Trojan.Vundo from [bleep]


This topic is locked

#1 Abraham3 (New Member, 1 posts)

Hello,

First, I hope you have a good editor with which to read this file. I'd suggest turning on word wrap to read this note, then turn it off for perusing all the logs below. Several have very long line lengths - particularly the CSV files.

I have been 'infected' by the trojan.vundo (nee virtumondo) that has so far resisted all efforts to remove it.

The machine is an Asus P5LD2 'Deluxe' motherboard with a 3.2 GHz P4 single core (Intel 540?), and 2 GB of RAM. I run Win2K SP4. I have two 80 GB ATA drives as C: and E: with a DVD-burner as D: and a DVD-ROM as F:. The machine also has a Sony multi-card reader for flash sticks/chips that, when empty of chips, appears as multiple unmounted drives. There are often also one or two thumb drives stuck into USB ports somewhere.

I have an Administrator account and one Power User account named "Normal Operations".

I run Norton Anti-Virus (Program version 7.61.932, Scan Engine version 4.1.0.15) every night. I update my definitions perhaps twice weekly. I have NAV also set to always run its real time monitoring. About once a week I also run:

o Ad-Aware SE Personal Version 1.06 and always use the latest definitions (currently from 27 Dec 07)

o PCTools Registry Mechanic version 5.2.0.310. My subscription for updates expired almost a year back but it is still quite functional.

I first noticed that my machine was choking a bit playing a DVD movie. Then I noticed that it would no longer scroll smoothly through files of any sort.
I saw nothing amiss in Task Manager/Processes but... I had suffered none of the MSIE popups one expects with this trojan. This machine is rarely ever powered off but I rebooted while looking into this and discovered that after everything except Asus's 'Probe' (temp & fan monitor) had loaded, a CMD window pops up and prints three lines all reading "1 file(s) copied" and then closes. A few seconds later another CMD window opens just for an instant with no text visible. I have been able to catch and close the first window before the "file(s) copied" text displays but doing so seems to have no effect.

About this time I got a popup from NAV rtvscan telling me that I had Trojan.Vundo in the form of C:\Documents and Settings\Normal Operations\Local Settings\Temp\gebcc.dll and that it could neither quarantine it nor delete it. When I tried I got:

"Cannot delete gebcc.dll: There has been a sharing violation. The source or destination file may be in use."

This is getting lengthy so let me try to abbreviate this a bit. I read up what I could then downloaded:

o MS MalwareScan from Microsoft (Windows-KB890830-v1.36.exe) that found nothing

o FixVundo.exe from Symantec that found nothing

o McAfee Stinger that found nothing

o VundoFix.exe from Atribune that found nothing

o VirtumondoBeGone.exe from Secured2K which found nothing

o HiJackThis 2.02 from Trend Micro. The log does not mention gebcc.dll

o An HJT Startup scan also showed no mention of the dll

o I went into RegEdit and did a search for and deleted all keys which mentioned gebcc.dll. I did not notice where or what they were but they seemed to have no effect.

o Got 'Process Explorer' and used it to suspend and later kill the four gebcc.dll threads I found under Explorer.exe. Immediately afterwards I tried NAV and manually deleting them. No joy.

Friday I went out and bought PCTools Spyware Doctor version 5.0.1.205R, updated everything (now 5.5.0.178) and then ran a full scan. It found several other spyware files I'd never heard of (and cleaned them without trouble) but did not react to gebcc.dll. I then did a custom scan pointed directly at the infected folder. No reaction. During the scan and despite having turned on ALL of Spyware Doctor's real time "Guards", the DLL seemed to have downloaded more code - a new and unknown executable appeared alongside it in the TEMP folder and new popups began plaguing me in MSIE.

The attached HiJackThis log was created after the following steps:

o Did a power off reboot into Administrator

o Did a NAV Scan and attached the results to this note. Only gebcc.dll showed up. Earlier scans had found other things that seemed to have been downloaded by Vundo but NAV was able to quarantine them (from whence I finished them off).

o Ran a scan with PCTools RegMechanic and attached the results to this file

o Logged off Administrator and logged on to Normal Operations, allowing the CMD windows to run unchecked

o Here I ran into a problem or two. I am guessing that this Trojan is being proactive with HJT and perhaps some other AV or AT programs. Any attempt to get HJT to record a scan (i.e., write it to disk) causes HJT to immediately disappear from memory with nothing recorded. I *was* able to create a Startup log but HJT shut itself down as it was making it. I went into Process Explorer and killed all the gebcc.dll threads under Explorer.exe but that did not help. A simpler strategy, however, was more successful: I renamed HiJackThis.exe to Something.exe, ran it and discovered I could now store scan logs without crashing.

Any help would probably convince me to turn off the engine of the family car and remove the towels from under the door. ;->

Abraham

Logs below separated by double-rows of asterisks.

Final addendums: I am now beset by browser hijacks: porn, bogus spyware, Indian Bollywood gossip pages, etc. In the HJT log there is mention of an unnamed BHO. I did a search in the Registry for the hex string shown there and every other occurrence involved mention of gebcc.dll. I deleted them all but, again, it seemed to do nothing.


TURN OFF WORD WRAP AT THIS POINT


********************************************************************************
**************************NAV NOTIFICATION**************************************
********************************************************************************

Virus notification from Norton Anti-Virus scan of drives C: and E: from Administrator account

Scan type: Manual Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\Documents and Settings\Normal Operations\Local Settings\Temp\gebcc.dll
Location: C:\Documents and Settings\Normal Operations\Local Settings\Temp
Computer: MASTER
User: Administrator
Action taken: Clean failed : Quarantine failed :
Date found: Sat Jan 12 10:40:58 2008

********************************************************************************
***************************NAV VIRUS HISTORY LOG********************************
********************************************************************************


Date ,Filename ,Virus Name ,Virus Type ,Action Taken ,Computer ,User ,Original Location ,Status ,Current Location ,Primary Action ,Secondary Action ,Scan Type ,
1/12/2008 10:40:58 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/12/2008 10:33:09 AM ,webinst[2].cab ,Downloader.MisleadApp ,File ,Quarantined ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PKO75T89\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 10:33:07 AM ,scan[1].htm ,Downloader ,File ,Quarantined ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RVHF75ID\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 10:29:47 AM ,9_swp[1] ,Downloader ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FG20VKCP\ ,Infected ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FG20VKCP\ ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 10:08:50 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/12/2008 10:05:24 AM ,kcdknbjv.dll ,Trojan.Adclicker ,File ,Quarantined ,MASTER ,Administrator ,C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 10:05:24 AM ,aal20080110[1] ,Trojan.Adclicker ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SFFB6451\ ,Infected ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SFFB6451\ ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 10:04:17 AM ,rneuctkp.dll ,Trojan.Vundo ,File ,Quarantined ,MASTER ,Administrator ,C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 10:04:17 AM ,jal20080110[1] ,Trojan.Vundo ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Infected ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/12/2008 4:31:43 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/11/2008 6:37:33 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/11/2008 5:54:55 AM ,ynjgught.dll ,Trojan.Adclicker ,File ,Quarantined ,MASTER ,Normal Operations ,C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/11/2008 5:54:55 AM ,aal20080110[1] ,Trojan.Adclicker ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\Y78D2N2J\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\Y78D2N2J\,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/11/2008 5:54:49 AM ,ncrefyns.dll ,Trojan.Vundo ,File ,Quarantined ,MASTER ,Normal Operations ,C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/11/2008 5:54:48 AM ,jal20080110[1] ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\MB81EFY3\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\MB81EFY3\,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/10/2008 9:39:02 PM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/10/2008 9:34:17 PM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/10/2008 9:32:31 PM ,imfe.exe ,Downloader ,File ,Left alone ,MASTER ,SYSTEM ,C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ ,Infected ,C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,
1/10/2008 9:32:31 PM ,u[1].dat ,Downloader ,File ,Left alone ,MASTER ,SYSTEM ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Infected ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,
1/10/2008 9:32:30 PM ,rmumwuce.dll ,Trojan.Adclicker ,File ,Left alone ,MASTER ,SYSTEM ,C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\ ,Infected ,C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,
1/10/2008 8:02:46 PM ,rmumwuce.dll ,Trojan.Adclicker ,File ,Quarantined ,MASTER ,Normal Operations ,C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/10/2008 8:02:46 PM ,aal20080110[1] ,Trojan.Adclicker ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\UP47S3GD\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\UP47S3GD\,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/10/2008 12:02:57 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/9/2008 12:02:55 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/8/2008 8:45:21 PM ,0[1].htm ,Downloader ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Infected ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/8/2008 8:44:29 PM ,imfe.exe ,Downloader ,File ,Quarantined ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/8/2008 8:44:29 PM ,u[1].dat ,Downloader ,File ,Quarantined ,MASTER ,Administrator ,C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q5CJI165\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/8/2008 8:40:58 PM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
1/8/2008 12:02:14 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/6/2008 12:02:37 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/5/2008 12:22:45 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/4/2008 6:56:03 PM ,~GLH0013.TMP ,Trojan.Dropper ,File ,Quarantined ,MASTER ,Administrator ,C:\Program Files\MahJonggMaster2\Game\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Realtime scan ,
1/4/2008 12:04:25 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/3/2008 12:03:15 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/2/2008 12:02:51 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
1/1/2008 12:02:54 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/31/2007 12:03:31 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/30/2007 12:03:26 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/29/2007 8:55:11 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Administrator ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
12/29/2007 7:50:50 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Manual scan ,
12/29/2007 12:03:34 AM ,gebcc.dll ,Trojan.Vundo ,File ,Left alone ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Infected ,C:\Documents and Settings\Normal Operations\Local Settings\Temp\ ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/13/2007 12:13:55 PM ,was_winosurexe.sht ,Downloader ,File ,Quarantined ,MASTER ,Administrator ,C:\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Manual scan ,
12/12/2007 12:04:26 AM ,ms03011[1].jar ,Compressed file ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\GX23G1IV\,Still contains 3 infected items ,Quarantine,Clean virus from file ,Quarantine infected file,Scheduled scan , ,
12/12/2007 12:04:26 AM ,Installer.class ,Trojan.ByteVerify ,File; Compressed file ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\GX23G1IV\ms03011[1].jar,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/12/2007 12:04:26 AM ,ProxyClassLoader.class ,Downloader ,File; Compressed file ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\GX23G1IV\ms03011[1].jar,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/12/2007 12:04:25 AM ,MagicApplet.class ,Trojan.ByteVerify ,File; Compressed file ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\GX23G1IV\ms03011[1].jar,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/1/2007 12:52:24 AM ,scan[1].htm ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\TA366O9W\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/1/2007 12:51:32 AM ,9_swp[2] ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\TA366O9W\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/1/2007 12:42:00 AM ,scan[2].htm ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\KX2BKTQV\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/1/2007 12:42:00 AM ,scan[1].htm ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\KX2BKTQV\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/1/2007 12:39:04 AM ,4_swp[3] ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\KX2BKTQV\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
12/1/2007 12:39:04 AM ,4_swp[2] ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\KX2BKTQV\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
11/24/2007 12:44:06 AM ,in[1].htm ,Downloader ,File ,Quarantined ,MASTER ,Normal Operations ,C:\Documents and Settings\Normal Operations\Local Settings\Temporary Internet Files\Content.IE5\S1GFKJ8F\ ,Infected ,Quarantine ,Clean virus from file ,Quarantine infected file,Scheduled scan,
11/2/2007 7:21:54 PM ,fa015753 TSAdInstant ,Trojan.Dropper ,File ,Left alone ,MASTER ,SYSTEM ,E:\Program Files\MahJongg\Game\ ,Infected ,E:\Program Files\MahJongg\Game\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,
11/2/2007 7:21:53 PM ,egames.exe ,Trojan.Dropper ,File ,Left alone ,MASTER ,SYSTEM ,C:\Program Files\MahJongg\Game\ ,Infected ,C:\Program Files\MahJongg\Game\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,
10/26/2007 10:39:31 PM ,fa015753 TSAdInstant ,Trojan.Dropper ,File ,Left alone ,MASTER ,SYSTEM ,E:\Program Files\MahJongg\Game\ ,Infected ,E:\Program Files\MahJongg\Game\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,
10/26/2007 10:39:30 PM ,egames.exe ,Trojan.Dropper ,File ,Left alone ,MASTER ,SYSTEM ,C:\Program Files\MahJongg\Game\ ,Infected ,C:\Program Files\MahJongg\Game\ ,Clean virus from file ,Leave alone (log only) ,Manual scan ,


********************************************************************************
************************REGISTRY MECHANIC SCAN LOG******************************
********************************************************************************


----------------------------------------------------------------------------------------------------
Registry Mechanic 5.2.0.310
----------------------------------------------------------------------------------------------------
Start of Scan
1/12/2008 12:01:22 PM
Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2800
MEMORY FREE: 1509664
MEMORY TOTAL: 2096300
VIRTUAL FREE: 2012868
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows 2000 5.0 (Build 2195)

----------------------------------------------------------------------------------------------------
Running processes: Process ID
----------------------------------------------------------------------------------------------------
[System Process] 0
System 8
SMSS.EXE 184
CSRSS.EXE 212
WINLOGON.EXE 232
SERVICES.EXE 260
LSASS.EXE 272
svchost.exe 464
spoolsv.exe 492
defwatch.exe 520
svchost.exe 540
hidserv.exe 556
PDS.EXE 592
rtvscan.exe 640
nvsvc32.exe 704
regsvc.exe 728
RioMSC.exe 740
mstask.exe 760
svcntaux.exe 792
SonyIEx.exe 864
stisvc.exe 896
WinMgmt.exe 928
svchost.exe 948
XFR.EXE 964
MSGSYS.EXE 1024
explorer.exe 1264
CFD.exe 1428
vptray.exe 1440
rundll32.exe 1476
RTHDCPL.EXE 1492
point32.exe 1500
qttask.exe 1520
SDTrayApp.exe 1544
E_FATIBPA.EXE 1548
QuickDCF.exe 1376
Webshots.scr 1536
wuauclt.exe 768
swdsvc.exe 1720
RegMech.exe 656
----------------------------------------------------------------------------------------------------
Sections Scanned:
----------------------------------------------------------------------------------------------------

FX - 2
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bak\OpenWithList
Value : default = blank
Parsed :

----------------------------------------------------------------------------------------------------
Registry Mechanic 5.2.0.310
----------------------------------------------------------------------------------------------------
End of Scan
1/12/2008 12:02:14 PM
Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2800
MEMORY FREE: 1509664
MEMORY TOTAL: 2096300
VIRTUAL FREE: 2012868
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows 2000 5.0 (Build 2195)

********************************************************************************
***********************HIJACK THIS SCAN LOG*************************************
********************************************************************************

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:43:11 PM, on 1/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal

Running processes:
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\ProcessExplorer\procexp.exe
C:\Program Files\HijackThis\Something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p..._CLSID}r={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37483B57-D22A-408E-8997-67914497BCDB} - C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\gebcc.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BS_PopupCatcher\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\E_S9D.tmp" /EF "HKCU"
O4 - HKUS\.DEFAULT\..\RunOnce: [FPVInstaller] C:\Program Files\FinePixViewer\INSTALLGUIDE\InstallGuide5.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FXCDUpdater1] Command.com /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FUJIFILM\FXCDChkr.exe (User 'Default user')
O4 - Startup: Probe2.exe.lnk = C:\Program Files\ASUS\PC Probe II\Probe2.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...b?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&4&04.00.09.13&premium&unknown&http://www.toyota.co...ftback/interactive3d_liftback.html?noreloadredir
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...tivex-2.2.3.0.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SonyIEx - Unknown owner - C:\WINNT\system32\SonyIEx.exe

--
End of file - 5121 bytes

********************************************************************************
***************************HIJACK THIS STARTUP LIST*****************************
********************************************************************************

StartupList report, 1/12/2008, 12:19:11 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HiJackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\HijackThis\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Normal Operations\Start Menu\Programs\Startup]
Probe2.exe.lnk = C:\Program Files\ASUS\PC Probe II\Probe2.exe
Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
vptray = C:\Program Files\NavNT\vptray.exe
NeroFilterCheck = C:\WINNT\system32\NeroCheck.exe
REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
blspcloader = "C:\Program Files\BS_PopupCatcher\BellSouth Internet Tools\blsloader.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SDTray = "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

EPSON Stylus Photo RX580 Series = C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\DOCUME~1\NORMAL~1\LOCALS~1\Temp\E_S9D.tmp" /EF "HKCU"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\UltraEdit.txt\shell\open\command

(Default) = notepad.exe %1

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[MetaStreamCtl Class]
InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Director\SwDir.dll
CODEBASE =
http://fpdownload.ma...director/sw.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE =
http://fpdownload.ma...director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9c.ocx
CODEBASE =
http://download.macr...ash/swflash.cab

[DLM Control]
InProcServer32 = C:\WINNT\DOWNLO~1\DOWNLO~1.OCX
CODEBASE = http://dlm.tools.aka...tivex-2.2.3.0.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 14,484 bytes
Report generated in 0.062 seconds

********************************************************************************
*********************************** FINIS **************************************
********************************************************************************

In advance, much obliged.

Abraham


E-mail message checked by Spyware Doctor (5.5.0.178) Database version: 5.08970 http://www.pctools.com/spyware-doctor/
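The StartupList report above walks the autostart locations that malware of this era commonly abused for persistence (the Winlogon UserInit and Shell values, AppInit_DLLs, the .EXE open command, Browser Helper Objects), and the HijackThis O23 lines mark services whose vendor it could not resolve as "Unknown owner". As an added example, not code from the original post or from HijackThis, the Python script below takes a report in that text format and compares each of those values with its Windows 2000/XP default, reporting anything that deviates. Its input is a constructed fragment, not the poster's log: the UserInit value has a second, hypothetical executable (hypothetical.exe, an invented name) appended after the comma so the check fires, and the SonyIEx service line is copied from the log above.

```python
"""Audit the autostart points a HijackThis StartupList report enumerates.

Added example, not code from the original post or from HijackThis. It reads
a report in StartupList/HijackThis text format and compares each persistence
point with its Windows 2000/XP default.
"""
import re

# Constructed sample input (not the poster's log). Two items are there on
# purpose so the checks have something to report:
#   * UserInit carries a second, hypothetical executable after the comma
#     (hypothetical.exe is an invented name)
#   * the SonyIEx line is the "Unknown owner" service from the thread
SAMPLE_REPORT = r"""
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,C:\WINNT\system32\hypothetical.exe

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

Policies Shell key:

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SonyIEx - Unknown owner - C:\WINNT\system32\SonyIEx.exe
"""

# StartupList prints "*Registry value not found*", "*No BHO's found*" and the
# like when a location is empty; those count as clean.
PLACEHOLDER = re.compile(r"^\*.*\*$")


def userinit_is_default(value):
    # The default is a single entry, userinit.exe, with a trailing comma.
    # Anything appended after that comma runs at every interactive logon.
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return len(parts) == 1 and parts[0].lower().endswith("\\system32\\userinit.exe")


# (label, pattern capturing the value, predicate true when the value is the default)
CHECKS = [
    ("Winlogon UserInit",
     re.compile(r"\bUserInit\s*=\s*([^\n]*)"),
     userinit_is_default),
    ("Shell",
     re.compile(r"\bShell=([^\n]*)"),
     lambda v: v.lower() == "explorer.exe"),
    ("AppInit_DLLs",
     re.compile(r"\bAppInit_DLLs=([^\n]*)"),
     lambda v: v == ""),
    (".EXE open command",
     re.compile(r"File association entry for \.EXE:\n.*?\(Default\) = ([^\n]*)", re.S),
     lambda v: v == '"%1" %*'),
    ("Browser Helper Objects",
     re.compile(r"Enumerating Browser Helper Objects:\n\n(.*?)\n\n-{10,}", re.S),
     lambda v: False),  # any real BHO entry deserves a look; only the placeholder is clean
]

O23_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$", re.M)


def audit_autostarts(report):
    """Return (label, value, status) for every persistence point found.

    status is "ok" for the default or an empty placeholder, "CHECK" for
    anything else, and "missing" when the report lacks the section entirely.
    """
    findings = []
    for label, pattern, is_default in CHECKS:
        matches = list(pattern.finditer(report))
        if not matches:
            findings.append((label, None, "missing"))
            continue
        for m in matches:
            value = m.group(1).strip()
            clean = PLACEHOLDER.match(value) is not None or is_default(value)
            findings.append((label, value, "ok" if clean else "CHECK"))
    return findings


def unknown_owner_services(report):
    """(service name, image path) for O23 lines whose vendor HijackThis could not resolve."""
    return [(name, path)
            for name, owner, path in O23_SERVICE.findall(report)
            if owner == "Unknown owner"]


if __name__ == "__main__":
    for label, value, status in audit_autostarts(SAMPLE_REPORT):
        print(f"[{status:7}] {label}: {value!r}")
    for name, path in unknown_owner_services(SAMPLE_REPORT):
        print(f"[CHECK  ] O23 service, vendor unresolved: {name} -> {path}")
```

Run against a real report, the script only says which locations differ from the stock values; "Unknown owner" means HijackThis found no version-information vendor string in the binary, which is common for small OEM utilities as well as for malware, so each flagged path still has to be looked up and scanned by hand.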
#2 JSntgRvr (Global Moderator, 11,591 posts)
Hi, Abraham3 :)

Welcome.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use on 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" in your next reply.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.


#3 JSntgRvr (Global Moderator, 11,591 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.