[derek01f]

Ok I'm at the kaspersky part. I remember doing this on my laptop here and had no problems. But with her computer it keeps failing to download the files. We do have a proxy but she is out past it. Any suggestions?

[Advertisements]

Hmm if you are past the proxy and you are still able to get online then it seems like a kaspersky issue.
===========================
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)

[kahdah]

Hmm if you are past the proxy and you are still able to get online then it seems like a kaspersky issue.
===========================
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)

[derek01f]

nevermind I got it working

[derek01f]

you want me to finish the kaspersky or do the one you just listed above?

[kahdah]

Ok then go ahead with Kaspersky and disregard the previous post.

[derek01f]

Ok then go ahead with Kaspersky and disregard the previous post.

roger

[derek01f]

kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-30 11:51
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 814948
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
U:\

Scan Statistics:
Total number of scanned objects: 35752
Number of viruses found: 8
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 00:44:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\administrator.CAMBRIA\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator.CAMBRIA\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\administrator.CAMBRIA\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sbalsinger\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\sbalsinger\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sbalsinger\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sbalsinger\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sbalsinger\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sbalsinger\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sbalsinger\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\cftmon.exe.vir Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\ftp34.dll.vir Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\QooBox\Quarantine\C\Documents and Settings\administrator.CAMBRIA\cftmon.exe.vir Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\QooBox\Quarantine\C\Documents and Settings\administrator.CAMBRIA\ftp34.dll.vir Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\cftmon.exe.vir Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\ftp34.dll.vir Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\QooBox\Quarantine\C\Documents and Settings\sbalsinger\cftmon.exe.vir Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\QooBox\Quarantine\C\Documents and Settings\sbalsinger\ftp34.dll.vir Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spools.exe.vir Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c0030350.exe.vir Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00A8054.dat.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00AC88E.dat.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00F71C6.exe.vir Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\QooBox\Quarantine\C\WINDOWS\xpupdate.exe.vir Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\QooBox\Quarantine\catchme2008-05-28_152634.53.zip/clbdriver.sys Infected: Rootkit.Win32.Agent.aoz skipped
C:\QooBox\Quarantine\catchme2008-05-28_152634.53.zip ZIP: infected - 1 skipped
C:\SDFix\backups\backups.zip/backups/cftmon.exe Infected: Trojan-Downloader.Win32.Small.whc skipped
C:\SDFix\backups\backups.zip/backups/spools.exe Infected: Trojan-Downloader.Win32.Small.whc skipped
C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001003.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001004.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001007.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001008.exe Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001046.exe Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001047.exe Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002005.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002006.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002041.exe Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002049.exe Infected: not-virus:Hoax.Win32.Renos.fi skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002050.exe Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002051.exe Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002052.exe Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002053.exe Infected: Trojan-Downloader.Win32.Small.wen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0004126.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0004127.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0004128.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0004129.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{536E90D0-4AEB-41EE-ACF0-6AADACADA3F1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7075EE45-7D64-4ADC-BF61-5590FE2C87DF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ftp34.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped
C:\WINDOWS\system32\rexesvr.exe Infected: not-a-virus:NetTool.Win32.RemoteProcessSpawn.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\autorun.exe Infected: Trojan-Downloader.Win32.Small.wen skipped

Scan process completed.

[kahdah]

Are you familiar with this file?
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINDOWS\System32\rexesvr.exe

It is classified as a RemoteProcessSpawn more than likely it is legit probably related to some kind of Win vnc type remote access tool.
Anyway check with the owner because I don't want to delete it if they use it.

Get back to me with that and we will finish up.

[derek01f]

yeah its from a program we use to reboot machines remotely. took a bit to figure out which program it was coming from

[kahdah]

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
  C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe
  C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix
  C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix.exe
  C:\WINDOWS\system32\ftp34.dll 
  E:\autorun.exe

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
Post that log and a final Hijackthis log and we will finish it up.

[derek01f]

otmovieit log:

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix moved successfully.
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe moved successfully.
C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix moved successfully.
C:\Documents and Settings\sbalsinger\Desktop\SmitfraudFix.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\ftp34.dll NOT unregistered.
C:\WINDOWS\system32\ftp34.dll moved successfully.
E:\autorun.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 06022008_090923

[kahdah]

Hi can you post one more Hijackthis log and let me know if things are back to normal?

[derek01f]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:54, on 2008-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.6.135:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.jnet.state.pa.us; https://www.jnet.sta...e.pa.us;<local>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://172.17.6.3/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\Software\..\Telephony: DomainName = cambria.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cambria.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{34BF8A9F-786D-40C1-8FDF-BAE93A8E918B}: NameServer = 172.17.6.1,172.17.5.2
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINDOWS\System32\rexesvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 4616 bytes

[kahdah]

Cleanup::

• Make sure you have an Internet Connection.
• Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Click on the CleanUp! button
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

===============
After that Upgrading Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.

=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================
After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

[derek01f]

thanks really appreciate all your help