VUNDO, VIRTUMODE, maybe others [RESOLVED]


#1 Johnsondl (Member, 22 posts)

Hi - I believe I have Vundo and virtumonde. Symptoms are popups claiming I have infections or traces to porn content on my system and offering software to scan and clean system. I run Norton-360, and have tried spybot, AVG, Vundofix, Virtumundobegone and trojan hunter. Nothing seems to work. I would appreciate help. Thanks.

Here is a hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 8:22:09 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [08f97678] rundll32.exe "C:\WINDOWS\system32\kjimenlw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is a vundofix log:

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 7:15:13 PM 2/22/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\abadd.ini
C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\ddaba.dll
C:\WINDOWS\SYSTEM32\ddcyx.dll
C:\WINDOWS\SYSTEM32\fvdesmjr.dll
C:\WINDOWS\SYSTEM32\kbgcopbg.dll
C:\WINDOWS\SYSTEM32\khfeeee.dll
C:\WINDOWS\SYSTEM32\ltabjkvh.dll
C:\WINDOWS\SYSTEM32\naefmbdv.dll
C:\WINDOWS\SYSTEM32\ssqonmm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\abadd.ini
C:\WINDOWS\SYSTEM32\abadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\abadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ddaba.dll
C:\WINDOWS\SYSTEM32\ddaba.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ddcyx.dll
C:\WINDOWS\SYSTEM32\ddcyx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\fvdesmjr.dll
C:\WINDOWS\SYSTEM32\fvdesmjr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\kbgcopbg.dll
C:\WINDOWS\SYSTEM32\kbgcopbg.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\khfeeee.dll
C:\WINDOWS\SYSTEM32\khfeeee.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ltabjkvh.dll
C:\WINDOWS\SYSTEM32\ltabjkvh.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\naefmbdv.dll
C:\WINDOWS\SYSTEM32\naefmbdv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssqonmm.dll
C:\WINDOWS\SYSTEM32\ssqonmm.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ddcyx.dll
C:\WINDOWS\SYSTEM32\ddcyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fvdesmjr.dll
C:\WINDOWS\SYSTEM32\fvdesmjr.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 3:37:10 PM 2/23/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\cfodpjlp.dll
C:\WINDOWS\SYSTEM32\gwthriiy.dll
C:\WINDOWS\SYSTEM32\imjsefcr.dll
C:\WINDOWS\SYSTEM32\kjaixgsg.dll
C:\WINDOWS\SYSTEM32\lwhfsljo.dll
C:\WINDOWS\SYSTEM32\mcjgfell.dll
C:\WINDOWS\SYSTEM32\ojlsfhwl.ini
C:\windows\SYSTEM32\vtsqr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\cfodpjlp.dll
C:\WINDOWS\SYSTEM32\cfodpjlp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\gwthriiy.dll
C:\WINDOWS\SYSTEM32\gwthriiy.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\imjsefcr.dll
C:\WINDOWS\SYSTEM32\imjsefcr.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kjaixgsg.dll
C:\WINDOWS\SYSTEM32\kjaixgsg.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\lwhfsljo.dll
C:\WINDOWS\SYSTEM32\lwhfsljo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\mcjgfell.dll
C:\WINDOWS\SYSTEM32\mcjgfell.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ojlsfhwl.ini
C:\WINDOWS\SYSTEM32\ojlsfhwl.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\vtsqr.dll
C:\windows\SYSTEM32\vtsqr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\lwhfsljo.dll
C:\WINDOWS\SYSTEM32\lwhfsljo.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\vtsqr.dll
C:\windows\SYSTEM32\vtsqr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 4:28:55 PM 2/23/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\cdnbumbw.dll
C:\WINDOWS\SYSTEM32\ddqbqwfp.dll
C:\WINDOWS\SYSTEM32\pfwqbqdd.ini
C:\WINDOWS\SYSTEM32\ppqss.ini
C:\WINDOWS\SYSTEM32\ppqss.ini2
C:\WINDOWS\SYSTEM32\ssqpp.dll
C:\WINDOWS\SYSTEM32\uldjcnya.dll
C:\WINDOWS\system32\unipysjy.dll
C:\windows\SYSTEM32\unipysjy.dllbox
C:\WINDOWS\SYSTEM32\wdkptonj.dll
C:\WINDOWS\SYSTEM32\xktuxtwq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\cdnbumbw.dll
C:\WINDOWS\SYSTEM32\cdnbumbw.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ddqbqwfp.dll
C:\WINDOWS\SYSTEM32\ddqbqwfp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\pfwqbqdd.ini
C:\WINDOWS\SYSTEM32\pfwqbqdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ppqss.ini
C:\WINDOWS\SYSTEM32\ppqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ppqss.ini2
C:\WINDOWS\SYSTEM32\ppqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssqpp.dll
C:\WINDOWS\SYSTEM32\ssqpp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\uldjcnya.dll
C:\WINDOWS\SYSTEM32\uldjcnya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\unipysjy.dll
C:\WINDOWS\system32\unipysjy.dll Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\unipysjy.dllbox
C:\windows\SYSTEM32\unipysjy.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wdkptonj.dll
C:\WINDOWS\SYSTEM32\wdkptonj.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\xktuxtwq.dll
C:\WINDOWS\SYSTEM32\xktuxtwq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\unipysjy.dll
C:\WINDOWS\system32\unipysjy.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\unipysjy.dllbox
C:\windows\SYSTEM32\unipysjy.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 8:02:58 PM 2/23/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\ijjlm.ini
C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\pshywjwb.dll
C:\WINDOWS\SYSTEM32\wlfovnnb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ijjlm.ini
C:\WINDOWS\SYSTEM32\ijjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\SYSTEM32\ijjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\mljji.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\pshywjwb.dll
C:\WINDOWS\SYSTEM32\pshywjwb.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wlfovnnb.dll
C:\WINDOWS\SYSTEM32\wlfovnnb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 8:55:57 PM 2/23/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\acbeg.ini
C:\WINDOWS\SYSTEM32\acbeg.ini2
C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\gebca.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\acbeg.ini
C:\WINDOWS\SYSTEM32\acbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\acbeg.ini2
C:\WINDOWS\SYSTEM32\acbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\gebca.dll
C:\WINDOWS\SYSTEM32\gebca.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 7:23:55 AM 2/24/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\ekrmvelv.dll
C:\WINDOWS\SYSTEM32\kjimenlw.dll
C:\WINDOWS\SYSTEM32\wlnemijk.ini

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ekrmvelv.dll
C:\WINDOWS\SYSTEM32\ekrmvelv.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\kjimenlw.dll
C:\WINDOWS\SYSTEM32\kjimenlw.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\wlnemijk.ini
C:\WINDOWS\SYSTEM32\wlnemijk.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsstt.dll
C:\WINDOWS\SYSTEM32\awtsstt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\kjimenlw.dll
C:\WINDOWS\SYSTEM32\kjimenlw.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello Johnsondl

Welcome to G2Go. :)
================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

#3 Johnsondl (Topic Starter, Member, 22 posts)

Thanks - Combofix stalled a couple of times, but finally seemed to fully execute. It seemed to have forced my shortcut to Firefox to run in safe mode. Is it okay to restore Firefox? Please let me know if I'm clean.

Thanks,

Dave J.

Here is the combofix log file:

ComboFix 08-02-24.4 - David Johnson 2008-02-24 10:53:45.2 - NTFSx86
Running from: C:\Documents and Settings\David Johnson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Common Files\uninstall information
C:\Program Files\MyWay
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\Cache\02E476B7
C:\Program Files\MyWay\SrchAstt\Cache\02E479D4
C:\Program Files\MyWay\SrchAstt\Cache\files.ini
C:\Program Files\MyWay\SrchAstt\Settings\prevcfg.htm
C:\Program Files\pedevice
C:\Program Files\pedevice\communication.xml
C:\Program Files\pedevice\Domain.Watchlist.txt
C:\Program Files\pedevice\pae-options.xml
C:\Program Files\pedevice\search.watchlist.txt
C:\WINDOWS\blrjz.dat
C:\WINDOWS\SYSTEM32\adeeg.ini
C:\WINDOWS\SYSTEM32\adeeg.ini2
C:\WINDOWS\system32\awtsstt.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\emppu.dat
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\SYSTEM32\gfhkj.ini
C:\WINDOWS\SYSTEM32\gfhkj.ini2
C:\WINDOWS\SYSTEM32\ilkkj.ini
C:\WINDOWS\SYSTEM32\ilkkj.ini2
C:\WINDOWS\SYSTEM32\kjkkj.ini
C:\WINDOWS\SYSTEM32\kjkkj.ini2
C:\WINDOWS\SYSTEM32\kurmpbks.ini
C:\WINDOWS\system32\obhld.dat
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\SYSTEM32\qpqss.ini
C:\WINDOWS\SYSTEM32\qpqss.ini2
C:\WINDOWS\SYSTEM32\rtstv.ini
C:\WINDOWS\SYSTEM32\rtstv.ini2
C:\WINDOWS\system32\skbpmruk.dll
C:\WINDOWS\system32\tvbajukw.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\SYSTEM32\wybeg.ini
C:\WINDOWS\SYSTEM32\wybeg.ini2
C:\WINDOWS\SYSTEM32\xycdd.ini
C:\WINDOWS\SYSTEM32\xycdd.ini2
C:\WINDOWS\SYSTEM32\ybadd.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FAD




((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-24 08:36 . 2008-02-24 08:36 292,352 --a------ C:\WINDOWS\SYSTEM32\vtstr.dll.vir
2008-02-24 08:08 . 2008-02-24 08:08 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-02-23 17:49 . 2008-02-23 17:49 294 ---hs---- C:\WINDOWS\SYSTEM32\bnnvoflw.ini
2008-02-23 15:22 . 2008-02-23 15:22 292,352 --a------ C:\WINDOWS\SYSTEM32\jkkli.dll.vir
2008-02-23 08:40 . 2008-02-23 08:40 85,056 --a------ C:\WINDOWS\SYSTEM32\eyufkmel.dll.vir
2008-02-23 08:22 . 2008-02-23 08:22 292,352 --a------ C:\WINDOWS\SYSTEM32\ddcyx.dll.vir
2008-02-23 07:34 . 2008-02-23 07:34 85,056 --a------ C:\WINDOWS\SYSTEM32\bqaqdttx.dll.vir
2008-02-23 06:58 . 2008-02-23 06:58 526 ---hs---- C:\WINDOWS\SYSTEM32\mygomhyu.ini
2008-02-22 21:24 . 2008-02-23 06:50 466 ---hs---- C:\WINDOWS\SYSTEM32\vxewaipt.ini
2008-02-22 21:18 . 2008-02-22 21:18 292,352 --a------ C:\WINDOWS\SYSTEM32\mljjg.dll.vir
2008-02-22 20:07 . 2008-02-22 20:07 294 ---hs---- C:\WINDOWS\SYSTEM32\pvpknnau.ini
2008-02-22 20:06 . 2008-02-22 20:06 292,352 --a------ C:\WINDOWS\SYSTEM32\ddaby.dll.vir
2008-02-22 19:15 . 2008-02-24 08:05 <DIR> d-------- C:\VundoFix Backups
2008-02-22 13:25 . 2008-02-22 13:25 474 ---hs---- C:\WINDOWS\SYSTEM32\rjmsedvf.ini
2008-02-22 11:09 . 2008-02-22 13:17 414 ---hs---- C:\WINDOWS\SYSTEM32\hvkjbatl.ini
2008-02-22 10:54 . 2008-02-22 10:54 327,168 --a------ C:\WINDOWS\SYSTEM32\jkkjk.dll.vir
2008-02-22 07:44 . 2008-02-22 07:44 89,664 --a------ C:\WINDOWS\SYSTEM32\nfouoxgc.dll.vir
2008-02-22 07:28 . 2008-02-22 07:28 327,168 --a------ C:\WINDOWS\SYSTEM32\geeda.dll.vir
2008-02-22 07:02 . 2008-02-22 06:27 327,168 --a------ C:\WINDOWS\SYSTEM32\mljge.dll.vir
2008-02-22 06:33 . 2008-02-22 06:33 89,664 --a------ C:\WINDOWS\SYSTEM32\nuyggbjr.dll.vir
2008-02-22 06:17 . 2008-02-22 06:17 317,440 --a------ C:\WINDOWS\SYSTEM32\jkhfg.dll.vir
2008-02-21 20:21 . 2008-02-21 20:21 321,536 --a------ C:\WINDOWS\SYSTEM32\ssqpq.dll.vir
2008-02-21 20:13 . 2008-02-24 08:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 20:12 . 2008-02-21 20:12 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-21 20:12 . 2008-02-21 20:12 <DIR> d-------- C:\Documents and Settings\David Johnson\Application Data\Simply Super Software
2008-02-21 20:12 . 2008-02-21 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-21 20:12 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\SYSTEM32\ztvunrar36.dll
2008-02-21 20:12 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\SYSTEM32\UNRAR3.dll
2008-02-21 20:12 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\SYSTEM32\ztvunace26.dll
2008-02-21 20:12 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\SYSTEM32\unacev2.dll
2008-02-21 20:12 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\SYSTEM32\ztvcabinet.dll
2008-02-19 17:37 . 2008-02-21 06:19 894 ---hs---- C:\WINDOWS\SYSTEM32\qaxgpgai.ini
2008-02-19 17:09 . 2008-02-19 17:22 3,358 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-02-19 17:08 . 2008-02-19 17:11 <DIR> d-------- C:\Documents and Settings\David Johnson\SmitfraudFix
2008-02-19 17:08 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-02-19 17:08 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-02-19 17:08 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-02-19 17:08 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-02-19 17:08 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-02-19 17:08 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-02-19 17:08 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-02-18 21:15 . 2008-02-19 17:33 774 ---hs---- C:\WINDOWS\SYSTEM32\jvcoxcfn.ini
2008-02-17 21:16 . 2008-02-18 19:06 594 ---hs---- C:\WINDOWS\SYSTEM32\ahawrplk.ini
2008-02-17 09:11 . 2008-02-16 08:17 51,712 --a------ C:\Documents and Settings\David Johnson\crack.exe
2008-02-17 08:06 . 2008-02-17 08:06 0 --a------ C:\WINDOWS\Irremote.ini
2008-01-26 09:03 . 2008-02-03 10:39 <DIR> d-------- C:\Program Files\Norton 360

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 14:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-24 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-20 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-19 02:27 --------- d-----w C:\Documents and Settings\David Johnson\Application Data\.purple
2008-02-18 00:31 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-18 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-02-16 12:19 --------- d-----w C:\Program Files\Quicken
2008-02-13 16:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-26 16:40 --------- d-----w C:\Documents and Settings\David Johnson\Application Data\Symantec
2008-01-26 14:42 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-26 14:42 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-01-26 14:42 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-26 14:42 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-26 14:42 --------- d-----w C:\Program Files\Symantec
2008-01-26 01:27 --------- d-----w C:\Documents and Settings\David Johnson\Application Data\Move Networks
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-06 15:20 --------- d-----w C:\Program Files\Nero
2008-01-06 15:14 --------- d-----w C:\Program Files\NeroInstall.bak
2007-12-25 05:23 --------- d-----w C:\Program Files\Full Tilt Poker
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\SYSTEM32\NeroCo.dll
2007-02-15 23:36 81,560 ------w C:\Documents and Settings\David Johnson\Application Data\GDIPFONTCACHEV1.DAT
2006-06-13 16:54 32 ------r C:\Documents and Settings\All Users\hash.dat
2004-09-06 21:08 7,989,816 ------w C:\Program Files\MysticPhotoWizard.exe
2004-05-16 12:15 6,958,492 ------w C:\Documents and Settings\Ross Johnson\bpssr.exe
2000-06-27 22:18 995,328 ------w C:\Program Files\FlasKMPEG.exe
2000-06-13 06:04 690,176 ------w C:\Program Files\mpeg.cm.flask
2000-05-06 20:33 102,400 ------w C:\Program Files\aviout.cm.flask
1995-10-18 20:18 18,321 ------w C:\Program Files\copying
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 00:19 172032]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59 126976]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-02-21 16:13 863824]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-09-12 18:27 492912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"hbdr.exe"= C:\WINDOWS\system\hbdr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Lowrance Electronics\\MapCreate5\\MMC Browser\\MMCBrowser.exe"=
"C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"C:\\WINDOWS\\SYSTEM32\\ftp.exe"=

R1 lowpp;Lowrance MMC Parallel Port Driver;C:\WINDOWS\system32\Drivers\lowpp.sys [2000-11-14 06:30]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 01:14]
R2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-09-14 20:24]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\System32\Drivers\NPDRIVER.SYS [2002-08-14 05:03]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 12:55]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\00c9d5d9-86ee-4cec-a68a-2dc64201ea62]
C:\WINDOWS\system32\brarnnn.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 11:09:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 11:53:20
ComboFix-quarantined-files.txt 2008-02-24 16:52:42
.
2008-02-14 04:08:33 --- E O F ---

And here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:30 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.
========================================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\vtstr.dll.vir
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
C:\WINDOWS\SYSTEM32\bnnvoflw.ini
C:\WINDOWS\SYSTEM32\jkkli.dll.vir
C:\WINDOWS\SYSTEM32\eyufkmel.dll.vir
C:\WINDOWS\SYSTEM32\ddcyx.dll.vir
C:\WINDOWS\SYSTEM32\bqaqdttx.dll.vir
C:\WINDOWS\SYSTEM32\mygomhyu.ini
C:\WINDOWS\SYSTEM32\vxewaipt.ini
C:\WINDOWS\SYSTEM32\mljjg.dll.vir
C:\WINDOWS\SYSTEM32\pvpknnau.ini
C:\WINDOWS\SYSTEM32\ddaby.dll.vir
C:\WINDOWS\SYSTEM32\rjmsedvf.ini
C:\WINDOWS\SYSTEM32\hvkjbatl.ini
C:\WINDOWS\SYSTEM32\jkkjk.dll.vir
C:\WINDOWS\SYSTEM32\nfouoxgc.dll.vir
C:\WINDOWS\SYSTEM32\geeda.dll.vir
C:\WINDOWS\SYSTEM32\mljge.dll.vir
C:\WINDOWS\SYSTEM32\nuyggbjr.dll.vir
C:\WINDOWS\SYSTEM32\jkhfg.dll.vir
C:\WINDOWS\SYSTEM32\ssqpq.dll.vir
C:\WINDOWS\SYSTEM32\qaxgpgai.ini
C:\WINDOWS\SYSTEM32\jvcoxcfn.ini
C:\WINDOWS\SYSTEM32\ahawrplk.ini
C:\Documents and Settings\David Johnson\crack.exe
C:\WINDOWS\system\hbdr.exe
C:\WINDOWS\system32\brarnnn.exe
Folder::
C:\VundoFix Backups


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
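As an added example that is not part of the thread, the following Python triage script parses the Reg Loading Points section of the ComboFix log above together with a CFScript in the File::/Folder:: form used in post #4, and reports which autostart entries point at files the script deletes and which entries sit under less common load points. The sample input is constructed from entries quoted in the thread; the notion of a "standard" load point (the CurrentVersion\Run and RunOnce keys) is my own assumption, not ComboFix's.

```python
"""
Cross-check the 'Reg Loading Points' section of a ComboFix log against a
CFScript: which autostart entries reference files the script will delete,
and which entries live under load points other than the usual Run/RunOnce
keys.  All sample input is constructed from entries quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt of the REGEDIT4-style section ComboFix prints.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"hbdr.exe"= C:\WINDOWS\system\hbdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\00c9d5d9-86ee-4cec-a68a-2dc64201ea62]
C:\WINDOWS\system32\brarnnn.exe
"""

# Constructed CFScript in the File::/Folder:: form used in the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\Documents and Settings\David Johnson\crack.exe
C:\WINDOWS\system\hbdr.exe
C:\WINDOWS\system32\brarnnn.exe
Folder::
C:\VundoFix Backups
"""


@dataclass
class Autostart:
    key: str    # registry key the entry was listed under
    name: str   # value name ("" for bare-path entries such as Active Setup)
    path: str   # executable path exactly as written in the log


# ComboFix writes both  "name"="path" [meta]  and  "name"= path
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<path>[^"\[]*?)"?\s*(?:\[.*\])?\s*$')
BARE_PATH_RE = re.compile(r'^[A-Za-z]:\\\S.*$')
# Assumed "standard" load points; anything else is reported separately.
STANDARD_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce')


def parse_loading_points(text: str) -> List[Autostart]:
    """Turn the REGEDIT4-style block into a list of Autostart records."""
    entries: List[Autostart] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # new registry key header
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            path = m.group('path').strip()
            if path:                  # skip empty values such as "tscuninstall"=""
                entries.append(Autostart(key, m.group('name'), path))
        elif BARE_PATH_RE.match(line):
            entries.append(Autostart(key, '', line))   # e.g. Active Setup
    return entries


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its '<Section>::' lists (File, Folder, ...)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def orphaned_by_script(entries: List[Autostart], script: Dict[str, List[str]]) -> List[Autostart]:
    """Entries whose target file is deleted by File:: or lies under a Folder:: path."""
    files = {p.lower() for p in script.get('File', [])}
    folders = [p.lower().rstrip('\\') + '\\' for p in script.get('Folder', [])]
    return [e for e in entries
            if e.path.lower() in files or any(e.path.lower().startswith(f) for f in folders)]


def nonstandard_loadpoints(entries: List[Autostart]) -> List[Autostart]:
    """Entries under keys other than the assumed standard Run/RunOnce keys."""
    return [e for e in entries if not e.key.lower().endswith(STANDARD_SUFFIXES)]


if __name__ == '__main__':
    found = parse_loading_points(SAMPLE_LOG)
    cfs = parse_cfscript(SAMPLE_CFSCRIPT)
    for e in nonstandard_loadpoints(found):
        print(f"less common load point: [{e.key}] {e.name or '(bare path)'} -> {e.path}")
    for e in orphaned_by_script(found, cfs):
        print(f"script deletes the target of: [{e.key}] -> {e.path}")
```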

#5
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It is ok to restore Firefox.

You are not clean yet.
  • 0

#6
Johnsondl

    Member

  • Topic Starter
  • Member
  • 22 posts
Kahdah-- Thanks for all the help so far. Things seem better already. At least no pop-ups since I ran combofix the first time.

Here is the combofix log after following the instructions from your previous post:

ComboFix 08-02-24.4 - David Johnson 2008-02-24 14:05:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.397 [GMT -5:00]
Running from: C:\Documents and Settings\David Johnson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Johnson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\David Johnson\crack.exe
C:\WINDOWS\system\hbdr.exe
C:\WINDOWS\SYSTEM32\ahawrplk.ini
C:\WINDOWS\SYSTEM32\bnnvoflw.ini
C:\WINDOWS\SYSTEM32\bqaqdttx.dll.vir
C:\WINDOWS\system32\brarnnn.exe
C:\WINDOWS\SYSTEM32\ddaby.dll.vir
C:\WINDOWS\SYSTEM32\ddcyx.dll.vir
C:\WINDOWS\SYSTEM32\eyufkmel.dll.vir
C:\WINDOWS\SYSTEM32\geeda.dll.vir
C:\WINDOWS\SYSTEM32\hvkjbatl.ini
C:\WINDOWS\SYSTEM32\jkhfg.dll.vir
C:\WINDOWS\SYSTEM32\jkkjk.dll.vir
C:\WINDOWS\SYSTEM32\jkkli.dll.vir
C:\WINDOWS\SYSTEM32\jvcoxcfn.ini
C:\WINDOWS\SYSTEM32\mljge.dll.vir
C:\WINDOWS\SYSTEM32\mljjg.dll.vir
C:\WINDOWS\SYSTEM32\mygomhyu.ini
C:\WINDOWS\SYSTEM32\nfouoxgc.dll.vir
C:\WINDOWS\SYSTEM32\nuyggbjr.dll.vir
C:\WINDOWS\SYSTEM32\pvpknnau.ini
C:\WINDOWS\SYSTEM32\qaxgpgai.ini
C:\WINDOWS\SYSTEM32\rjmsedvf.ini
C:\WINDOWS\SYSTEM32\ssqpq.dll.vir
C:\WINDOWS\SYSTEM32\vtstr.dll.vir
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
C:\WINDOWS\SYSTEM32\vxewaipt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\abadd.ini.bad
C:\VundoFix Backups\abadd.ini2.bad
C:\VundoFix Backups\acbeg.ini.bad
C:\VundoFix Backups\acbeg.ini2.bad
C:\VundoFix Backups\awtsstt.dll.bad
C:\VundoFix Backups\cdnbumbw.dll.bad
C:\VundoFix Backups\cfodpjlp.dll.bad
C:\VundoFix Backups\ddaba.dll.bad
C:\VundoFix Backups\ddcyx.dll.bad
C:\VundoFix Backups\ddqbqwfp.dll.bad
C:\VundoFix Backups\ekrmvelv.dll.bad
C:\VundoFix Backups\fvdesmjr.dll.bad
C:\VundoFix Backups\gebca.dll.bad
C:\VundoFix Backups\gwthriiy.dll.bad
C:\VundoFix Backups\ijjlm.ini.bad
C:\VundoFix Backups\ijjlm.ini2.bad
C:\VundoFix Backups\imjsefcr.dll.bad
C:\VundoFix Backups\kbgcopbg.dll.bad
C:\VundoFix Backups\khfeeee.dll.bad
C:\VundoFix Backups\kjaixgsg.dll.bad
C:\VundoFix Backups\kjimenlw.dll.bad
C:\VundoFix Backups\ltabjkvh.dll.bad
C:\VundoFix Backups\lwhfsljo.dll.bad
C:\VundoFix Backups\mcjgfell.dll.bad
C:\VundoFix Backups\mljji.dll.bad
C:\VundoFix Backups\naefmbdv.dll.bad
C:\VundoFix Backups\ojlsfhwl.ini.bad
C:\VundoFix Backups\pfwqbqdd.ini.bad
C:\VundoFix Backups\ppqss.ini.bad
C:\VundoFix Backups\ppqss.ini2.bad
C:\VundoFix Backups\pshywjwb.dll.bad
C:\VundoFix Backups\ssqonmm.dll.bad
C:\VundoFix Backups\ssqpp.dll.bad
C:\VundoFix Backups\uldjcnya.dll.bad
C:\VundoFix Backups\unipysjy.dll.bad
C:\VundoFix Backups\unipysjy.dllbox.bad
C:\VundoFix Backups\vtsqr.dll.bad
C:\VundoFix Backups\wdkptonj.dll.bad
C:\VundoFix Backups\wlfovnnb.dll.bad
C:\VundoFix Backups\wlnemijk.ini.bad
C:\VundoFix Backups\xktuxtwq.dll.bad
C:\WINDOWS\SYSTEM32\ahawrplk.ini
C:\WINDOWS\SYSTEM32\bnnvoflw.ini
C:\WINDOWS\SYSTEM32\bqaqdttx.dll.vir
C:\WINDOWS\SYSTEM32\ddaby.dll.vir
C:\WINDOWS\SYSTEM32\ddcyx.dll.vir
C:\WINDOWS\SYSTEM32\eyufkmel.dll.vir
C:\WINDOWS\SYSTEM32\geeda.dll.vir
C:\WINDOWS\SYSTEM32\hvkjbatl.ini
C:\WINDOWS\SYSTEM32\jkhfg.dll.vir
C:\WINDOWS\SYSTEM32\jkkjk.dll.vir
C:\WINDOWS\SYSTEM32\jkkli.dll.vir
C:\WINDOWS\SYSTEM32\jvcoxcfn.ini
C:\WINDOWS\SYSTEM32\mljge.dll.vir
C:\WINDOWS\SYSTEM32\mljjg.dll.vir
C:\WINDOWS\SYSTEM32\mygomhyu.ini
C:\WINDOWS\SYSTEM32\nfouoxgc.dll.vir
C:\WINDOWS\SYSTEM32\nuyggbjr.dll.vir
C:\WINDOWS\SYSTEM32\pvpknnau.ini
C:\WINDOWS\SYSTEM32\qaxgpgai.ini
C:\WINDOWS\SYSTEM32\rjmsedvf.ini
C:\WINDOWS\SYSTEM32\ssqpq.dll.vir
C:\WINDOWS\SYSTEM32\vtstr.dll.vir
C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
C:\WINDOWS\SYSTEM32\vxewaipt.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-21 20:13 . 2008-02-24 08:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 17:09 . 2008-02-19 17:22 3,358 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-02-19 17:08 . 2008-02-19 17:11 <DIR> d-------- C:\Documents and Settings\David Johnson\SmitfraudFix
2008-02-19 17:08 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-02-19 17:08 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-02-19 17:08 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-02-19 17:08 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-02-19 17:08 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-02-19 17:08 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-02-19 17:08 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-02-17 09:11 . 2008-02-16 08:17 51,712 --a------ C:\Documents and Settings\David Johnson\crack.exe
2008-02-17 08:06 . 2008-02-17 08:06 0 --a------ C:\WINDOWS\Irremote.ini
2008-01-26 09:03 . 2008-02-03 10:39 <DIR> d-------- C:\Program Files\Norton 360

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-24 14:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-19 02:27 --------- d-----w C:\Documents and Settings\David Johnson\Application Data\.purple
2008-02-18 00:31 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-18 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-02-16 12:19 --------- d-----w C:\Program Files\Quicken
2008-02-13 16:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-26 16:40 --------- d-----w C:\Documents and Settings\David Johnson\Application Data\Symantec
2008-01-26 14:42 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-26 14:42 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-01-26 14:42 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-26 14:42 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-26 14:42 --------- d-----w C:\Program Files\Symantec
2008-01-26 01:27 --------- d-----w C:\Documents and Settings\David Johnson\Application Data\Move Networks
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-06 15:20 --------- d-----w C:\Program Files\Nero
2008-01-06 15:14 --------- d-----w C:\Program Files\NeroInstall.bak
2007-12-25 05:23 --------- d-----w C:\Program Files\Full Tilt Poker
2007-12-14 00:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-03 23:04 95,600 ----a-w C:\WINDOWS\SYSTEM32\NeroCo.dll
2007-02-15 23:36 81,560 ------w C:\Documents and Settings\David Johnson\Application Data\GDIPFONTCACHEV1.DAT
2006-06-13 16:54 32 ------r C:\Documents and Settings\All Users\hash.dat
2004-09-06 21:08 7,989,816 ------w C:\Program Files\MysticPhotoWizard.exe
2004-05-16 12:15 6,958,492 ------w C:\Documents and Settings\Ross Johnson\bpssr.exe
2000-06-27 22:18 995,328 ------w C:\Program Files\FlasKMPEG.exe
2000-06-13 06:04 690,176 ------w C:\Program Files\mpeg.cm.flask
2000-05-06 20:33 102,400 ------w C:\Program Files\aviout.cm.flask
1995-10-18 20:18 18,321 ------w C:\Program Files\copying
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 00:19 172032]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59 126976]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-09-12 18:27 492912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"hbdr.exe"= C:\WINDOWS\system\hbdr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Lowrance Electronics\\MapCreate5\\MMC Browser\\MMCBrowser.exe"=
"C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"C:\\WINDOWS\\SYSTEM32\\ftp.exe"=

R1 lowpp;Lowrance MMC Parallel Port Driver;C:\WINDOWS\system32\Drivers\lowpp.sys [2000-11-14 06:30]
R1 NPPTNT;NPPTNT;C:\WINDOWS\System32\npptNT.sys [2003-07-22 01:14]
R2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-09-14 20:24]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\System32\Drivers\NPDRIVER.SYS [2002-08-14 05:03]
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-12-03 12:55]

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\00c9d5d9-86ee-4cec-a68a-2dc64201ea62]
C:\WINDOWS\system32\brarnnn.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 14:15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 14:26:24
ComboFix-quarantined-files.txt 2008-02-24 19:26:19
ComboFix2.txt 2008-02-24 16:53:22
.
2008-02-14 04:08:33 --- E O F ---

And here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:32:15 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by Johnsondl, 24 February 2008 - 01:36 PM.

  • 0

#7
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0

#8
Johnsondl

    Member

  • Topic Starter
  • Member
  • 22 posts
Thanks - Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.05
Database version: 402

Scan type: Full Scan (A:\|C:\|F:\|G:\|)
Objects scanned: 455056
Time elapsed: 3 hour(s), 52 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 59

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\NewCfg (Adware.OneToolBar) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\David Johnson\crack.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\awtsstt.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\khfeeee.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\ssqonmm.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtsstt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0313949.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0313950.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1382\A0313951.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1390\A0317589.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1391\A0317592.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1391\A0317596.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317766.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317769.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1397\A0322113.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\install.ico (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\toolbar.ini (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\uninstall.exe (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\1.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\10.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\2.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\20off.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\4.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\5.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\6.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\7.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\8.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\9.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\a.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\action.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\atlantis.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\bfgtoolbartb0401.cfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\card.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\COMBOSEARCH.acs (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\ErrorLog.txt (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\fgh.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\ivillage.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\le.txt (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\logo.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\mahjong.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\mygames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\new.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\newgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\newgames3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\nick.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\nickjr.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\puzzle.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\search.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\thelagoon.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\thereef.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\topten.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\topten2.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\topten3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\topten4.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\topten5.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\webgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\word.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Program Files\bfgtoolbar\Cache\y.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\David Johnson\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.


And here is a fresh Hijackthis log (I didn't reboot):

Logfile of HijackThis v1.99.1
Scan saved at 7:12:16 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for all the help,

Dave J.

#9
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#10
Johnsondl

    Member

  • Topic Starter
  • Member
  • 22 posts
Okay - Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 5:15:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 579710
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 412302
Number of viruses found: 28
Number of infected objects: 173
Number of suspicious objects: 0
Duration of the scan process: 08:56:50

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar3.zip/MTSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ap skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar4.zip/MTSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar5.zip/MTSHTMMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar6.zip/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar8.zip/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar9.zip/F3CJPEG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar2.zip/NPMYWAY.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar28.zip/1.bin/MY2NS.EXE Infected: not-a-virus:AdWare.Win32.Excite.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar28.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch18.zip/MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3CJPEG.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.e skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.j skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.e skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/SrchAstt/1.bin/MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip ZIP: infected - 15 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-25_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\09B205A1.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15882EA4.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B575540.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\269F7F31.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26A97D26.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\622E4FFA.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68472DBA.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\684A57B6.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A7C07ED.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F7A4F14.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F877706.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1662A89D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\20ADD1C0.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\David Johnson\Application Data\Thunderbird\Profiles\xhcs6gv1.default\abook.mab Object is locked skipped
C:\Documents and Settings\David Johnson\Application Data\Thunderbird\Profiles\xhcs6gv1.default\Mail\Local Folders\Inbox.msf Object is locked skipped
C:\Documents and Settings\David Johnson\Application Data\Thunderbird\Profiles\xhcs6gv1.default\Mail\Local Folders\Junk.msf Object is locked skipped
C:\Documents and Settings\David Johnson\Application Data\Thunderbird\Profiles\xhcs6gv1.default\panacea.dat Object is locked skipped
C:\Documents and Settings\David Johnson\Application Data\Thunderbird\Profiles\xhcs6gv1.default\parent.lock Object is locked skipped
C:\Documents and Settings\David Johnson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David Johnson\l2mfix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\David Johnson\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\David Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David Johnson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David Johnson\Local Settings\History\History.IE5\MSHist012008022520080226\index.dat Object is locked skipped
C:\Documents and Settings\David Johnson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David Johnson\My Documents\My Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\David Johnson\My Documents\My Downloads\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\David Johnson\My Documents\My Downloads\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\David Johnson\My Documents\My Downloads\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\David Johnson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\David Johnson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\David Johnson\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\hijackthis\backups\backup-20050115-092728-594.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bf skipped
C:\Program Files\hijackthis\backups\backup-20050115-092729-205.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\MyTotalSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\Program Files\MyTotalSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.y skipped
C:\Program Files\MyTotalSearch\bar\1.bin\MTSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\VundoFix Backups\cfodpjlp.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ddcyx.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\QooBox\Quarantine\C\VundoFix Backups\fvdesmjr.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\QooBox\Quarantine\C\VundoFix Backups\gwthriiy.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\VundoFix Backups\kbgcopbg.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\VundoFix Backups\naefmbdv.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\wdkptonj.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\xktuxtwq.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ddaby.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkhfg.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mljjg.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ssqpq.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1384\A0315174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1385\A0315398.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1387\A0317441.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1387\A0317442.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1388\A0317509.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1388\A0317525.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1390\A0317566.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1392\A0317614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1392\A0317615.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1392\A0317616.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1392\A0317617.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1392\A0317618.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1394\A0317744.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317765.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317767.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317768.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317771.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1395\A0317772.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0319810.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0320913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0320957.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0320958.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0320964.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0322020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1396\A0322021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{06CDF479-DA56-445E-88B7-74D013287892}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET28F.tmp Object is locked skipped
C:\WINDOWS\Temp\JETFFC0.tmp Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar3.zip/MTSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ap skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar3.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar4.zip/MTSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar4.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar5.zip/MTSHTMMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bi skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar5.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar6.zip/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar6.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar8.zip/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar8.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar9.zip/F3CJPEG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar9.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar2.zip/NPMYWAY.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar2.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar28.zip/1.bin/MY2NS.EXE Infected: not-a-virus:AdWare.Win32.Excite.a skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar28.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch18.zip/MWSOEMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch18.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3CJPEG.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3HISTSW.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3HTMLMU.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3REPROX.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.e skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3RESTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3SCHMON.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.j skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/F3WPHOOK.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/M3OUTLCN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/M3SKIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/MWSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.e skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/bar/1.bin/MWSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip/SrchAstt/1.bin/MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWebSearch33.zip ZIP: infected - 15 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\09B205A1.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15882EA4.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B575540.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\269F7F31.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26A97D26.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36B55D1F.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3A9962D7.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4DA24493.exe/WISE0024.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4DA24493.exe WiseSFX: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4DA24493.exe WiseSFXDropper: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4DA24493.exe CryptFF: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\622E4FFA.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67CE566C.exe Infected: Trojan-Downloader.Win32.Tiny.bw skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68472DBA.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\684A57B6.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A7C07ED.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F7A4F14.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F877706.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
F:\My Backup\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\My Backup\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\My Backup\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
F:\My Backup\Documents and Settings\All Users\Documents\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
F:\My Backup\Documents and Settings\David Johnson\l2mfix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis-1.zip/backups/backup-20060818-182533-243.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis-1.zip/backups/backup-20060818-182533-962.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis-1.zip ZIP: infected - 2 skipped
F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\SmileyCentralFFSetup2.1.50.2.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
F:\My Backup\Program Files\hijackthis\backups\backup-20050115-092728-594.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bf skipped
F:\My Backup\Program Files\hijackthis\backups\backup-20050115-092729-205.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\Program Files\MyTotalSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
F:\My Backup\Program Files\MyTotalSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.y skipped
F:\My Backup\Program Files\MyTotalSearch\bar\1.bin\MTSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
F:\My Backup\RECYCLER\NPROTECT\00282031.EXE Infected: not-a-virus:AdWare.Win32.Excite.a skipped
F:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1398\change.log Object is locked skipped
G:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
G:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307731.exe/Stream/data0076/stream/data0006 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307731.exe/Stream/data0076/stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307731.exe/Stream/data0076 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307731.exe/Stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307731.exe Inno: infected - 4 skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307739.exe/data0081/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307739.exe/data0081/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307739.exe/data0081 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1359\A0307739.exe Inno: infected - 3 skipped
G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1398\change.log Object is locked skipped

Scan process completed.

and a fresh hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:20:06 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Let me know what's next. Thanks, Dave J.

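The online-scanner report above mixes three kinds of line (a detection, a locked object, an archive summary) and, more importantly, mixes hits on the live system with hits inside System Restore points, AV quarantine folders, Spybot recovery archives and a backup copy of an old profile, none of which execute and all of which are cleared by purging the container rather than by cleaning files in place. The following is an added example, not code from the thread or from any of the tools named in it, that parses lines in that format and separates the two. The sample lines are constructed for the example and modelled on the report; the two `C:\` lines at the end are invented live hits that do not appear in the real log.

```python
"""Triage a Kaspersky-style scan report (the "... Infected: <verdict> skipped" lines).
Hits inside restore points, AV quarantine folders, backup copies or archives are
dormant: the fix is to purge the container. Only hits on live paths need file-level
cleanup. Sample lines below are constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass

# The three line shapes the online scanner emits; "skipped" means report-only.
_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
_ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<n>\d+) skipped$")
_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Container markers, matched case-insensitively against the path. Order matters:
# the first match wins, so the more specific markers come first.
CONTAINERS = [
    ("restore_point", r"\\system volume information\\_restore"),
    ("av_quarantine", r"\\quarantine\\|\\spybot - search & destroy\\recovery\\|hijackthis[^\\/]*[\\/]backups"),
    ("backup_copy", r"^[a-z]:\\my backup\\"),
]


@dataclass
class Hit:
    path: str
    verdict: str
    container: str    # a CONTAINERS name, or "live"
    in_archive: bool  # nested entry such as foo.zip/inner.dll
    pua: bool         # Kaspersky's "not-a-virus:" prefix (adware, riskware, remote-admin tools)


def classify_path(path):
    """Return (container, in_archive) for a reported path."""
    low = path.lower()
    in_archive = "/" in path  # the scanner uses '/' only for entries inside archives
    for name, pattern in CONTAINERS:
        if re.search(pattern, low):
            return name, in_archive
    return "live", in_archive


def parse_report(lines):
    """Split report lines into detections, locked objects and archive summaries."""
    hits, locked, archives = [], [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := _INFECTED.match(line):
            container, in_archive = classify_path(m["path"])
            hits.append(Hit(m["path"], m["verdict"], container, in_archive,
                            m["verdict"].startswith("not-a-virus:")))
        elif m := _ARCHIVE.match(line):
            archives.append((m["path"], m["kind"], int(m["n"])))
        elif m := _LOCKED.match(line):
            locked.append(m["path"])
    return hits, locked, archives


def triage(hits):
    """Count hits per bucket; only the two live_* buckets need action on files."""
    buckets = Counter()
    for h in hits:
        if h.container == "live":
            buckets["live_pua" if h.pua else "live_malware"] += 1
        else:
            buckets[h.container] += 1
    return dict(buckets)


def action_items(hits):
    """Live paths to remove; for an archive entry the unit of action is the archive."""
    return sorted({h.path.split("/", 1)[0] if h.in_archive else h.path
                   for h in hits if h.container == "live"})


def verdict_families(hits):
    """Collapse 'not-a-virus:AdWare.Win32.Virtumonde.gen' to 'AdWare.Win32.Virtumonde'."""
    fam = Counter()
    for h in hits:
        name = h.verdict.split(":")[-1]
        fam[".".join(name.split(".")[:3])] += 1
    return fam


# Constructed sample modelled on the report above; the two C:\ lines at the end are
# invented live hits that do not appear in the real log.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1392\A0317614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar3.zip/MTSOESTB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ap skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyTotalSearchBar3.zip ZIP: infected - 1 skipped
F:\My Backup\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\36B55D1F.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
F:\My Backup\Program Files\MyTotalSearch\bar\1.bin\MTSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MyTotalSearch\bar\1.bin\MTSOEPLG.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\WINDOWS\system32\example.dll Infected: Trojan-Downloader.Win32.Small.ddp skipped
""".strip().splitlines()

if __name__ == "__main__":
    hits, locked, archives = parse_report(SAMPLE_REPORT)
    print("buckets:", triage(hits))
    print("action items:", action_items(hits))
    print("families:", dict(verdict_families(hits)))
    print(f"{len(locked)} locked object(s), {len(archives)} archive summary line(s)")
```

Run against the real report, the script puts every Virtumonde hit in the restore_point bucket and every MyWebSearch/Look2Me hit in av_quarantine or backup_copy, which is exactly why the helper's next steps are "empty the Spybot recovery and Norton quarantine" and "clean System Restore points" rather than more file-by-file removal. Locked objects (registry hives, event logs, the WBEM repository) are normal and are not detections.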


#11
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Open up Spybot and go to the Recovery box.
Double-click to open it, place a check mark next to everything in there and click on Remove.
=================================
Empty your Norton Quarantine as well, please.
===============================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator".)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\MyTotalSearch
    F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\SmileyCentralFFSetup2.1.50.2.exe 
    F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis-1.zip/backups
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveIt2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

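The procedure above (paste a list of paths, have the tool move them, read back a timestamped log) is the standard "move, don't delete" cleanup pattern: the suspect files are preserved under a mirror of their original location so a false positive can be restored and the sample is still available for analysis. The following is an added example that implements that pattern, not OTMoveIt2's own code; it borrows only the tool's observable conventions (a MovedFiles tree, "moved successfully" / "not found" lines, mmddyyyy_hhmmss log names). It also handles a detail visible in the path list above: a scanner writes an entry inside an archive as `something.zip/inner`, which is not a filesystem path, so the unit a move tool can act on is the containing archive. The fixture it operates on is a throwaway directory tree constructed by the example itself.

```python
"""Move suspect paths into a quarantine tree instead of deleting them, and write an
OTMoveIt-style log. Moving keeps the evidence (and a hash of it) so a false positive
can be put back exactly where it was. Added example; not OTMoveIt's own code."""
import hashlib
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Scanners print an entry inside an archive as 'archive.zip/inner'; that is not a
# filesystem path, so the unit a move tool can act on is the containing archive.
ARCHIVE_ENTRY = re.compile(r"^(?P<archive>.+?\.(?:zip|rar|cab|7z))[\\/](?P<inner>.+)$",
                           re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_destination(path, moved_root):
    """Mirror the original location under moved_root, e.g. C:\\X\\y -> <root>\\C\\X\\y."""
    p = Path(path).absolute()
    drive = p.drive.rstrip(":") or "root"  # 'C' on Windows, 'root' on POSIX
    return Path(moved_root) / drive / p.relative_to(p.anchor)


def quarantine_paths(targets, quarantine_root):
    """targets: path strings, one per pasted line. Returns (target, status, detail)
    tuples; status is moved / not found / locked / archive-entry."""
    root = Path(quarantine_root)
    moved_root = root / "MovedFiles"
    results = []
    for raw in targets:
        target = raw.strip()
        if not target:
            continue
        if m := ARCHIVE_ENTRY.match(target):
            results.append((target, "archive-entry", f"moving containing archive {m['archive']}"))
            target = m["archive"]
        p = Path(target)
        if not p.exists():
            results.append((target, "not found", ""))
            continue
        digest = sha256_of(p) if p.is_file() else ""  # hash before the move: evidence
        dest = quarantine_destination(p, moved_root)
        try:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest))
        except OSError as err:
            # Usually a file held open by a running process; the real tools defer
            # such moves to the next reboot instead of failing silently.
            results.append((target, "locked", f"{err}; retry after reboot"))
            continue
        results.append((target, "moved", digest))
    write_log(root, results)
    return results


def write_log(root, results):
    """Write <root>/<mmddyyyy_hhmmss>.log, the naming convention OTMoveIt2 uses."""
    root.mkdir(parents=True, exist_ok=True)
    lines = []
    for target, status, detail in results:
        if status == "moved":
            lines.append(f"{target} moved successfully." + (f" sha256={detail}" if detail else ""))
        elif status == "not found":
            lines.append(f"File/Folder {target} not found.")
        else:
            lines.append(f"{target}: {status} ({detail})")
    stamp = datetime.now().strftime("%m%d%Y_%H%M%S")
    (root / f"{stamp}.log").write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def demo():
    """Constructed fixture in a throwaway directory (not anyone's real disk)."""
    base = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    adware = base / "Program Files" / "MyTotalSearch" / "bar" / "1.bin"
    adware.mkdir(parents=True)
    (adware / "MTSOEPLG.DLL").write_bytes(b"MZ fake adware body")
    archive = base / "hijackthis-1.zip"
    archive.write_bytes(b"PK fake archive body")
    targets = [
        str(base / "Program Files" / "MyTotalSearch"),  # whole folder
        f"{archive}/backups",                           # archive entry, as a scanner prints it
        str(base / "SmileyCentralFFSetup.exe"),         # already deleted: expect 'not found'
        "",                                             # blank pasted line
    ]
    return base, quarantine_paths(targets, base / "_OTMoveIt")


if __name__ == "__main__":
    base, results = demo()
    for log in sorted((base / "_OTMoveIt").glob("*.log")):
        print(log.read_text(encoding="utf-8"))
```

The hash is taken before the move so the log records what was quarantined even if the file is later altered or restored; "not found" is reported rather than treated as an error, because a path a scanner reported days earlier may already have been removed by another tool, which is what happened with two of the three paths in this thread.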
#12
Johnsondl (Member, Topic Starter, 22 posts)
Hi Kahdah-

Thanks again for all the help. Still symptom free, so I think we got the nastiest ones.

I purged the backup files from Spybot, but I couldn't figure out how to do the same with Norton.
I'm running Norton 360 and the only option I can see on the quarantined files is to restore them.
If this is an issue I can try to get some help from Symantec.

MoveIt seemed to run fine. Here is the log:

C:\Program Files\MyTotalSearch\SrchAstt\Settings moved successfully.
C:\Program Files\MyTotalSearch\SrchAstt\Cache moved successfully.
C:\Program Files\MyTotalSearch\SrchAstt\1.bin moved successfully.
C:\Program Files\MyTotalSearch\SrchAstt moved successfully.
C:\Program Files\MyTotalSearch\bar\Settings moved successfully.
C:\Program Files\MyTotalSearch\bar\History moved successfully.
C:\Program Files\MyTotalSearch\bar\Game\CHESS moved successfully.
C:\Program Files\MyTotalSearch\bar\Game moved successfully.
C:\Program Files\MyTotalSearch\bar\Cache moved successfully.
C:\Program Files\MyTotalSearch\bar\1.bin moved successfully.
C:\Program Files\MyTotalSearch\bar moved successfully.
C:\Program Files\MyTotalSearch moved successfully.
File/Folder F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\SmileyCentralFFSetup2.1.50.2.exe not found.
File/Folder F:\My Backup\Documents and Settings\David Johnson\My Documents\My Downloads\hijackthis-1.zip/backups not found.

OTMoveIt2 v1.0.20 log created on 02262008_072444


I noticed some of the files were not found. I might have run "cleanup" over the weekend which might have deleted them.

Let me know what's next.

Thanks again.

Dave J

#13
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Great, that is fine.
=================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK

The above procedure will delete and do the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete/uninstall anything that we used that is left over.
============================================
After that, your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here

#14
Johnsondl (Member, Topic Starter, 22 posts)
Thanks Kahdah -
I completed the instructions for your previous post. Seems like I am now clean, so you can close the thread unless you have any other suggestions. You have been great. Instructions have been very clear and you helped me solve the problem after spending many hours of trying on my own.

Thanks again,

Dave J.

Edited by Johnsondl, 28 February 2008 - 06:10 PM.


#15
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.