I'm working on my brother-in-laws previously IT neglected laptop and I've made some progress cleaning things up, but there seems to be some issues that require more than my level of experience.
This is a Windows XP SP2 system that had badly outdated virus software, no firewall and no anti-spyware installed. I have added Sophos AV, SpyBot S&D and before posting I added & ran AVG Anit-Virus, DSS, HijackThis, & Panda Activescan. Let me know if you need any more information.
Any help is appreciated...
Thanks
Nathan
----
Panda Activescan:
Incident Status Location
Spyware:Spyware/Vundo Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\acspxcuv.dll
Spyware:Cookie/Belnk Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\Cookies\edward palacios@belnk[2].txt
Spyware:Cookie/Dashbar Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\EDWARD~1\LOCALS~1\Temp\Cookies\edward [email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Edward Palacios\Cookies\edward__palacios@doubleclick[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Elsa Palacios\Local Settings\Temp\wfwtiemd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Elsa Palacios\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\hwo20071222[1]
Spyware:Cookie/Dashbar Not disinfected C:\Documents and Settings\LocalService\Cookies\edward [email protected][2].txt
Possible Virus. Not disinfected C:\Program Files\FaxTools\Install\Setup.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\Setup.exe
Spyware:Spyware/Virtumonde Not disinfected C:\RECYCLER\S-1-5-21-2963747139-907337274-3928304420-500\Dc1.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\aeimjfav.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\bkfskaqg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\bmuexadk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\btxfbtiv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cegahlgv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cqoukcoc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cqqpmqog.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cvjisemt.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\dnsfcmvl.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\dovtfnar.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\duibphbw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ebwkjtmn.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\ehswpvul.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\eydahhqb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gdgbhcig.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gkmjgfwu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\glknmmml.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hjjksbux.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hucpjxot.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ihxbjbel.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\iscecnxs.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\itwqgldr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jdpatbqo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jphyonty.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\klgpfdxw.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\kqhnnlyk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\lttegqne.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\nitxwcfn.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\ovkiawwn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pckrsqan.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pmsfekyk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pqjamgqs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pqkygcob.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\qaaxsamy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\qvqmpygo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\scqhyfud.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sfswhywc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sjweuqap.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\smdjrjfa.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\sxljqkdc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\syyhysfv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\tlacbuvx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ukkncffa.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ulolyunw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\utnsdqpf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vaiqwvbg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vgjfgxba.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wrwvqkxc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\wtjvqdby.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\xflouplx.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\xqlhrewb.dll
Spyware:Spyware/Vundo Not disinfected C:\WINDOWS\SYSTEM32\xrcheqgp.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\yuxggofu.dll
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:03 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {22364e79-f962-3788-6ae4-b870cbeb4ad5} - {5da4bebc-078b-4ea6-8873-269f97e46322} - C:\WINDOWS\system32\wrwvqkxc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - http://images.foodne...ages/spacer.gif
--
End of file - 6933 bytes