

Can't Get Rid Of Trojan.vundo


  • This topic is locked
13 replies to this topic

#1 fitzgera

Posted 01 October 2007 - 07:32 PM

For several days my computer has been bogged down, we keep getting redirected, and Norton, Windows Defender, and Spybot can't get rid of the trojan. I can't even run Spybot most of the time due to floating point errors. I couldn't run Adaware at all for that reason as well. I uninstalled it and attempted to reload it but couldn't do that. Also, my Security Center has been disabled. I am able to restart it using Services.msc after reboot. I really need your help. Here is the HijackThis log. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:39 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qlikewfj.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2474.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://scwp1-central.mnb.gd-ais.com/Intern.../WhlCompMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.11/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/images/logo_sm.gif
O24 - Desktop Component 1: (no name) - http://www.alvinlee.com/alvreading.jpg
O24 - Desktop Component 2: (no name) - http://www.google.com/intl/en/images/logo.gif
O24 - Desktop Component 3: (no name) - http://h03.net/DontLink/ghouls/ANIghoul4.gif

--
End of file - 6520 bytes


#2 amateur, Malware Response Team

Posted 03 October 2007 - 09:12 PM

Hello and welcome to BC.

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply and a fresh HijackThis log please.
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


#3 fitzgera (Topic Starter)

Posted 04 October 2007 - 06:34 AM

Thank you so much for responding.

I had some trouble with ComboFix. Kept getting "Freeware implementation of REG.EXE has encountered a problem and needs to close." This dialog repeatedly would pop up when I tried closing it. So I ran it in Safe mode and it worked well.

The logs for ComboFix and HJT are below.

Note that the Windows Security Center is usually disabled when I log in and Internet Explorer is set to Accept All Cookies. I have to enable the Security Center and change the cookies setting almost every time. I appreciate all your help.

ComboFix 07-10-04.5 - Michael 2007-10-04 6:58:29.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.125 [GMT -4:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-04 06:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 21:48 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-03 21:42 <DIR> d-------- C:\Documents and Settings\Michael\.housecall6.6
2007-10-03 20:32 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-10-03 16:27 77,376 --a------ C:\WINDOWS\SYSTEM32\cxdkojqo.dll
2007-10-03 13:26 77,376 --a------ C:\WINDOWS\SYSTEM32\egdmcayp.dll
2007-10-03 07:22 77,376 --a------ C:\WINDOWS\SYSTEM32\srwltjst.dll
2007-10-02 07:15 77,376 --a------ C:\WINDOWS\SYSTEM32\tdrpifpf.dll
2007-10-02 00:32 87,104 --a------ C:\WINDOWS\SYSTEM32\apyaordy.dll
2007-10-02 00:28 87,104 --a------ C:\WINDOWS\SYSTEM32\lwrupode.dll
2007-10-02 00:28 87,104 --a------ C:\WINDOWS\SYSTEM32\iifuylmf.dll
2007-10-02 00:25 87,104 --a------ C:\WINDOWS\SYSTEM32\ltswowmq.dll
2007-10-02 00:22 87,104 --a------ C:\WINDOWS\SYSTEM32\womulopl.dll
2007-10-02 00:18 87,104 --a------ C:\WINDOWS\SYSTEM32\ctqeecuc.dll
2007-10-02 00:15 87,104 --a------ C:\WINDOWS\SYSTEM32\kfiyreuc.dll
2007-10-02 00:12 87,104 --a------ C:\WINDOWS\SYSTEM32\iwbitlsf.dll
2007-10-02 00:09 87,104 --a------ C:\WINDOWS\SYSTEM32\hibpwlro.dll
2007-10-02 00:07 87,104 --a------ C:\WINDOWS\SYSTEM32\neijekfm.dll
2007-10-02 00:03 87,104 --a------ C:\WINDOWS\SYSTEM32\euhixqic.dll
2007-10-02 00:00 87,104 --a------ C:\WINDOWS\SYSTEM32\nbdjboup.dll
2007-10-01 23:57 87,104 --a------ C:\WINDOWS\SYSTEM32\pcbbohts.dll
2007-10-01 23:55 87,104 --a------ C:\WINDOWS\SYSTEM32\gmaowvga.dll
2007-10-01 23:51 87,104 --a------ C:\WINDOWS\SYSTEM32\heykfgad.dll
2007-10-01 23:48 87,104 --a------ C:\WINDOWS\SYSTEM32\jbvljicv.dll
2007-10-01 23:46 87,104 --a------ C:\WINDOWS\SYSTEM32\opmxmnbe.dll
2007-10-01 23:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-01 23:35 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\PC Tools
2007-10-01 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-01 20:02 87,104 --a------ C:\WINDOWS\SYSTEM32\qlikewfj.dll
2007-09-29 09:25 <DIR> d-------- C:\VundoFix Backups
2007-09-29 09:22 <DIR> d-------- C:\Program Files\VundoFix
2007-09-29 08:10 67,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
2007-09-29 08:10 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-09-29 07:37 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-09-28 07:08 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-27 20:14 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-09-27 20:14 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-09-27 20:13 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-09-27 20:13 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-09-26 23:03 78,620 --a------ C:\WINDOWS\SYSTEM32\nwcvtoxu.dll
2007-09-26 17:37 81,540 --a------ C:\WINDOWS\SYSTEM32\owlxgqrq.dll
2007-09-26 17:06 81,540 --a------ C:\WINDOWS\SYSTEM32\qfrivmnb.dll
2007-09-26 07:15 <DIR> d-------- C:\Program Files\spybotsd15
2007-09-24 23:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\vMW10a
2007-09-24 23:42 <DIR> d-------- C:\Temp\xOe
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\srtspx.sys
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\srtsp.sys
2007-09-12 16:12 <DIR> d-------- C:\Temp
2007-09-08 18:11 79,688 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-09-08 18:11 62,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-09-08 18:11 41,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-09-08 18:11 29,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-09-08 18:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-08 18:11 <DIR> d-------- C:\Documents and Settings\Annemarie\Application Data\PC Tools
2007-09-06 19:27 <DIR> d-------- C:\Program Files\Disney

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 18:36 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-03 16:07 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 16:07 10740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 16:07 --------- d-------- C:\Program Files\Symantec
2007-09-30 13:43 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-27 20:21 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-05 07:12 --------- d-------- C:\Program Files\Spybot - Search & Destroy 1.4
2007-08-14 20:46 13206 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-08-13 16:50 96432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-08-13 16:50 41008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-08-13 16:50 38576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-08-13 16:50 37424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-08-13 16:50 22320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-13 16:50 188464 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-13 16:50 1613 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2007-08-13 16:50 13616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-08-09 20:27 31280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
2007-07-21 15:03 7649240 --a------ C:\Program Files\Windows-KB890830-V1.31.exe
2007-07-01 10:51 2 --a------ C:\Documents and Settings\Michael\Application Data\xxx.exe
2005-12-02 20:57 6910088 --a------ C:\Program Files\MicrosoftAntiSpywareInstall.exe
2005-12-02 18:33 621 --a------ C:\Program Files\Shortcut to Windows-KB890830-V1.10-ENU.lnk
2005-12-02 18:32 1012064 --a------ C:\Program Files\Windows-KB890830-V1.10-ENU.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-09-27 20:19 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 01:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 00:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
"C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ReminderApp"=C:\Program Files\Nova Development\Greeting Card Factory Deluxe 6.0\ReminderApp.exe
"gwiz"=C:\WINDOWS\system32\arpl.exe
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"<NO NAME>"=
"SearchIndexer"=rundll32.exe "C:\WINDOWS\system32\dxmatcds.dll",sitypnow

R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 11:17:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-04 10:24:21 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Michael.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 07:19:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 7:22:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-04 07:22
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:14 AM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\help.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2474.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://scwp1-central.mnb.gd-ais.com/Intern.../WhlCompMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.11/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/images/logo_sm.gif
O24 - Desktop Component 1: (no name) - http://www.alvinlee.com/alvreading.jpg
O24 - Desktop Component 2: (no name) - http://www.google.com/intl/en/images/logo.gif
O24 - Desktop Component 3: (no name) - http://h03.net/DontLink/ghouls/ANIghoul4.gif

--
End of file - 6641 bytes

#4 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 04 October 2007 - 11:33 AM

Hi,

Please disable Windows Defender Real Time Protection as it may interfere with the fix.

To disable Windows Defender:
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Once your log is clean you can re-enable Windows Defender Real Time Protection.

==========================================

Scan with HijackThis and put a checkmark against the following entries:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - AppInit_DLLs:


Close all browsers/windows other than HijackThis and click on "fix checked". Do not reboot if prompted.

=========================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\cxdkojqo.dll
C:\WINDOWS\SYSTEM32\egdmcayp.dll
C:\WINDOWS\SYSTEM32\srwltjst.dll
C:\WINDOWS\SYSTEM32\tdrpifpf.dll
C:\WINDOWS\SYSTEM32\apyaordy.dll
C:\WINDOWS\SYSTEM32\lwrupode.dll
C:\WINDOWS\SYSTEM32\iifuylmf.dll
C:\WINDOWS\SYSTEM32\ltswowmq.dll
C:\WINDOWS\SYSTEM32\womulopl.dll
C:\WINDOWS\SYSTEM32\ctqeecuc.dll
C:\WINDOWS\SYSTEM32\kfiyreuc.dll
C:\WINDOWS\SYSTEM32\iwbitlsf.dll
C:\WINDOWS\SYSTEM32\hibpwlro.dll
C:\WINDOWS\SYSTEM32\neijekfm.dll
C:\WINDOWS\SYSTEM32\euhixqic.dll
C:\WINDOWS\SYSTEM32\nbdjboup.dll
C:\WINDOWS\SYSTEM32\pcbbohts.dll
C:\WINDOWS\SYSTEM32\gmaowvga.dll
C:\WINDOWS\SYSTEM32\heykfgad.dll
C:\WINDOWS\SYSTEM32\jbvljicv.dll
C:\WINDOWS\SYSTEM32\opmxmnbe.dll
C:\WINDOWS\SYSTEM32\qlikewfj.dll
C:\WINDOWS\SYSTEM32\nwcvtoxu.dll
C:\WINDOWS\SYSTEM32\owlxgqrq.dll
C:\WINDOWS\SYSTEM32\qfrivmnb.dll
C:\Documents and Settings\Michael\Application Data\xxx.exe

Folder::
C:\VundoFix Backups
C:\Program Files\VundoFix
C:\WINDOWS\SYSTEM32\vMW10a
C:\Temp\xOe
C:\Program Files\Ebates_MoeMoneyMaker

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"gwiz"=-
"KernelFaultCheck"=-
"<NO NAME>"=-
"SearchIndexer"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.


================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
Click Start > Run, type in appwiz.cpl and press Enter. From the list:
  • Remove all entries J2SE or J2SE Runtime Environment that are listed.
Now reboot your computer.
Download the latest version of Java Runtime Environment, and install it to your computer.

================================

Download the enclosed folder. It contains a program written by Rathat, and it is a policy controller. Save and extract this program to the desktop. Once extracted, click on the RatsCheddar.exe file. Enable everything, then click on Exit.

Warning: This program was developed for Windows XP ONLY. Do not run this program in any other Operating System.

================================

Restart your computer. Post a fresh HijackThis log along with the combofix.txt, please.

Edited by amateur, 04 October 2007 - 11:35 AM.
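
The indicators that the CFScript above targets (an extra entry appended to the SecurityProviders value, a Run value that loads a DLL through rundll32 with an export name, eight-letter randomly named DLLs in system32, and a 2-byte .exe in Application Data) can be triaged mechanically from the logs before deciding what to delete, and the same rules run against the post-fix log verify that the fix took. The Python below is an added example, not part of this thread and not code from ComboFix, HijackThis or the Malware Response Team. The sample inputs are constructed excerpts quoting lines from the logs and the CFScript posted in this thread. Assumptions: the SecurityProviders baseline is the value the CFScript restores, the eight-letter allowlist is an illustrative fragment to be extended per system, and the random-name rule is a triage heuristic only; a hit needs a hash or signature lookup before the file is removed.

```python
import re
from typing import List, Tuple

# Baseline SecurityProviders value: the one the CFScript in this thread restores.
# Vundo appended its own DLL so it would be loaded in winlogon/lsass at boot.
SECURITY_PROVIDER_BASELINE = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Illustrative, incomplete allowlist of genuine eight-letter Windows DLL names so the
# random-name rule does not flag them (assumption: extend this for the system at hand).
KNOWN_EIGHT_LETTER_DLLS = {"setupapi.dll", "iphlpapi.dll", "wintrust.dll",
                           "schannel.dll", "msapsspc.dll"}

# Vundo-style dropper names: eight letters, no digits, dropped in system32.
RANDOM_DLL = re.compile(r"\\system32\\([a-z]{8})\.dll\b", re.IGNORECASE)
# A Run value that starts a DLL through rundll32 with an export name.
RUNDLL_VALUE = re.compile(r'^"[^"]*"=rundll32\.exe\s+"([^"]+)",(\w+)', re.IGNORECASE)
# ComboFix file listing line: date time size attributes path
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+\S+\s+(.+\.exe)$",
                       re.IGNORECASE)
MIN_PE_SIZE = 64  # a PE image cannot be smaller than its 64-byte DOS header

Finding = Tuple[str, str]


def analyze_log(text: str) -> List[Finding]:
    """Return (rule, detail) pairs for every suspicious line in a ComboFix/HJT log excerpt."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Rule 1: anything beyond the known SecurityProviders list is a persistence hook.
        if line.lower().startswith("securityproviders "):
            entries = {e.strip().lower() for e in line.split(" ", 1)[1].split(",")}
            for extra in sorted(entries - SECURITY_PROVIDER_BASELINE):
                findings.append(("securityproviders", extra))
            continue
        # Rule 2: Run value that uses rundll32 to start a DLL export.
        m = RUNDLL_VALUE.match(line)
        if m:
            findings.append(("rundll32-run-value", m.group(1)))
        # Rule 3: non-empty AppInit_DLLs (every user-mode process loads it).
        if line.lower().startswith("o20 - appinit_dlls:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit_dlls", value))
        # Rule 4: an .exe too small to be a valid PE image (the 2-byte xxx.exe).
        m = FILE_LINE.match(line)
        if m and int(m.group(1).replace(",", "")) < MIN_PE_SIZE:
            findings.append(("undersized-exe", m.group(2)))
        # Rule 5: random eight-letter DLL names in system32 (heuristic, verify by hash).
        for m in RANDOM_DLL.finditer(line):
            name = m.group(1).lower() + ".dll"
            if name not in KNOWN_EIGHT_LETTER_DLLS:
                findings.append(("random-name-dll", name))
    return findings


def fix_verified(before: str, after: str) -> bool:
    """True when no indicator seen before the fix survives in the post-fix log."""
    return not (set(analyze_log(before)) & set(analyze_log(after)))


# Constructed excerpt: lines quoted from the logs and CFScript posted earlier in this thread.
BEFORE_FIX = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"gwiz"=C:\WINDOWS\system32\arpl.exe
"SearchIndexer"=rundll32.exe "C:\WINDOWS\system32\dxmatcds.dll",sitypnow
O20 - AppInit_DLLs:
2007-07-01 10:51 2 --a------ C:\Documents and Settings\Michael\Application Data\xxx.exe
2007-09-27 20:13 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
C:\WINDOWS\SYSTEM32\cxdkojqo.dll
"""

# Constructed excerpt: lines from the log posted after the CFScript ran.
AFTER_FIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ReminderApp"=C:\Program Files\Nova Development\Greeting Card Factory Deluxe 6.0\ReminderApp.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"<NO NAME>"=
2007-10-04 06:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 20:13 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
"""

if __name__ == "__main__":
    for rule, detail in analyze_log(BEFORE_FIX):
        print(f"{rule:20s} {detail}")
    print("fix verified:", fix_verified(BEFORE_FIX, AFTER_FIX))
```

The empty result on the post-fix excerpt is the point of the second run: it is the same evidence amateur reads off the new log (no `gwiz`/`SearchIndexer` values, `xxx.exe` gone, and ComboFix no longer printing the SecurityProviders key because it is back to the default). The random-name rule is deliberately the weakest of the five; treat its hits as candidates for lookup, not as a deletion list.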


#5 fitzgera
  • Topic Starter

  • Members
  • 6 posts

Posted 04 October 2007 - 07:13 PM

Thanks again. Things are definitely getting better. One thing though. The J2SE and J2SE Runtime Environment were not in Add/Remove Programs and I couldn't find them to remove. I loaded the updated Java 6.3 which replaced the 6.2 that I loaded Saturday. Here are the ComboFix and HJT logs.

ComboFix 07-10-04.5 - Michael 2007-10-04 18:56:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT -4:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\Michael\Application Data\xxx.exe
C:\WINDOWS\SYSTEM32\apyaordy.dll
C:\WINDOWS\SYSTEM32\ctqeecuc.dll
C:\WINDOWS\SYSTEM32\cxdkojqo.dll
C:\WINDOWS\SYSTEM32\egdmcayp.dll
C:\WINDOWS\SYSTEM32\euhixqic.dll
C:\WINDOWS\SYSTEM32\gmaowvga.dll
C:\WINDOWS\SYSTEM32\heykfgad.dll
C:\WINDOWS\SYSTEM32\hibpwlro.dll
C:\WINDOWS\SYSTEM32\iifuylmf.dll
C:\WINDOWS\SYSTEM32\iwbitlsf.dll
C:\WINDOWS\SYSTEM32\jbvljicv.dll
C:\WINDOWS\SYSTEM32\kfiyreuc.dll
C:\WINDOWS\SYSTEM32\ltswowmq.dll
C:\WINDOWS\SYSTEM32\lwrupode.dll
C:\WINDOWS\SYSTEM32\nbdjboup.dll
C:\WINDOWS\SYSTEM32\neijekfm.dll
C:\WINDOWS\SYSTEM32\nwcvtoxu.dll
C:\WINDOWS\SYSTEM32\opmxmnbe.dll
C:\WINDOWS\SYSTEM32\owlxgqrq.dll
C:\WINDOWS\SYSTEM32\pcbbohts.dll
C:\WINDOWS\SYSTEM32\qfrivmnb.dll
C:\WINDOWS\SYSTEM32\qlikewfj.dll
C:\WINDOWS\SYSTEM32\srwltjst.dll
C:\WINDOWS\SYSTEM32\tdrpifpf.dll
C:\WINDOWS\SYSTEM32\womulopl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Michael\Application Data\xxx.exe
C:\Program Files\VundoFix
C:\Program Files\VundoFix\VundoFix.exe
C:\Temp\xOe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\gjlmhwkv.ini.bad
C:\VundoFix Backups\rhskgysu.ini.bad
C:\VundoFix Backups\usygkshr.dll.bad
C:\VundoFix Backups\vkwhmljg.dll.bad
C:\WINDOWS\SYSTEM32\apyaordy.dll
C:\WINDOWS\SYSTEM32\ctqeecuc.dll
C:\WINDOWS\SYSTEM32\cxdkojqo.dll
C:\WINDOWS\SYSTEM32\egdmcayp.dll
C:\WINDOWS\SYSTEM32\euhixqic.dll
C:\WINDOWS\SYSTEM32\gmaowvga.dll
C:\WINDOWS\SYSTEM32\heykfgad.dll
C:\WINDOWS\SYSTEM32\hibpwlro.dll
C:\WINDOWS\SYSTEM32\iifuylmf.dll
C:\WINDOWS\SYSTEM32\iwbitlsf.dll
C:\WINDOWS\SYSTEM32\jbvljicv.dll
C:\WINDOWS\SYSTEM32\kfiyreuc.dll
C:\WINDOWS\SYSTEM32\ltswowmq.dll
C:\WINDOWS\SYSTEM32\lwrupode.dll
C:\WINDOWS\SYSTEM32\nbdjboup.dll
C:\WINDOWS\SYSTEM32\neijekfm.dll
C:\WINDOWS\SYSTEM32\nwcvtoxu.dll
C:\WINDOWS\SYSTEM32\opmxmnbe.dll
C:\WINDOWS\SYSTEM32\owlxgqrq.dll
C:\WINDOWS\SYSTEM32\pcbbohts.dll
C:\WINDOWS\SYSTEM32\qfrivmnb.dll
C:\WINDOWS\SYSTEM32\qlikewfj.dll
C:\WINDOWS\SYSTEM32\srwltjst.dll
C:\WINDOWS\SYSTEM32\tdrpifpf.dll
C:\WINDOWS\SYSTEM32\vMW10a
C:\WINDOWS\SYSTEM32\womulopl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-04 06:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 21:48 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-03 21:42 <DIR> d-------- C:\Documents and Settings\Michael\.housecall6.6
2007-10-03 20:32 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-10-01 23:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-01 23:35 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\PC Tools
2007-10-01 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-29 08:10 67,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys
2007-09-29 08:10 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-09-29 07:37 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-09-28 07:08 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-27 20:14 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-09-27 20:14 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-09-27 20:13 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-09-27 20:13 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-09-26 07:15 <DIR> d-------- C:\Program Files\spybotsd15
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\srtspx.sys
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\srtsp.sys
2007-09-12 16:12 <DIR> d-------- C:\Temp
2007-09-08 18:11 79,688 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-09-08 18:11 62,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-09-08 18:11 41,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-09-08 18:11 29,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-09-08 18:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-08 18:11 <DIR> d-------- C:\Documents and Settings\Annemarie\Application Data\PC Tools
2007-09-06 19:27 <DIR> d-------- C:\Program Files\Disney

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-04 07:30 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-03 16:07 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 16:07 10740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 16:07 --------- d-------- C:\Program Files\Symantec
2007-09-30 13:43 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-27 20:21 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-05 07:12 --------- d-------- C:\Program Files\Spybot - Search & Destroy 1.4
2007-08-14 20:46 13206 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2007-08-13 16:50 96432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-08-13 16:50 41008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2007-08-13 16:50 38576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-08-13 16:50 37424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-08-13 16:50 22320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-13 16:50 188464 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-13 16:50 1613 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2007-08-13 16:50 13616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-08-09 20:27 31280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
2007-07-21 15:03 7649240 --a------ C:\Program Files\Windows-KB890830-V1.31.exe
2005-12-02 20:57 6910088 --a------ C:\Program Files\MicrosoftAntiSpywareInstall.exe
2005-12-02 18:33 621 --a------ C:\Program Files\Shortcut to Windows-KB890830-V1.10-ENU.lnk
2005-12-02 18:32 1012064 --a------ C:\Program Files\Windows-KB890830-V1.10-ENU.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-04_ 7.21.37.73 )))))))))))))))))))))))))))))))))))))))))
.
----atw 16,384 2007-10-04 23:05:33 C:\WINDOWS\TEMP\Perflib_Perfdata_5e8.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-09-27 20:19 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 01:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 00:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ReminderApp"=C:\Program Files\Nova Development\Greeting Card Factory Deluxe 6.0\ReminderApp.exe
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"<NO NAME>"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 23:08:24 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-04 10:24:21 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Michael.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 19:08:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-04 19:13:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-04 19:12
C:\ComboFix2.txt ... 2007-10-04 07:22
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:37 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2474.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://scwp1-central.mnb.gd-ais.com/Intern.../WhlCompMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.11/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/images/logo_sm.gif
O24 - Desktop Component 1: (no name) - http://www.alvinlee.com/alvreading.jpg
O24 - Desktop Component 2: (no name) - http://www.google.com/intl/en/images/logo.gif
O24 - Desktop Component 3: (no name) - http://h03.net/DontLink/ghouls/ANIghoul4.gif

--
End of file - 6553 bytes

#6 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 04 October 2007 - 08:38 PM

Hi,

Things are definitely getting better.

Glad to hear that. :thumbsup:

One thing though. The J2SE and J2SE Runtime Environment were not in Add/Remove Programs


Did you restart your computer since you updated to 1.6u3? If not, please do so. If yes, check again. I can see JRE 1.6.0_02 running in the log.

=======================

Did you set these yourself?

O24 - Desktop Component 0: (no name) - http://www.google.com/images/logo_sm.gif
O24 - Desktop Component 1: (no name) - http://www.alvinlee.com/alvreading.jpg
O24 - Desktop Component 2: (no name) - http://www.google.com/intl/en/images/logo.gif
O24 - Desktop Component 3: (no name) - http://h03.net/DontLink/ghouls/ANIghoul4.gif

=======================

Go to Start>Control Panel>Add/Remove Programs and, if Kaspersky Online Scanner is present, remove it before downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Or use Firefox with IE-Tab plugin

==========================

Please post a fresh HijackThis log and the Kaspersky report.

#7 fitzgera

fitzgera
  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:50 AM

Posted 05 October 2007 - 07:43 AM

Well, things are really not that great still. Late last night we received the following bogus error message: "500 Internal Server Error - Sorry, something went wrong. A team of highly trained monkeys has been dispathed to deal with the situation ...."

To answer some of your questions:

1.6u3 - I think that's OK now
Desktop Components - No, I don't think we set those.

I really appreciate all your help.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 05, 2007 8:29:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 5/10/2007
Kaspersky Anti-Virus database records: 401532
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 76120
Number of viruses found: 8
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 01:13:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\119b11e147d282c73e6def835a616c2a_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\da9bc10e6ec44a78f5eb1c8ec80817f1_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02192007-214729.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/winstall.exe Infected: Trojan-Downloader.Win32.Small.cpg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu.zip/vtyjmaaa.exe Infected: Trojan.Win32.Zapchast.ca skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu1.zip/vfvkvdph.exe Infected: Trojan.Win32.Zapchast.ca skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu2.zip/puomaaaa.exe Infected: Trojan.Win32.Zapchast.ca skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu3.zip/gfljtaaa.exe Infected: Trojan.Win32.Zapchast.ca skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurlodu3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-10-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{762E41E5-7727-4907-8C5F-7980249CDD55}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{762E41E5-7727-4907-8C5F-7980249CDD55}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9CB3CD38.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F50FC1BE.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\3e021ed8-3533f166.bac_a00120/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\3e021ed8-3533f166.bac_a00120 ZIP: infected - 1 skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\3e021ed8-3533f166.bac_a00120 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\A0147119.exe.bac_a00120 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\A0147121.dll.bac_a00120 Infected: Trojan.Win32.BHO.hj skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\A0147176.exe.bac_a00120 Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\A0147179.dll.bac_a00120 Infected: Trojan.Win32.BHO.hj skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\arr3.jar-53b20018-51257ee3.zip.bac_a00120/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\arr3.jar-53b20018-51257ee3.zip.bac_a00120 ZIP: infected - 1 skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\arr3.jar-53b20018-51257ee3.zip.bac_a00120 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{0B677D79-F7C2-4A0B-81EB-5176982E7156}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{0C2F7C61-86D6-4FDE-ACA7-9AE9B0E31AA7}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{157E1F4E-64C1-47F4-834E-B3335D347BF1}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{49C2BEF8-BDD3-49A3-97D2-2A5C31180EE2}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{64116C6F-A706-4452-98B6-4633976CB210}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{7CCEAF1D-DBA2-4D8C-8609-7154397627F7}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{83F6E3D9-A7C8-419B-AFAB-57707FEF1D4A}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{8BD4E21E-4980-49E6-B4C2-34782459AFAD}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{996C2D79-174E-4346-9429-F70BC8A3B421}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{9973DD09-6936-4E4E-A627-5E984DBF7115}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{9C00A77F-E615-4141-8F28-9D5E6701BD8F}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{9C71F9DD-D2EA-4026-AC10-1267F387504F}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{A7D9D241-95C3-4F28-A092-1E8160457972}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{CF2A2C63-972D-4B2D-A08F-7E83280EC9E0}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{DD270210-754D-4566-B5F3-A072F2D91CC0}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{F6981552-6CA8-4B37-8697-4C0584F5E420}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\.housecall6.6\Quarantine\{F79B6163-0A51-4D3A-8188-C020C2A4B054}.bac_a00120 Infected: Trojan.Win32.Qhost.a skipped
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-3533f166/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-3533f166 ZIP: infected - 1 skipped
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-53b20018-51257ee3.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-53b20018-51257ee3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Michael\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1523\A0146441.exe Infected: Trojan.Win32.VB.bgu skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1525\A0146545.dll Infected: Trojan-Downloader.Win32.Agent.dpq skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1531\A0147190.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1554\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\JET2025.tmp Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_550.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:11 AM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2474.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://scwp1-central.mnb.gd-ais.com/Intern.../WhlCompMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.11/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/images/logo_sm.gif
O24 - Desktop Component 1: (no name) - http://www.alvinlee.com/alvreading.jpg
O24 - Desktop Component 2: (no name) - http://www.google.com/intl/en/images/logo.gif
O24 - Desktop Component 3: (no name) - http://h03.net/DontLink/ghouls/ANIghoul4.gif

--
End of file - 6744 bytes

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:05:50 AM

Posted 05 October 2007 - 08:41 AM

Hi,

That's a weird message. I'll be researching on that one.

Disable Windows Defender again.

Scan with HijackThis and put a checkmark against the following entries:

O24 - Desktop Component 0: (no name) - http://www.google.com/images/logo_sm.gif
O24 - Desktop Component 1: (no name) - http://www.alvinlee.com/alvreading.jpg
O24 - Desktop Component 2: (no name) - http://www.google.com/intl/en/images/logo.gif
O24 - Desktop Component 3: (no name) - http://h03.net/DontLink/ghouls/ANIghoul4.gif

Close all browsers/windows other than HijackThis and click on "fix checked".

====================================

Open SpyBot Search & Destroy
Click on Recovery button
Highlight all items
Select Purge selected items

====================================

Please empty the quarantine folder of TrendMicro Housecall

C:\Documents and Settings\Michael\.housecall6.6\Quarantine

====================================

Please go to Control Panel > Java -or- Java Plugin > General tab > Temporary Internet Files > Delete Files:
Checkmark all 3 options
Click "OK"

If those settings are different, the "Clear Cache" option might be under the "Cache" tab instead.

====================================

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

===================================

Restart your computer and try another online scanner.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
=================================

Please post back a fresh HijackThis log and the Dr.Web CureIt report.

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:05:50 AM

Posted 05 October 2007 - 04:05 PM

That error message appears to be a bug with some servers, not something related to your machine.

http://rip747.wordpress.com/2007/07/11/you...-error-message/
http://news.softpedia.com/news/Freaky-YouT...ror-50879.shtml
http://my.opera.com/devblog/blog/2007/08/30/my-opera-outage

#10 fitzgera

fitzgera
  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:50 AM

Posted 05 October 2007 - 07:39 PM

Thanks again. Here are the logs.

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;;
qdiagd.ocx;C:\Program Files\DellSupport;Probably DLOADER.Trojan;;
A0146441.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1523;BackDoor.Generic.1601;;
A0147190.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1531;Trojan.EzulaAd;;
runos.exe;C:\WINDOWS;Trojan.MulDrop.4313;;


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:46 PM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Extern/RoadRunner...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2474.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://scwp1-central.mnb.gd-ais.com/Intern.../WhlCompMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.29.11/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{02D5CC6D-6F71-4269-9564-50B35380AEEA}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6386 bytes
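
The five Dr.Web CureIt lines at the top of this post are in the tool's semicolon-separated report layout (file name; folder; verdict; two empty fields). The following is an added example, not code from the thread or from Dr.Web, that parses such a report and sorts each finding the way the helper does in the reply that follows: entries under System Volume Information are old restore points (handled by purging System Restore rather than by hand), entries whose verdict starts with "Probably" are assumed here to be heuristic detections that deserve a second look before deletion, and everything else is a concrete file to remove. The report text is the poster's own lines, embedded as constructed sample input; the function names and the three category labels are my own.

```python
import csv
import io
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the report lines the poster pasted above,
# in Dr.Web CureIt's "name;folder;verdict;;" layout (assumed from those lines).
SAMPLE_REPORT = r"""
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;;
qdiagd.ocx;C:\Program Files\DellSupport;Probably DLOADER.Trojan;;
A0146441.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1523;BackDoor.Generic.1601;;
A0147190.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1531;Trojan.EzulaAd;;
runos.exe;C:\WINDOWS;Trojan.MulDrop.4313;;
""".strip()

RESTORE_PREFIX = r"c:\system volume information\""[:-1]  # compare case-insensitively
HEURISTIC_PREFIX = "Probably "  # assumption: Dr.Web's prefix for heuristic verdicts


@dataclass
class Finding:
    name: str
    folder: str
    verdict: str
    category: str  # "restore_point", "heuristic" or "delete"

    @property
    def path(self) -> str:
        # ntpath joins with a backslash even when this script runs on Linux.
        return ntpath.join(self.folder, self.name)


def classify(folder: str, verdict: str) -> str:
    """Decide how a single report row should be handled."""
    if folder.lower().startswith(RESTORE_PREFIX):
        return "restore_point"  # cleared by the System Restore purge step
    if verdict.startswith(HEURISTIC_PREFIX):
        return "heuristic"  # review before acting; not an automatic delete
    return "delete"


def parse_report(text: str) -> List[Finding]:
    """Parse a Dr.Web CureIt report into Finding records, skipping blank lines."""
    findings = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 3 or not row[0]:
            continue
        name, folder, verdict = row[0].strip(), row[1].strip(), row[2].strip()
        findings.append(Finding(name, folder, verdict, classify(folder, verdict)))
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Full paths of findings that call for manual deletion."""
    return [f.path for f in findings if f.category == "delete"]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per handling category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for f in parsed:
        print(f"{f.category:14} {f.verdict:28} {f.path}")
    print("manual deletions:", files_to_delete(parsed))
```

Run against the sample, the only path left in the manual-deletion list is C:\WINDOWS\runos.exe, which matches the helper's conclusion below; the two restore-point hits are dealt with by the System Restore purge and the two "Probably" verdicts are flagged for review rather than deleted blindly.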

#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:05:50 AM

Posted 05 October 2007 - 08:28 PM

Hi,

The logs are clean. There is only one item in the Dr.Web CureIt log that needs to be deleted:

Using Windows Explorer (right click on Start, click on Explore) locate and delete the following file:

C:\WINDOWS\runos.exe

Let me know if you run into any problem deleting it.

===========================

Please delete Combofix and Dr.Web CureIt from your desktop.

Also delete the following folder:

C:\QooBox

and empty the recycle bin.

===========================

Create a new System Restore point to prevent reinfection from old restore points.

Go to Start>Run and type sysdm.cpl. Press Enter
  • Select the System Restore Tab
  • Place a check in "Turn off System Restore on all drives"
  • Click Apply
  • Next, uncheck the same checkbox.
  • Click Apply
  • Click OK
You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

==================================================

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here.
If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing! :thumbsup:

#12 fitzgera

fitzgera
  • Topic Starter

  • Members
  • 6 posts
  • Local time:05:50 AM

Posted 06 October 2007 - 07:38 AM

Thank you so much for all your help. It is amazing how much work is required to clean it up. I learned a lot and hope to be able to get rid of the malware myself next time. Hopefully that won't be necessary. If I ever need help again, I'll be back here. You guys are great.

Thanks!

#13 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:05:50 AM

Posted 06 October 2007 - 07:49 AM

You're welcome. Glad we could help. Stay Safe! :thumbsup:

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:05:50 AM

Posted 08 October 2007 - 06:49 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.

