
trojan.vundo infection - tried but can't fix - log included [RESOL


  • This topic is locked

#16
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Delete your version of ComboFix.exe and the folder C:\qoobox, then do this:

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


#17
rmtw

    Member

  • Topic Starter
  • Member
  • 20 posts
Hello,
thank you for continuing with me! Here is the combofix log after following your instructions above:

ComboFix 08-01-30.6 - Mary 2008-01-30 10:50:22.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -5:00]
Running from: C:\Documents and Settings\Mary\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-21 21:44 . 2008-01-21 21:55 673 --a------ C:\WINDOWS\CoD.INI
2008-01-15 14:51 . 2008-01-15 14:51 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-15 11:56 . 2008-01-15 11:56 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-01-14 12:51 . 2008-01-14 15:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 12:45 . 2008-01-14 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 12:37 . 2008-01-14 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 12:29 . 2008-01-14 12:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 01:05 . 2008-01-14 01:05 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-14 00:45 . 2008-01-14 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 00:25 . 2008-01-14 01:05 <DIR> d-------- C:\VundoFix Backups
2008-01-13 16:23 . 2008-01-14 12:02 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 14:48 . 2008-01-13 14:48 <DIR> d-------- C:\Program Files\Webroot
2008-01-13 14:47 . 2008-01-13 14:47 164 --a------ C:\install.dat
2008-01-12 18:50 . 2008-01-12 18:50 <DIR> d-------- C:\Temp\Ryuan1
2008-01-12 13:35 . 2008-01-12 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-12 13:35 . 2008-01-12 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-27 14:03 . 1999-05-25 06:53 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-12-25 22:25 . 2007-12-25 22:25 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-12-03 16:00 . 2007-12-03 16:00 <DIR> d-------- C:\Documents and Settings\William\Application Data\iScreensaver
2007-12-01 13:31 . 2007-12-10 08:02 <DIR> d-------- C:\Documents and Settings\Mary\.blurb
2007-12-01 13:29 . 2007-12-12 09:11 <DIR> d-------- C:\Program Files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 13:56 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-25 13:52 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-25 13:52 --------- d-----w C:\Program Files\iTunes
2008-01-15 16:57 --------- d-----w C:\Program Files\Symantec
2008-01-15 16:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 20:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2008-01-14 20:13 499,712 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-13 17:40 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-12 23:55 --------- d-----w C:\Program Files\QuickTime
2008-01-12 18:35 --------- d-----w C:\Program Files\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\Rob\Application Data\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 15:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-12 13:56 --------- d-----w C:\Program Files\iPod
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-17 20:51 65,536 ----a-w C:\Documents and Settings\Tucker\jbfmod.dll
2006-12-17 20:51 127,488 -c--a-w C:\Documents and Settings\Tucker\fmod.dll
2006-05-16 21:32 40 -c--a-w C:\Documents and Settings\Tucker\customkeys.dat
2005-05-26 20:49 202,748 -c--a-w C:\Documents and Settings\Tucker\SXMS.dll
.
<pre>
----a-w		   866,584 2008-01-14 20:13:40  C:\Program Files\Windows Defender\MSASCui .exe
----a-w		   158,208 2008-01-14 20:24:01  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w			15,360 2008-01-14 17:02:33  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-25 08:52 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-25 16:36 267064]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 13:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2008-01-25 16:36 90112]

C:\Documents and Settings\Mary\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34 8384512]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-14 22:37:50 118784]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 17:08:08 57344]
Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2004-02-03 21:42:14 229376]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-02-03 21:42:24 262144]

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2003-05-12 15:21]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2003-04-23 19:15]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2003-04-18 12:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 X4HSX32;X4HSX32;C:\Program Files\Comcast Games on Demand\X4HSX32.Sys [2006-03-13 18:13]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2003-04-17 16:48]
S3 aaudstum;aaudstum;C:\DOCUME~1\Rob\LOCALS~1\Temp\aaudstum.sys []
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 22:15]
S3 NiViPxiK;NiViPxiK;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2003-06-24 17:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 03:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 21:11:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 15:49:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 10:52:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-01-30 10:53:23
ComboFix2.txt 2008-01-30 03:24:34
.
2008-01-13 18:37:36 --- E O F ---

Here is the Hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:19 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.sony.com/vaiopeople"); (C:\Documents and Settings\MARY\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARY\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Rob')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 (User 'Rob')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Rob')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Rob')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Tucker')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1007\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Tucker')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PictureProject In Touch.lnk = C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162822773109
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13088 bytes

Let me know what to do next!
cheers~

#18
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
----a-w 866,584 2008-01-14 20:13:40 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 158,208 2008-01-14 20:24:01 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 15,360 2008-01-14 17:02:33 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#19
rmtw

    Member

  • Topic Starter
  • Member
  • 20 posts
Here is the latest combofix log after following the instructions above:
ComboFix 08-01-30.6 - Mary 2008-01-30 11:32:17.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.192 [GMT -5:00]
Running from: C:\Documents and Settings\Mary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-21 21:44 . 2008-01-21 21:55 673 --a------ C:\WINDOWS\CoD.INI
2008-01-15 14:51 . 2008-01-15 14:51 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-15 11:56 . 2008-01-15 11:56 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-01-14 12:51 . 2008-01-14 15:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 12:45 . 2008-01-14 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 12:37 . 2008-01-14 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 12:29 . 2008-01-14 12:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 01:05 . 2008-01-14 01:05 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-14 00:45 . 2008-01-14 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 00:25 . 2008-01-14 01:05 <DIR> d-------- C:\VundoFix Backups
2008-01-13 16:23 . 2008-01-14 12:02 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 14:48 . 2008-01-13 14:48 <DIR> d-------- C:\Program Files\Webroot
2008-01-13 14:47 . 2008-01-13 14:47 164 --a------ C:\install.dat
2008-01-12 18:50 . 2008-01-12 18:50 <DIR> d-------- C:\Temp\Ryuan1
2008-01-12 13:35 . 2008-01-12 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-12 13:35 . 2008-01-12 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-27 14:03 . 1999-05-25 06:53 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-12-25 22:25 . 2007-12-25 22:25 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-12-03 16:00 . 2007-12-03 16:00 <DIR> d-------- C:\Documents and Settings\William\Application Data\iScreensaver
2007-12-01 13:31 . 2007-12-10 08:02 <DIR> d-------- C:\Documents and Settings\Mary\.blurb
2007-12-01 13:29 . 2007-12-12 09:11 <DIR> d-------- C:\Program Files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 13:56 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-25 13:52 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-25 13:52 --------- d-----w C:\Program Files\iTunes
2008-01-15 16:57 --------- d-----w C:\Program Files\Symantec
2008-01-15 16:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 20:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2008-01-14 20:13 499,712 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-13 17:40 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-12 23:55 --------- d-----w C:\Program Files\QuickTime
2008-01-12 18:35 --------- d-----w C:\Program Files\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\Rob\Application Data\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 15:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-12 13:56 --------- d-----w C:\Program Files\iPod
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-17 20:51 65,536 ----a-w C:\Documents and Settings\Tucker\jbfmod.dll
2006-12-17 20:51 127,488 -c--a-w C:\Documents and Settings\Tucker\fmod.dll
2006-05-16 21:32 40 -c--a-w C:\Documents and Settings\Tucker\customkeys.dat
2005-05-26 20:49 202,748 -c--a-w C:\Documents and Settings\Tucker\SXMS.dll
.
<pre>
----a-w		   866,584 2008-01-14 20:13:40  C:\Program Files\Windows Defender\MSASCui .exe
----a-w		   158,208 2008-01-14 20:24:01  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w			15,360 2008-01-14 17:02:33  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-25 08:52 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-25 16:36 267064]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 13:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2008-01-25 16:36 90112]

C:\Documents and Settings\Mary\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34 8384512]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-14 22:37:50 118784]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 17:08:08 57344]
Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2004-02-03 21:42:14 229376]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-02-03 21:42:24 262144]

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2003-05-12 15:21]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2003-04-23 19:15]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2003-04-18 12:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 X4HSX32;X4HSX32;C:\Program Files\Comcast Games on Demand\X4HSX32.Sys [2006-03-13 18:13]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2003-04-17 16:48]
S3 aaudstum;aaudstum;C:\DOCUME~1\Rob\LOCALS~1\Temp\aaudstum.sys []
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 22:15]
S3 NiViPxiK;NiViPxiK;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2003-06-24 17:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 03:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 21:11:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 16:34:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 11:34:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-01-30 11:35:00
ComboFix2.txt 2008-01-30 15:53:24
ComboFix3.txt 2008-01-30 03:24:34
.
2008-01-13 18:37:36 --- E O F ---
  • 0

#20
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
----a-w 866,584 2008-01-14 20:13:40 C:\Program Files\Windows Defender\MSASCui .exe
----a-w 158,208 2008-01-14 20:24:01 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 15,360 2008-01-14 17:02:33 C:\WINDOWS\system32\ctfmon .exe

Folder::
C:\Temp\Ryuan1

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#21
rmtw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
here you go:
ComboFix 08-01-30.6 - Mary 2008-01-30 12:33:28.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -5:00]
Running from: C:\Documents and Settings\Mary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\Ryuan1

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-21 21:44 . 2008-01-21 21:55 673 --a------ C:\WINDOWS\CoD.INI
2008-01-15 14:51 . 2008-01-15 14:51 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-15 11:56 . 2008-01-15 11:56 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-01-14 12:51 . 2008-01-14 15:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 12:45 . 2008-01-14 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 12:37 . 2008-01-14 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 12:29 . 2008-01-14 12:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 01:05 . 2008-01-14 01:05 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-14 00:45 . 2008-01-14 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 00:25 . 2008-01-14 01:05 <DIR> d-------- C:\VundoFix Backups
2008-01-13 16:23 . 2008-01-14 12:02 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 14:48 . 2008-01-13 14:48 <DIR> d-------- C:\Program Files\Webroot
2008-01-13 14:47 . 2008-01-13 14:47 164 --a------ C:\install.dat
2008-01-12 13:35 . 2008-01-12 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-12 13:35 . 2008-01-12 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-27 14:03 . 1999-05-25 06:53 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-12-25 22:25 . 2007-12-25 22:25 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-12-03 16:00 . 2007-12-03 16:00 <DIR> d-------- C:\Documents and Settings\William\Application Data\iScreensaver
2007-12-01 13:31 . 2007-12-10 08:02 <DIR> d-------- C:\Documents and Settings\Mary\.blurb
2007-12-01 13:29 . 2007-12-12 09:11 <DIR> d-------- C:\Program Files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 13:56 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-25 13:52 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-25 13:52 --------- d-----w C:\Program Files\iTunes
2008-01-15 16:57 --------- d-----w C:\Program Files\Symantec
2008-01-15 16:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 20:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2008-01-14 20:13 499,712 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-13 17:40 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-12 23:55 --------- d-----w C:\Program Files\QuickTime
2008-01-12 18:35 --------- d-----w C:\Program Files\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\Rob\Application Data\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 15:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-12 13:56 --------- d-----w C:\Program Files\iPod
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-17 20:51 65,536 ----a-w C:\Documents and Settings\Tucker\jbfmod.dll
2006-12-17 20:51 127,488 -c--a-w C:\Documents and Settings\Tucker\fmod.dll
2006-05-16 21:32 40 -c--a-w C:\Documents and Settings\Tucker\customkeys.dat
2005-05-26 20:49 202,748 -c--a-w C:\Documents and Settings\Tucker\SXMS.dll
.
<pre>
----a-w		   866,584 2008-01-14 20:13:40  C:\Program Files\Windows Defender\MSASCui .exe
----a-w		   158,208 2008-01-14 20:24:01  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w			15,360 2008-01-14 17:02:33  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-25 08:52 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-25 16:36 267064]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 13:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2008-01-25 16:36 90112]

C:\Documents and Settings\Mary\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34 8384512]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-14 22:37:50 118784]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 17:08:08 57344]
Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2004-02-03 21:42:14 229376]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-02-03 21:42:24 262144]

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2003-05-12 15:21]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2003-04-23 19:15]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2003-04-18 12:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 X4HSX32;X4HSX32;C:\Program Files\Comcast Games on Demand\X4HSX32.Sys [2006-03-13 18:13]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2003-04-17 16:48]
S3 aaudstum;aaudstum;C:\DOCUME~1\Rob\LOCALS~1\Temp\aaudstum.sys []
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 22:15]
S3 NiViPxiK;NiViPxiK;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2003-06-24 17:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 03:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 21:11:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 17:34:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 12:35:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-01-30 12:36:08
ComboFix2.txt 2008-01-30 16:35:01
ComboFix3.txt 2008-01-30 15:53:24
ComboFix4.txt 2008-01-30 03:24:34
.
2008-01-13 18:37:36 --- E O F ---

thank you.
  • 0

#22
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
  • Drag that log into RenV.exe and post the resulting log

  • 0

#23
rmtw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
<ignore this - I figured it out...> do I need to save the log as something specific? I have the log, but not sure how to drag an open window into the renV.exe icon on desktop.

thanks for explaining....

Edited by rmtw, 30 January 2008 - 02:29 PM.

  • 0

#24
rmtw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Ok, sorry, I see that it did save itself on my desktop. Here is the resulting log after dragging it into RenV.exe

Ran on Wed 01/30/2008 - 15:16:56.20

------w			15,360 2008-01-14 17:02:33  C:\WINDOWS\system32\ctfmon .exe

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:			 15,360  Blocks:		   30

  • 0
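An added example, not part of the thread and not code from RenV or ComboFix: the logs above list executables whose names carry a space before `.exe`, sometimes beside a same-named file without the space. The Python sketch below pulls those pairs out of log lines copied from the posts above and compares their sizes; the function names and status labels are this example's own.

```python
import re
from collections import namedtuple

# One result per "name .exe" entry found in the log text.
Finding = namedtuple(
    "Finding", "spaced_path spaced_size sibling_path sibling_size status"
)

PATH_RE = re.compile(r"[A-Za-z]:\\.*$")          # drive-letter path to end of line
SIZE_RE = re.compile(r"\d[\d,]*")                # 15,360 / 673 / 0 (not dates or times)
SPACED_EXE_RE = re.compile(r"(.+?)\s+(\.exe)", re.IGNORECASE)

# Lines copied from the ComboFix logs posted in this thread (three layouts:
# "Files Created", "Find3M Report" and the RenV listing).
SAMPLE_LOG = r"""
2008-01-13 16:23 . 2008-01-14 12:02 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-25 13:52 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-14 20:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2008-01-14 20:13 499,712 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
----a-w 866,584 2008-01-14 20:13:40 C:\Program Files\Windows Defender\MSASCui .exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2008-01-15 11:56 . 2008-01-15 11:56 <DIR> d-------- C:\Program Files\Symantec_Client_Security
"""


def parse_entries(log_text):
    """Map lower-cased path -> (path as logged, size in bytes or None)."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = PATH_RE.search(line)
        if not match:
            continue
        path = match.group(0)
        # The size is the only token before the path made of digits and commas;
        # dates contain '-', times contain ':', directories show <DIR>.
        size = None
        for token in line[:match.start()].split():
            if SIZE_RE.fullmatch(token):
                size = int(token.replace(",", ""))
        entries.setdefault(path.lower(), (path, size))  # keep first sighting
    return entries


def find_spaced_executables(log_text):
    """Report every 'name .exe' entry and how it compares with 'name.exe'."""
    entries = parse_entries(log_text)
    findings = []
    for path, size in entries.values():
        folder, _, name = path.rpartition("\\")
        match = SPACED_EXE_RE.fullmatch(name)
        if not match:
            continue
        sibling_path = folder + "\\" + match.group(1) + match.group(2)
        sibling = entries.get(sibling_path.lower())
        if sibling is None:
            sibling_size, status = None, "sibling-not-listed"
        else:
            sibling_size = sibling[1]
            status = "same-size" if sibling_size == size else "size-differs"
        findings.append(Finding(path, size, sibling_path, sibling_size, status))
    return findings


if __name__ == "__main__":
    for f in find_spaced_executables(SAMPLE_LOG):
        print(f"{f.status:20} {f.spaced_path} ({f.spaced_size}) "
              f"vs {f.sibling_path} ({f.sibling_size})")
```

A `size-differs` or `sibling-not-listed` result is only a prompt to inspect both files; the log lines carry no hashes or signatures, so size is the one property this check can compare.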

#25
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0


#26
rmtw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Wow! That took a while. It looks like it found a few things. Are some of these already quarantined by Symantec?
This is amazing. Thanks so, so much!!

Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 30, 2008 7:40:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/01/2008
Kaspersky Anti-Virus database records: 538793
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 79333
Number of viruses found: 8
Number of infected objects: 46
Number of suspicious objects: 3
Duration of the scan process: 01:25:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01142008-125157.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09940000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09980000.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A40000.VBN Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A40001.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A40002.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A40003.VBN Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A80000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A80001.VBN Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B00000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F40000.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F40001.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F340000.VBN Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F340001.VBN Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From "Alison Lamura" <[email protected]>][Date Tue, 10 Aug 2004 13:35:13 -0400]/text/[From "SOUTHERN LIVING Magazine"<[email protected]>][Date Wed, 11 Aug 2004 19:22:52 -0400]/UNNAMED/[From "Sears" <[email protected]>][Date Mon, 16 Aug 2004 18:49:42 -0000]/UNNAMED/[From Upromise <[email protected]>][Date Mon, 16 Aug 2004 20:28:32 -0400 (EDT)]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From "Alison Lamura" <[email protected]>][Date Tue, 10 Aug 2004 13:35:13 -0400]/text/[From "SOUTHERN LIVING Magazine"<[email protected]>][Date Wed, 11 Aug 2004 19:22:52 -0400]/UNNAMED/[From "Sears" <[email protected]>][Date Mon, 16 Aug 2004 18:49:42 -0000]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From "Alison Lamura" <[email protected]>][Date Tue, 10 Aug 2004 13:35:13 -0400]/text/[From "SOUTHERN LIVING Magazine"<[email protected]>][Date Wed, 11 Aug 2004 19:22:52 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From "Alison Lamura" <[email protected]>][Date Tue, 10 Aug 2004 13:35:13 -0400]/text Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[Fro ... /[From ... /important-details.txt .pif Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[Fro ... /[From "Emer ... /[From ... /[From [email protected]][Date Fri, 15 Jul 2005 00:47:12 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[Fro ... /[From "Emer ... /[From "Amazon.com" <[email protected]>][Date Thu, 14 Jul 2005 12:35:34 -0700]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[Fro ... /[From "EmergencyEmail.ORG" <[email protected]>][Date Wed, 13 Jul 2005 16:50:24 -0400]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]dwaybox.com>][Dat ... /[From "Willi ... /[From ... /[From "Hockman, Jeb" <[email protected]>][Date Fri, 08 Jul 2005 16:23:53 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[From "Willi ... /[From Your request from The Wall Street Journal Online][Date Fri, 08 Jul 2005 08:10:29 -0400]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[From "Williams-Sonoma ... /[From "Omberg, Robert" <[email protected]>][Date Thu, 07 Jul 2005 10:02:36 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Dat ... /[From "Williams-Sonoma" <[email protected]>][Date Thu, 30 Jun 2005 12:29:29 -0700]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Date Mon, 27 Jun 20 ... /[From "Garvey, Anne (NIH/NCI)" <[email protected]>][Date Thu, 30 Jun 2005 14:08:00 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text/[From <[email protected]>][Date Mon, 27 Jun 2005 12:46:13 -0700]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 11:19:41 -0400]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED/[From <[email protected]>][Date Fri, 24 Jun 2005 10:30:23 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text/[From <[email protected]>][Date Thu, 23 Jun 2005 14:27:32 -0700]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox/[From "Omberg, Mary" <[email protected]>][Date Wed, 3 Mar 2004 09:08:53 -0600]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Mary\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\Mail\mail.verizon.net\Inbox Mail Berkeley mbox: infected - 18 skipped
C:\Documents and Settings\Mary\Application Data\Nikon\PictureProject In Touch\P2ITLog.txt Object is locked skipped
C:\Documents and Settings\Mary\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Temp\~DF3E87.tmp Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Temp\~DF3E94.tmp Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\5USV6YCE\bind[2].htm Object is locked skipped
C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mary\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mary\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From "Right ... /[From "Andrea L. Prisco" < ... /[From [email protected]][Date Sun, 4 Apr 2004 22:01:31 -040 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From "Right ... /[From "Andrea L. Prisco" < ... /[From [email protected]][Date Sun, 4 Apr 2004 22:01:31 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From "Right ... /[From "Andrea L. Prisco" <[email protected]>][Date Tue, 30 Mar 2004 20:36:03 -0500]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... / .. ... /important-details.txt .pif Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... / ... ... /[From "Mar ... /[From [email protected]][Date Fri, 15 Jul 2005 00:47:12 - ... /UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... / ... ... /[From "Mar ... /[From [email protected]][Date Fri, 15 Jul 2005 00:47:12 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... / ... ... /[From "Mary Lou Titus" <[email protected]>][Date Fri, 08 Jul 2005 15:51:40 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... / ... /[From Your request from The Wall Street Journal Online][Date Fri, 08 Jul 2005 08:10:29 -0400]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... /[From "Right at ... /[From "eBay" <[email protected]>][Date Sat, 05 Mar 2005 18:30:42 -0800]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From ... /[From "Right at Home" <[email protected]>][Date Wed, 02 Mar 2005 06:37:28 -0500]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, ... /[From "Right at Home" <[email protected]>][Date Sat, 13 Mar 2004 14:59:33 -0500]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <pkbl[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, 1 Mar 2004 19:39:42 -0600]/text/[From Matt Menke <[email protected]>][Date Thu, 11 Mar 2004 16:54:30 -0500]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out003.verizon.net from [151.199.215.21] at Mon, 1 Mar 2004 19:39:40 -0600][Date Mon, 1 Mar 2004 19:39:42 -0600]/text Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED/[From Submitted using SMTP AUTH at out004.verizon.net from [209.158.202.125] at Mon, 1 Mar 2004 18:59:25 -0600][Date Mon, 1 Mar 2004 19:54:41 -0500]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox/[From "P.K. Black" <[email protected]>][Date Mon, 01 Mar 2004 12:35:58 -0500]/UNNAMED Infected: Net-Worm.Win32.Mytob.bi skipped
C:\Documents and Settings\Rob\Application Data\Mozilla\Profiles\default\oakpqrjb.slt\Mail\incoming.verizon.net\Inbox Mail Berkeley mbox: infected - 12, suspicious - 3 skipped
C:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tucker\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tucker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tucker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tucker\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tucker\Local Settings\History\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Documents and Settings\Tucker\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tucker\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tucker\ntuser.dat.LOG Object is locked skipped
C:\Downloads\RiskIISetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\DB\vpdb.ldb Object is locked skipped
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\DB\vpdb.mdb Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP14\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itircl.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETD699.tmp Object is locked skipped
C:\WINDOWS\Temp\JETD69A.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP14\change.log Object is locked skipped

Scan process completed.

#27
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Downloads\RiskIISetup-dm[1].exe
C:\WINDOWS\system32\ctfmon .exe

RenV::
C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#28
rmtw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ComboFix 08-01-30.6 - Mary 2008-01-30 22:28:57.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -5:00]
Running from: C:\Documents and Settings\Mary\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mary\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Downloads\RiskIISetup-dm[1].exe
C:\WINDOWS\system32\ctfmon .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Downloads\RiskIISetup-dm[1].exe
C:\WINDOWS\system32\ctfmon .exe

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 17:30 . 2008-01-30 17:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-30 17:30 . 2008-01-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-30 17:29 . 2008-01-30 17:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-21 21:44 . 2008-01-21 21:55 673 --a------ C:\WINDOWS\CoD.INI
2008-01-15 14:51 . 2008-01-15 14:51 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-15 11:56 . 2008-01-15 11:56 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-01-14 12:51 . 2008-01-30 15:16 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-14 12:45 . 2008-01-14 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 12:37 . 2008-01-14 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 12:29 . 2008-01-14 12:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 01:05 . 2008-01-14 01:05 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-14 00:45 . 2008-01-14 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 00:25 . 2008-01-14 01:05 <DIR> d-------- C:\VundoFix Backups
2008-01-13 14:48 . 2008-01-13 14:48 <DIR> d-------- C:\Program Files\Webroot
2008-01-13 14:47 . 2008-01-13 14:47 164 --a------ C:\install.dat
2008-01-12 13:35 . 2008-01-12 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-12 13:35 . 2008-01-12 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-27 14:03 . 1999-05-25 06:53 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-12-25 22:25 . 2007-12-25 22:25 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-12-03 16:00 . 2007-12-03 16:00 <DIR> d-------- C:\Documents and Settings\William\Application Data\iScreensaver
2007-12-01 13:31 . 2007-12-10 08:02 <DIR> d-------- C:\Documents and Settings\Mary\.blurb
2007-12-01 13:29 . 2007-12-12 09:11 <DIR> d-------- C:\Program Files\BookSmart

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 13:56 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-25 13:52 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-25 13:52 --------- d-----w C:\Program Files\iTunes
2008-01-15 16:57 --------- d-----w C:\Program Files\Symantec
2008-01-15 16:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 20:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-13 17:40 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-12 23:55 --------- d-----w C:\Program Files\QuickTime
2008-01-12 18:35 --------- d-----w C:\Program Files\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\Rob\Application Data\Viewpoint
2008-01-12 18:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 15:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-12 13:56 --------- d-----w C:\Program Files\iPod
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2006-12-17 20:51 65,536 ----a-w C:\Documents and Settings\Tucker\jbfmod.dll
2006-12-17 20:51 127,488 -c--a-w C:\Documents and Settings\Tucker\fmod.dll
2006-05-16 21:32 40 -c--a-w C:\Documents and Settings\Tucker\customkeys.dat
2005-05-26 20:49 202,748 -c--a-w C:\Documents and Settings\Tucker\SXMS.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-25 08:52 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-25 16:36 267064]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 13:43 88363 C:\WINDOWS\AGRSMMSG.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2008-01-25 16:36 90112]

C:\Documents and Settings\Mary\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34 8384512]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-12-14 22:37:50 118784]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 17:08:08 57344]
Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2004-02-03 21:42:14 229376]
Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe [2004-02-03 21:42:24 262144]

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2003-05-12 15:21]
R2 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimk.dll [2003-04-23 19:15]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmk.dll [2003-04-18 12:45]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 X4HSX32;X4HSX32;C:\Program Files\Comcast Games on Demand\X4HSX32.Sys [2006-03-13 18:13]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbk.dll [2003-04-17 16:48]
S3 aaudstum;aaudstum;C:\DOCUME~1\Rob\LOCALS~1\Temp\aaudstum.sys []
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 22:15]
S3 NiViPxiK;NiViPxiK;C:\WINDOWS\system32\drivers\NiViPxiK.sys [2003-06-24 17:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 03:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 21:11:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-31 03:29:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 22:32:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-01-30 22:32:49
ComboFix-quarantined-files.txt 2008-01-31 03:32:32
ComboFix2.txt 2008-01-30 17:36:08
ComboFix3.txt 2008-01-30 16:35:01
ComboFix4.txt 2008-01-30 15:53:24
ComboFix5.txt 2008-01-30 03:24:34
.
2008-01-13 18:37:36 --- E O F ---

#29
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post a new HijackThis log and tell me how your PC is running?

#30
rmtw

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Sure! It is running very well! Very responsive, little - if any - delays between windows, programs, internet, etc. Amazing difference! Plus, no warnings that we have run out of disk space.

I have had a number of people tell me that emails I have sent while infected did not reach them. There doesn't seem to be any pattern, just random emails. I have tested with those people now, and emails are going through. Was this a result of the Vundo malware?

If I am truly "clean" now, I have a few questions for you, please. (If you can answer them)
- Do I need to keep the various programs I downloaded during this process?
- I now have several anti-virus programs. I think I only should be running one. I use Symantec, which I thought worked well..... Now I also have spyware - Adwatch, Adware and Spybot. Do I need them all? I think they look for slightly different things, but I am not sure.
- From reading on this site, I see that people are warned sometimes that their Java is out of date and this is the reason that these malware programs can get in. Is this true? I guess I really want to make sure I don't get infected again!

Here is my latest HJT log, and also a huge THANK YOU for your help. You have been tremendous!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:32 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.sony.com/vaiopeople"); (C:\Documents and Settings\MARY\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MARY\Application Data\Mozilla\Profiles\default\0zbbfbsx.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Tucker')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Tucker')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Tucker')
O4 - HKUS\S-1-5-21-1172612574-422567106-3690756700-1007\..\Run: [Iinl] "C:\WINDOWS\ICROSO~1\dllhost.exe" -vt yazb (User 'Tucker')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PictureProject In Touch.lnk = C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162822773109
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12850 bytes