Infected with Virus Dropper.Exebind


#1
factor
    Member
  • 21 posts
AVG says I have a Virus Dropper.Exebind and the path is in c:\System Volume Information\_restore. The computer is running very slow, and if I try using Internet Explorer, as soon as it opens up it gives me a message saying Explorer needs to shut down. If I use Firefox it doesn't give that. I ran a Panda ActiveScan and it showed this:

Incident Status Location

Spyware:spyware/whazit Not disinfected c:\windows\system32\kyf.dat
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Cody Guidry\Application Data\tvmcwrd.dll
Adware:adware/delfinmedia Not disinfected c:\windows\system32\vmss
Hacktool:hacktool/rootkit.m Not disinfected hkey_local_machine\system\controlset002\enum\root\LEGACY_WINIK
Adware:adware/adroar Not disinfected Windows Registry
Adware:adware/downloadware Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:spyware/sysren Not disinfected Windows Registry
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cody Guidry\Cookies\cody [email protected][2].txt
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde83.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde8E.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde90.tmp[bdeplayer2.dll]
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde92.tmp[BDEEngine2.dll]
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde94.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde96.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde98.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde9A.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde9D.tmp[bde3d_ref2.dll]
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde9F.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bdeA1.tmp
Potentially unwanted tool:Application/BrilliantDigital Not disinfected E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bdeA3.tmp
Spyware:Spyware/New.net Not disinfected E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000023.dll

This is my son's computer and I'm trying to disinfect it for him; any help will be appreciated.

Edited by factor, 22 February 2008 - 02:41 PM.

#2
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hello factor

Welcome to G2Go. :)
================
  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

#3
factor
    Member
  • Topic Starter
  • 21 posts
Hi Kahdah

Did as you instructed,


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:36 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\tppaldr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203614180223
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5333 bytes

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Download Registry Search.zip by Bobbi Flekman and Save it to your desktop.
  • Extract it to your desktop.
  • Click on the Registry Search.zip icon on your desktop to open the program.
  • Click regsearch.exe to start the program.
  • In the white box, type in this: WINIK
  • Then hit OK
  • Post the results into your next reply.
=================
Also, please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#5
factor
    Member
  • Topic Starter
  • 21 posts
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2/24/2008 11:37:44 AM for strings:
; 'winik'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"
"DeviceDesc"="WinIK"

; End Of The Log...





Deckard's System Scanner v20071014.68
Run by Cody Guidry on 2008-02-24 12:11:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-02-24 18:12:01 UTC - RP12 - Deckard's System Scanner Restore Point
1: 2008-02-23 01:45:41 UTC - RP11 - clean restore point


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 252 MiB (512 MiB recommended).


-- HijackThis (run as Cody Guidry.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:17 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\tppaldr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Cody Guidry\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cody Guidry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203614180223
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5334 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 TPP725 (USB Storage Adapter (TPP)) - c:\windows\system32\drivers\tpp725.sys <Not Verified; In-System Design, Inc.; TPP Storage Adapter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_127A&DEV_4321&SUBSYS_43211235&REV_00\3&61AAA01&0&61
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_127A&DEV_4321&SUBSYS_43211235&REV_00\3&61AAA01&0&61
Service:


-- Files created between 2008-01-24 and 2008-02-24 -----------------------------

2008-02-24 09:29:27 0 d-------- C:\Program Files\Trend Micro
2008-02-22 20:54:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-22 20:16:57 0 d-------- C:\Documents and Settings\Cody Guidry\Application Data\Grisoft
2008-02-22 11:43:22 0 dr-h----- C:\Documents and Settings\Cody Guidry\Recent
2008-02-21 13:29:25 44928 --a------ C:\WINDOWS\System32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-20 17:02:17 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-20 17:02:17 2545 --a------ C:\WINDOWS\unins000.dat
2008-02-20 11:13:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-02-12 19:13:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-12 19:11:45 0 d-------- C:\Documents and Settings\Cody Guidry\Application Data\Mozilla
2008-02-12 18:50:35 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-12 18:39:42 60496 --a------ C:\WINDOWS\System32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-02-12 18:39:39 21075 --a------ C:\WINDOWS\System32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-02-12 18:38:27 0 d-------- C:\Program Files\Sygate
2008-02-12 18:36:19 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 16:35:03 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier


-- Find3M Report ---------------------------------------------------------------

2008-02-21 14:57:39 0 d-------- C:\Program Files\QuickTime
2008-02-21 14:12:10 0 d-------- C:\Program Files\iTunes
2008-02-21 14:08:27 0 d-------- C:\Program Files\Google
2008-02-21 12:41:44 0 d-------- C:\Program Files\Java
2008-02-20 12:56:28 0 d-------- C:\Documents and Settings\Cody Guidry\Application Data\Google
2008-02-15 18:36:21 0 d-------- C:\Documents and Settings\Cody Guidry\Application Data\AVG7
2008-02-12 18:36:19 0 d-------- C:\Program Files\Common Files
2008-02-12 18:09:00 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-02-12 17:01:46 0 d-------- C:\Documents and Settings\Cody Guidry\Application Data\Adobe
2008-02-12 16:09:48 0 d--h----- C:\Program Files\WindowsUpdate


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPP Auto Loader"="C:\WINDOWS\tppaldr.exe" [06/29/2001 12:39 PM]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 03:50 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/29/2007 05:33 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 02:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/30/2006 10:31 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/20/2008 12:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 2:05:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)




-- End of Deckard's System Scanner: finished at 2008-02-24 12:21:21 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD-K6-2 processor
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 251.48 MiB / 96.1 MiB
Pagefile Memory (total/avail): 515.01 MiB / 274.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1958.44 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 26.4 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 6 GiB total, 4.7 GiB free.

\\.\PHYSICALDRIVE1 - QUANTUM FIREBALL CR6.4A - 6.01 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 6 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD400BB-00DEA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Cody Guidry\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CODY
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\CODY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 5 Model 8 Stepping 12, AuthenticAMD
PROCESSOR_LEVEL=5
PROCESSOR_REVISION=080c
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CODYGU~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CODYGU~1\LOCALS~1\Temp
USERDOMAIN=CODY
USERNAME=Cody Guidry
USERPROFILE=C:\Documents and Settings\Cody Guidry
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Cody Guidry (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
dBpowerAMP Music Converter --> "C:\WINDOWS\System32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\System32\SpoonUninstall-dBpowerAMP Music Converter.dat
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\System32\KASPER~1\KASPER~1\kavuninstall.exe
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Outlook Express Q823353 --> C:\WINDOWS\oeuninst.exe C:\WINDOWS\INF\Q823353.inf
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
Rio Internet Update --> MsiExec.exe /X{3101857A-2D36-4DD5-A092-27478119601A}
Rio Music Manager --> MsiExec.exe /X{12141D70-0324-42DB-B5E8-706040083931}
Rio Taxi --> MsiExec.exe /X{434C733C-27FA-423E-8CDC-F72B55631BA5}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
USB Storage Adapter (TPP) --> tppun.exe TPP725
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows XP Application Compatibility Update[Q319580] --> C:\WINDOWS\$NtUninstallQ319580$\spuninst\spuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3151 / Error
Event Submitted/Written: 02/24/2008 00:04:04 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application regsearch.exe, version 2.0.5.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3147 / Warning
Event Submitted/Written: 02/23/2008 05:19:34 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3146 / Error
Event Submitted/Written: 02/22/2008 08:54:16 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type3145 / Error
Event Submitted/Written: 02/22/2008 08:54:16 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type3144 / Error
Event Submitted/Written: 02/22/2008 00:44:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2600.0, faulting module flash9e.ocx, version 9.0.115.0, fault address 0x00055a77.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19974 / Error
Event Submitted/Written: 02/24/2008 09:14:24 AM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{45A5771A-2BCF-4FF0-9BCB-1E1627C88270}.
The backup browser is stopping.

Event Record #/Type19959 / Warning
Event Submitted/Written: 02/24/2008 09:11:06 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\RICKY on the network \Device\NetBT_Tcpip_{45A5771A-2BCF-4FF0-9BCB-1E1627C88270}.
The data is the error code.

Event Record #/Type19955 / Error
Event Submitted/Written: 02/23/2008 05:19:33 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type19954 / Error
Event Submitted/Written: 02/22/2008 08:55:26 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AVG Anti-Spyware Driver
Avg7Core
Avg7RsW
Avg7RsXP
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip
wpsdrvnt

Event Record #/Type19953 / Error
Event Submitted/Written: 02/22/2008 08:55:26 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-02-24 12:21:21 ------------

#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Download WinKRootKitRemover to your desktop.
  • Click the icon to open the program
  • Then, click RUN and then START
  • Save the log it creates to your desktop.
  • 0

#7
factor

factor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I tried three times and WinKRootKit gave me the same messages.



02/24/2008, 14:14:04 - Starting Process
02/24/2008, 14:14:04 - Could not detect the service installed. Nothing else to do!

02/24/2008, 14:14:51 - Starting Process
02/24/2008, 14:14:51 - Could not detect the service installed. Nothing else to do!

02/24/2008, 14:19:21 - Starting Process
02/24/2008, 14:19:21 - Could not detect the service installed. Nothing else to do!


What now? :)
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok, that is good; that means that part of the infection is gone. :)
----------------------------------------------------------------------------
1. Download RegDACL, and extract it to your desktop.

2. Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat with "Save as type" set to All Files. Be sure to save it in the same folder as the one where you extracted RegDACL.

RegDACL HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK /GGE:F
RegDACL HKLM\SYSTEM\ControlSet001\Services\WinIK /GGE:F
RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINIK /GGE:F
RegDACL HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK /GGE:F


3. Open the RegDACL folder, and double click on your FixReg.bat you just created and allow it to run. Answer yes to any prompts.

4. Launch Notepad, and copy/paste the box below into a new text file. Save it on your C:\ drive as fixme.reg. For the "Save as type" choose All Files.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK]


  • Locate fixme.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


5. Reboot the computer and run the regsearch tool again with the same instructions as before and post those results please.
  • 0
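The pre-check a helper would want before running the RegDACL step, as an added PowerShell example that is not part of the thread and not RegDACL's code (assumes PowerShell 3.0 or later and an elevated prompt; the function name is mine, the key names are the ones from the fix above):

```powershell
# Added example (not from the thread, not RegDACL's code): a read-only check of the
# registry keys that the FixReg.bat / fixme.reg steps above target. For each control
# set it reports whether the WinIK rootkit's keys still exist and whether their DACL
# would make a plain regedit delete fail (a Deny entry, or no Full Control for
# Administrators or Everyone), which is exactly what the RegDACL step works around.
# Key names come from the thread; needs PowerShell 3.0+ and an elevated prompt.

$subKeys = @('Enum\Root\LEGACY_WINIK', 'Services\WinIK')
$full    = [System.Security.AccessControl.RegistryRights]::FullControl

# Every ControlSet00N plus the CurrentControlSet link, so no copy is missed.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' } |
    Select-Object -ExpandProperty PSChildName

function Get-KeyDaclReport {
    param([string]$Path)

    try {
        $null = Get-Item -Path $Path -ErrorAction Stop
    } catch [System.Management.Automation.ItemNotFoundException] {
        return [pscustomobject]@{ Key = $Path; Exists = $false; Owner = $null; Verdict = 'absent' }
    } catch [System.Security.SecurityException] {
        # The DACL refuses even a read open: regedit would fail on this key too.
        return [pscustomobject]@{ Key = $Path; Exists = $true; Owner = $null
                                  Verdict = 'access denied (reset DACL first)' }
    }

    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Key = $Path; Exists = $true; Owner = $null
                                  Verdict = 'DACL unreadable (reset DACL first)' }
    }

    $denies    = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $fullAllow = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full) -and
        ($_.IdentityReference.Value -match '^(BUILTIN\\Administrators|Everyone)$')
    })

    $verdict = if ($denies.Count -gt 0) {
        $who = ($denies | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        "Deny entry for $who (reset DACL first)"
    } elseif ($fullAllow.Count -eq 0) {
        'no Full Control for Administrators/Everyone (reset DACL first)'
    } else {
        'deletable as-is'
    }

    [pscustomobject]@{ Key = $Path; Exists = $true; Owner = $acl.Owner; Verdict = $verdict }
}

$report = foreach ($cs in $controlSets) {
    foreach ($sub in $subKeys) {
        Get-KeyDaclReport -Path ('HKLM:\SYSTEM\{0}\{1}' -f $cs, $sub)
    }
}

$report | Format-Table -AutoSize
```

Run it again after the reboot in step 5: every row should then read "absent", which is the same result the regsearch re-run is meant to confirm.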

#9
factor

factor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hope I did this all right; I have to double check and sometimes triple check what I am doing.


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2/24/2008 3:50:55 PM for strings:
; 'winik'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Cody Guidry\\Desktop\\WinKRootKitRemover.exe"="This program will look for WinKRootKit (winik.sys) and attempt to remove it."

; End Of The Log...
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great, the rootkit is gone :)
===============
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\windows\system32\kyf.dat 
    C:\Documents and Settings\Cody Guidry\Application Data\tvmcwrd.dll 
    c:\windows\system32\vmss 
    C:\Program Files\Viewpoint
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================
After that, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0


#11
factor

factor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
c:\windows\system32\kyf.dat moved successfully.
LoadLibrary failed for C:\Documents and Settings\Cody Guidry\Application Data\tvmcwrd.dll
C:\Documents and Settings\Cody Guidry\Application Data\tvmcwrd.dll NOT unregistered.
C:\Documents and Settings\Cody Guidry\Application Data\tvmcwrd.dll moved successfully.
c:\windows\system32\vmss moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\Components moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player moved successfully.
C:\Program Files\Viewpoint moved successfully.

OTMoveIt2 v1.0.20 log created on 02242008_164226




Malwarebytes' Anti-Malware 1.05
Database version: 402

Scan type: Quick Scan
Objects scanned: 25460
Time elapsed: 25 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Neither procedure asked me to reboot; hope that was okay!
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes that is fine.

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#13
factor

factor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
The Kaspersky scan took 6 hours and 30 min. and the computer is running real slow; response time is about half of what it used to be. Looks like there is a bunch of bad guys on this computer :)


KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 4:24:00 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 579937
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 26623
Number of viruses found 1
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 06:36:14

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Cody Guidry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Mozilla\Firefox\Profiles\hdznyzd9.default\Cache\2D71E1F6d01/stream/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Mozilla\Firefox\Profiles\hdznyzd9.default\Cache\2D71E1F6d01/stream Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Mozilla\Firefox\Profiles\hdznyzd9.default\Cache\2D71E1F6d01 NSIS: infected - 2 skipped
C:\Documents and Settings\Cody Guidry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Temp\nsd33.tmp Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Temp\nsn37.tmp Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Temp\nsu3D.tmp Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Temp\nsz2F.tmp Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cody Guidry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Cody Guidry\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\AVG7\l_000102.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\RECYCLER\S-1-5-21-823518204-1580818891-1202660629-1003\Dc8.exe/stream/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\RECYCLER\S-1-5-21-823518204-1580818891-1202660629-1003\Dc8.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\RECYCLER\S-1-5-21-823518204-1580818891-1202660629-1003\Dc8.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{E761B63C-38F9-4191-9BEC-C4DD886842A9}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Crypto\RSA\S-1-5-21-220523388-706699826-842925246-1003\3cf822ff2c234346a926ca993b0d3dda_a539c8f5-e3cf-46f5-90e5-36d8d7abdeee Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Movie Maker\Windows Movie Maker.COL Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Protect\S-1-5-21-220523388-706699826-842925246-1003\f3b1c8ad-eb7d-43a8-861f-cc37b4b8b4d4 Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Protect\S-1-5-21-220523388-706699826-842925246-1003\Preferred Object is locked skipped
E:\Documents and Settings\Cody Guidry\Application Data\Microsoft\Windows\Themes\Custom.theme Object is locked skipped
E:\Documents and Settings\Cody Guidry\Desktop\KaZaA Media Desktop.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Desktop\KaZaA Promotions.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Desktop\My Shared Folder.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\Links\Customize Links.url Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\Links\Free Hotmail.url Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\Links\Windows Media.url Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\Links\Windows.url Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\MSN.com.url Object is locked skipped
E:\Documents and Settings\Cody Guidry\Favorites\Radio Station Guide.url Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Application Data\IconCache.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\History\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde12.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde14.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde16.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde2.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde23.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde25.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde83.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde8E.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde90.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde92.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde94.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde96.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde98.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde9A.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde9D.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bde9F.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bdeA1.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\BDECache\bdeA3.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\dfAA.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\kmdb.html Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\WER3.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\WER3.tmp.dir00\appcompat.txt Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\{6e112c5b-6890-4396-9f34-bc9ad3729984}\InstDlg.dll Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temp\~DF8C4.tmp Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\4XWTI7IT\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\4XWTI7IT\Thumbs.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\G5E7G5YF\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\G5E7G5YF\Thumbs.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\SPQF49QB\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\SPQF49QB\Thumbs.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\U7SLGROF\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\Content.IE5\U7SLGROF\Thumbs.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Music\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Music\Sample Music.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Pictures\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Pictures\Sample Pictures.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Pictures\Thumbs.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Videos\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Videos\Thumbs.db Object is locked skipped
E:\Documents and Settings\Cody Guidry\My Documents\My Videos\Windows Movie Maker Sample File.wmv Object is locked skipped
E:\Documents and Settings\Cody Guidry\NetHood\c on Cody\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\NetHood\c on Cody\target.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\NetHood\SharedDocs on Ricky\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\NetHood\SharedDocs on Ricky\target.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Cody Guidry\NTUSER.DAT.LOG Object is locked skipped
E:\Documents and Settings\Cody Guidry\ntuser.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\3½ Floppy (A).lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\Cody (2).lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\cody.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\Desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\image.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\Jeanne.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\Journal.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\main_bg.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\My Shared Folder.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\Rusty.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\selected34.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\tribalS.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\Works Cited.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Recent\yellow_lab_2.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
E:\Documents and Settings\Cody Guidry\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
E:\Documents and Settings\Cody Guidry\SendTo\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\SendTo\Mail Recipient.MAPIMail Object is locked skipped
E:\Documents and Settings\Cody Guidry\SendTo\My Documents.mydocs Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Address Book.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Internet Explorer.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\MediaLoads.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Outlook Express.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
E:\Documents and Settings\Cody Guidry\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\amipro.sam Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\excel.xls Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\excel4.xls Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\lotus.wk4 Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\powerpnt.ppt Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\presenta.shw Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\quattro.wb2 Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\sndrec.wav Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\winword.doc Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\winword2.doc Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\wordpfct.wpd Object is locked skipped
E:\Documents and Settings\Cody Guidry\Templates\wordpfct.wpg Object is locked skipped
E:\Program Files\InstallShield Installation Information\{7D50E972-F2C4-4327-AA79-88FA868A4507}\setup.ilg Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000022.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000028.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000031.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000032.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000035.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000038.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000039.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000040.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000041.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000042.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP2\A0000049.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP3\A0000052.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP3\A0000053.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP3\A0000054.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP3\A0000055.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP3\A0000058.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000061.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000064.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000067.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000068.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000069.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000070.ilg Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000071.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000074.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000077.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000080.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000091.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000092.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000093.ilg Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000094.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000095.ini Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000096.lnk Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000097.exe Object is locked skipped
E:\System Volume Information\_restore{9D7A8434-CAC0-40C7-8B28-756988015FCF}\RP4\A0000100.ini Object is locked skipped
Scan process completed.


I see 2 references to KaZaA. I have been trying to rid this computer of KaZaA and thought I had removed them all; guess those 2 were lurking somewhere I didn't find. I know KaZaA is one of those bad guys that can infect you :) :)
  • 0

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Actually there is really nothing left.

Clean your Cache and Cookies in Firefox :
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
  • Alternatively, you can clear all information stored while browsing by clicking Clear All.
  • A confirmation dialog box will be shown before clearing the information.
========================================================
Go Here and download CCleaner.
Double click on it to install it.
Click on your language then Next then I agree then next again.
When you come to the Installation options window (the next window after clicking next)
Uncheck all but Create a Desktop Shortcut.
Then Click on Install.

After it is installed double click on the icon on your desktop to run it.
Choose Run Cleaner then yes at the prompt to permanently delete files.
It may take a while so let it finish.

After that Click on the icon to the left called Registry
Then click on scan for issues.
Then click on Fix selected issues.
And then yes to making a backup.
It will save it in your MY Documents Folder.
Then Click on Fix all selected issues and yes that you really want to do it.
After that is done then exit out of CCleaner.

You can uninstall that when you are done.
=========================
If you want, try doing a search for KaZaA and delete what you find.

I will need you to show hidden files\folders so we can delete the leftover file.
To Set:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK


Then go to this location: C:\Recycler. Open it; it will have a picture of the recycle bin. Double click on it and then delete what is in there.

Then reset your folders\files to hidden:
To reset:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not Show hidden files and folders.
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK

=====================
Cleanup::

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Please also delete anything else that we used.
===================
Then I will need you to reset your System Restore points:
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
============================================
After that, go to This link, which shows you how to defragment your hard drive.

Doing all of these things together should help out the overall speed.
==============================================
After that Your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here

Let me know if you have anymore questions or problems. :)
  • 0

#15
factor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
kahdah

Did all that you told me to do; I still get (Internet Explorer has encountered a problem and needs to close). Funny thing is it's not all the time, but most of the time. Also, when using Firefox I get (Illegal Operation in Plug-in Shockwave Flash. The plug-in performed an illegal operation. You are strongly advised to restart Firefox). Again, like Explorer, it's not all the time.

Computer itself is running a little better but still not like it used to be. I did find two versions of Sun Java in Control Panel and removed the older one. Also I uninstalled Adobe Flash Player and reinstalled Adobe Flash Player ActiveX.

I really don't know what to do now; it's got me puzzled :) maybe some of the files got corrupted with the infection I had.
Any suggestions?
  • 0