Ok... no real problems. Except when I ran SPSeHjFix, it didn't reboot like it said it was going to. I read the log, and it basically said that it needed a reboot. Also, the "Rogue" files I could not find, and therefore I assume they must have already been deleted; I was viewing hidden files as well. Also, CWShredder found nothing, and cleanup cleaned a good 12,000 files!! On the Kaspersky online scan it asks what to scan... I chose "My Computer" versus the other options like email, etc.
Here are the logs as requested:
SPSeHjFix log:
(9/23/05 10:21:07 AM) SPSeHjFix started v1.1.2
(9/23/05 10:21:07 AM) OS: WinXP Service Pack 1 (5.1.2600)
(9/23/05 10:21:07 AM) Language: english
(9/23/05 10:21:07 AM) Win-Path: C:\WINDOWS1
(9/23/05 10:21:07 AM) System-Path: C:\WINDOWS1\System32
(9/23/05 10:21:07 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(9/23/05 10:21:10 AM) Disinfection started
(9/23/05 10:21:10 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:21:10 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:10 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:10 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\jon~1.jon\locals~1\temp\se.dll/spage.html
(9/23/05 10:21:10 AM) Stealth-String not found
(9/23/05 10:21:10 AM) No locked Files to delete. End without Reboot
(9/23/05 10:21:32 AM) Disinfection started
(9/23/05 10:21:32 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:21:32 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:32 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:32 AM) Bad IE-pages: (none)
(9/23/05 10:21:32 AM) Stealth-String not found
(9/23/05 10:21:32 AM) No locked Files to delete. End without Reboot
(9/23/05 10:24:19 AM) Disinfection started
(9/23/05 10:24:19 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:24:19 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:19 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:19 AM) Bad IE-pages: (none)
(9/23/05 10:24:19 AM) Stealth-String not found
(9/23/05 10:24:19 AM) No locked Files to delete. End without Reboot
(9/23/05 10:24:20 AM) Disinfection started
(9/23/05 10:24:20 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) Bad IE-pages: (none)
(9/23/05 10:24:20 AM) Stealth-String not found
(9/23/05 10:24:20 AM) No locked Files to delete. End without Reboot
(9/23/05 10:24:20 AM) Disinfection started
(9/23/05 10:24:20 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) Bad IE-pages: (none)
(9/23/05 10:24:20 AM) Stealth-String not found
(9/23/05 10:24:20 AM) No locked Files to delete. End without Reboot
Kaspersky log: VERY SLOWWWW!!!
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 23, 2005 14:46:40
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/09/2005
Kaspersky Anti-Virus database records: 141809
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 64939
Number of viruses found: 8
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 13239 sec
Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeTools.hta Infected: Trojan-Dropper.VBS.Inor.bt
C:\My Shared Folder\Windows XP SP2 KeyGen.exe Infected: P2P-Worm.Win32.Tibick
C:\Program Files\Norton AntiVirus\Quarantine\00A00DCB.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\00B409B5.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\069F6FC0.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\0C157988.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\15527FE5.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\156925CC.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\158D73A4.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\1E552687.exe Infected: P2P-Worm.Win32.Tibick
C:\Program Files\Norton AntiVirus\Quarantine\46FF1D83.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\47091B78.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\68C7337F.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP12\A0001184.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP12\A0001198.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001209.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001212.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001221.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001230.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001233.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001245.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001252.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001253.exe Infected: P2P-Worm.Win32.Tibick
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP14\A0002203.dll Infected: Virus.Win32.Nsag.a
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP15\A0004057.dll Infected: Virus.Win32.Nsag.a
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP25\A0005065.dll Infected: Virus.Win32.Nsag.a
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP25\A0005183.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP25\A0005292.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP42\A0006953.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP42\A0006961.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP42\A0006968.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007023.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007030.exe Infected: Trojan-Downloader.Win32.Small.bgv
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007031.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007034.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007035.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\WINDOWS1\hisistheurls.exe/archive comment Infected: Trojan.Win32.Favadd.f
C:\WINDOWS1\hisistheurls.exe Infected: Trojan.Win32.Favadd.f
C:\WINDOWS1\msview\Ad-aware Professional.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\Ad-aware.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\ICQ 4.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\Spybot - Search & Destroy.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\WinZip.exe Infected: P2P-Worm.Win32.Tibick
Scan process completed.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:47:38 PM, on 9/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\WINDOWS1\System32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS1\System32\ssstars.scr
C:\WINDOWS1\System32\ssstars.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Agent\agent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop\HijackThis.exe
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS1\UpdReg.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\System32\ctfmon.exe
O4 - HKCU\..\Run: [updatelavasoft] C:\WINDOWS1\System32\updatelavasoft.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0b\cstray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS1\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125267220564
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127256435424
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS1\wanmpsvc.exe