Infected Computer - Please Help


  • This topic is locked
7 replies to this topic

#1 golfguy


  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 08 October 2007 - 06:05 PM

Here is the log from Hijack this. What do I do?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:24 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\uddews.exe
C:\WINDOWS\system32\sdvcdos.exe
C:\WINDOWS\system32\ddesam.exe
C:\WINDOWS\system32\sdrsrt.exe
C:\WINDOWS\system32\capxzkzr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
C:\Program Files\Fore! Reservations\4reserve.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: HelloWorldBHO - {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} - C:\Program Files\Microsoft Help\Microsoft.System.Help.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\_svchost.exe
O4 - HKLM\..\Run: [belmande] update255.exe
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKLM\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKLM\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKLM\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKLM\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKLM\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKCU\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKCU\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKCU\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKCU\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .lnk = C:\WINDOWS\system32\msmapibx32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187365981515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svchost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7342 bytes
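A small triage script for the HijackThis log format posted above, added here as an example (it is not part of the thread and not HijackThis code). It parses the O2, O4 and O23 line formats exactly as they appear in the log and flags the patterns a helper looks for: BHOs whose DLL is gone, Run values given as a bare filename, the same Run value registered under both HKLM and HKCU, binaries named to look like a Windows system process, a startup shortcut with no name, and a service with an unknown owner. The flag names and heuristics are this example's own assumptions; the sample input is a subset of the log above.

```python
"""Triage helper for Trend Micro HijackThis v2 logs (added example, not HijackThis code).

Parses the O2 (BHO), O4 (autostart) and O23 (service) line formats seen in the log and
flags the patterns a helper reads such a log for. Flag names, heuristics and the sample
below (lines copied from the thread's log) are this example's own assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.*?) = (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")

# Windows process names malware likes to imitate; a near miss such as "_svchost"
# (a real name with extra characters) deserves a second look.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer", "smss"}


@dataclass
class Entry:
    section: str      # "O2", "O4" or "O23"
    hive: str         # HKLM / HKCU / Startup / Global Startup for O4, "" otherwise
    name: str         # BHO name, Run value name, shortcut name or service name
    owner: str        # service owner for O23, "" otherwise
    target: str       # path exactly as written in the log
    flags: list = field(default_factory=list)


def executable_path(target: str) -> str:
    """Drop surrounding quotes and trailing arguments: '"C:\\x\\a.exe" /bg' -> 'C:\\x\\a.exe'."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target


def parse(log_text: str) -> list:
    """Turn O2/O4/O23 lines into Entry objects; every other line of the log is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", "", m["name"], "", m["target"]))
        elif m := O4_RUN_RE.match(line) or O4_LNK_RE.match(line):
            entries.append(Entry("O4", m["hive"], m["name"], "", m["target"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", "", m["name"], m["owner"], m["target"]))
    return entries


def triage(log_text: str) -> list:
    """Parse the log and attach flag strings to the entries that deserve attention."""
    entries = parse(log_text)
    # The same Run value name under both HKLM and HKCU is unusual for legitimate software.
    hives_by_name = defaultdict(set)
    for e in entries:
        if e.section == "O4" and e.hive in ("HKLM", "HKCU"):
            hives_by_name[e.name].add(e.hive)
    for e in entries:
        path = executable_path(e.target)
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        if e.section == "O2" and (path == "(no file)" or path.endswith("(file missing)")):
            e.flags.append("orphaned-bho")        # CLSID still registered, DLL gone
        if e.section == "O4" and e.hive in ("HKLM", "HKCU"):
            if not ntpath.dirname(path):
                e.flags.append("bare-filename")   # found by PATH search, not a fixed location
            if hives_by_name[e.name] == {"HKLM", "HKCU"}:
                e.flags.append("dual-hive")
        if e.section == "O4" and e.hive.endswith("Startup") and not e.name.replace(".lnk", "").strip():
            e.flags.append("unnamed-shortcut")    # a shortcut whose whole name is ".lnk"
        if stem not in SYSTEM_NAMES and any(s in stem for s in SYSTEM_NAMES):
            e.flags.append("system-name-lookalike")
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            e.flags.append("unknown-service-owner")
    return entries


# A subset of the HijackThis log posted above, used as the sample input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\system32\_svchost.exe
O4 - HKLM\..\Run: [belmande] update255.exe
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - Startup: .lnk = C:\WINDOWS\system32\msmapibx32.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svchost.exe
"""

if __name__ == "__main__":
    for e in (x for x in triage(SAMPLE_LOG) if x.flags):
        print(f"{e.section:<3} {e.hive:<7} [{e.name}] {e.target}  ->  {', '.join(e.flags)}")
```

Flags are hints for a human reviewer, not verdicts: a bare filename or an odd name is a reason to look the file up, not proof that it is malicious.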



#2 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:03:13 AM

Posted 09 October 2007 - 04:26 PM

Hello golfguy and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Step #2

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Step #3

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

In your next post please include the following reports:
  • SDFix report
  • Combofix report
  • New HijackThis log (run after ComboFix has finished its work.)
Let me know how things went.

Regards,
SNOWHITE

#3 golfguy

  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 11 October 2007 - 11:42 AM

WOW! Seems to be working better now! Here are the logs:


SDFix: Version 1.108

Run by Dave on Thu 10/11/2007 at 11:03 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft Internet Explorer

ImagePath:
C:\WINDOWS\system32\_svchost.exe -A

Microsoft Internet Explorer - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\msvb.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\sysdx.dll - Deleted
C:\WINDOWS\system32\delFSF.bat - Deleted
C:\WINDOWS\system32\RunOnce3.t__ - Deleted
C:\WINDOWS\system32\sipov.dll - Deleted
C:\WINDOWS\wpcjmd.log - Deleted
C:\WINDOWS\wsremover.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted


Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\capxzkzr.exe"="C:\\WINDOWS\\system32\\capxzkzr.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\capxzkzr.exe"="C:\\WINDOWS\\system32\\capxzkzr.exe:*:Enabled:Server"

Remaining Files:
---------------
catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 11:06:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden files ...

C:\WINDOWS\system32\drivers\Cwdw77.sys

scan completed successfully
hidden files: 1


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Aug 2004 47,380 ..SHR --- "C:\WINDOWS\system32\capxzkzr.exe"
Wed 4 Aug 2004 76,353 ..SHR --- "C:\WINDOWS\system32\ddesam.exe"
Wed 4 Aug 2004 72,373 ..SHR --- "C:\WINDOWS\system32\dtesmcd.exe"
Wed 4 Aug 2004 70,793 ..SHR --- "C:\WINDOWS\system32\sdrsrt.exe"
Wed 4 Aug 2004 74,455 ..SHR --- "C:\WINDOWS\system32\sdvcdos.exe"
Wed 4 Aug 2004 89,172 ..SHR --- "C:\WINDOWS\system32\sysgkooi.exe"
Wed 4 Aug 2004 76,360 ..SHR --- "C:\WINDOWS\system32\uddews.exe"
Sat 6 Oct 2007 0 A..H. --- "C:\Documents and Settings\WildRidge Bar\Local Settings\Temp\BIT54.tmp"
Wed 8 Aug 2007 85,946 A..H. --- "C:\Documents and Settings\WildRidge Bar\Local Settings\Temp\BITC2.tmp"
Sat 6 Oct 2007 0 A..H. --- "C:\Documents and Settings\WildRidge Bar\Local Settings\Temp\BITC6.tmp"

Finished!

ComboFix 07-10-11.8 - Dave 2007-10-11 11:24:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239 [GMT -5:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0.exe
C:\0.exe
C:\Documents and Settings\Dave\Start Menu\Programs\Startup\.lnk
C:\Documents and Settings\Wild Ridge Bar II\Desktop\Error Cleaner.url
C:\Documents and Settings\Wild Ridge Bar II\Desktop\Privacy Protector.url
C:\Documents and Settings\Wild Ridge Bar II\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Wild Ridge Bar II\Start Menu\Programs\Startup\.lnk
C:\Documents and Settings\WildRidge Bar\Desktop\Error Cleaner.url
C:\Documents and Settings\WildRidge Bar\Desktop\Privacy Protector.url
C:\Documents and Settings\WildRidge Bar\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\WildRidge Bar\Start Menu\Programs\Startup\.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Microsoft Help\Microsoft.System.Help.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\CWDW77.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msmapibx32.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\tsitra801.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\wpcjmd.log
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CWDW77


((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-11 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-11 11:08 76,353 --a------ C:\WINDOWS\qadewfr.exe
2007-10-11 11:08 70,793 --a------ C:\WINDOWS\htygtywe.exe
2007-10-11 11:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-10 21:23 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-10-10 10:05 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 19:32 76,360 --a------ C:\WINDOWS\huyrtvfe.exe
2007-10-09 19:32 74,455 --a------ C:\WINDOWS\reefcdsf.exe
2007-10-08 17:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 15:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-08 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 12:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 10:11 72,373 --a------ C:\WINDOWS\vdfgdsds.exe
2007-10-08 10:11 47,380 --a------ C:\WINDOWS\nhgvrdsty.exe
2007-10-08 10:03 212,992 --a------ C:\WINDOWS\system32\update288.exe
2007-10-08 10:03 58,368 --a------ C:\WINDOWS\system32\update289.exe
2007-10-07 01:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-06 23:58 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-10-06 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-06 11:37 <DIR> d-------- C:\Program Files\SystemDefender
2007-10-06 11:29 <DIR> d-------- C:\Program Files\Microsoft Help
2007-10-06 11:28 35,887 --a------ C:\WINDOWS\system32\update246.exe
2007-10-06 10:39 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-06 10:08 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-05 18:11 20,992 --a------ C:\WINDOWS\system32\update281.exe
2007-10-05 18:05 <DIR> d-------- C:\Program Files\Temporary
2007-10-05 17:54 20,992 --a------ C:\WINDOWS\system32\update177.exe
2007-10-05 17:53 113,152 --a------ C:\WINDOWS\system32\update176.exe
2007-10-05 17:53 19,456 --a------ C:\WINDOWS\system32\update125.exe
2007-10-05 17:52 7,680 --a------ C:\WINDOWS\system32\_svchost.exe
2007-10-05 17:52 7,680 --a------ C:\Documents and Settings\WildRidge Bar\ie_update3r.exe
2007-10-03 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-03 09:48 3,584 --a------ C:\WINDOWS\system32\drivers\ohbusb.sys
2007-09-19 15:55 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\MySpace
2007-09-19 11:00 <DIR> d-------- C:\Program Files\MySpace
2007-09-19 11:00 <DIR> d-------- C:\Documents and Settings\WildRidge Bar\Application Data\MySpace
2007-09-13 22:14 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 16:08 3,584 ----a-w C:\WINDOWS\system32\drivers\ohbusb.syt
2007-10-11 15:57 --------- d-----w C:\Program Files\Fore! Reservations
2007-10-11 01:51 --------- d-----w C:\Documents and Settings\WildRidge Bar\Application Data\U3
2007-10-10 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-10 00:31 --------- d-----w C:\Documents and Settings\Dave\Application Data\U3
2007-10-08 20:54 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-08 20:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-07 06:06 7,168 ----a-w C:\WINDOWS\system32\drivers\1031ABF5-B208-4712-AAAA-D79577273835.cxv
2007-10-07 05:10 8,192 ----a-w C:\WINDOWS\system32\drivers\2DF6A7B7-E4D5-4099-834D-5FD5735FD159.cxv
2007-09-08 13:20 --------- d-----w C:\Documents and Settings\WildRidge Bar\Application Data\AdobeUM
2007-08-27 15:13 --------- d-----w C:\Documents and Settings\Wild Ridge Bar II\Application Data\MSN6
2007-08-27 15:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-20 17:58 --------- d-----w C:\Program Files\Google
2007-08-17 17:51 --------- d-----w C:\Program Files\Crystal Decisions
2007-08-17 17:51 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2007-08-17 17:42 --------- d-----w C:\Program Files\Dell 720
2007-08-17 17:40 --------- d-----w C:\Program Files\MicroTouch
2007-08-17 16:53 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-17 16:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-08-17 16:22 --------- d-----w C:\Program Files\Common Files\L&H
2007-08-17 16:09 --------- d-----w C:\Program Files\Symantec
2007-08-17 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-17 15:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-17 15:22 --------- d-----w C:\Program Files\Intel
2007-08-17 15:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-17 15:19 --------- d-----w C:\Program Files\Analog Devices
2007-08-17 15:04 --------- d-----w C:\Program Files\microsoft frontpage
2004-08-04 05:56:50 47,380 --sh--r C:\WINDOWS\system32\capxzkzr.exe
2004-08-04 05:56:50 76,353 --sh--r C:\WINDOWS\system32\ddesam.exe
2004-08-04 05:56:50 72,373 --sh--r C:\WINDOWS\system32\dtesmcd.exe
2004-08-04 05:56:50 70,793 --sh--r C:\WINDOWS\system32\sdrsrt.exe
2004-08-04 05:56:50 74,455 --sh--r C:\WINDOWS\system32\sdvcdos.exe
2004-08-04 05:56:50 89,172 --sh--r C:\WINDOWS\system32\sysgkooi.exe
2004-08-04 05:56:50 76,360 --sh--r C:\WINDOWS\system32\uddews.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"tresiod"="C:\WINDOWS\system32\dtesmcd.exe" [2004-08-04 00:56]
"fsdmccd"="C:\WINDOWS\system32\uddews.exe" [2004-08-04 00:56]
"gerscme"="C:\WINDOWS\system32\sdvcdos.exe" [2004-08-04 00:56]
"verdds"="C:\WINDOWS\system32\ddesam.exe" [2004-08-04 00:56]
"stdvcxs"="C:\WINDOWS\system32\sdrsrt.exe" [2004-08-04 00:56]
"cdnswfs"="C:\WINDOWS\system32\capxzkzr.exe" [2004-08-04 00:56]
"mnicsev"="sysgkooi.exe" [2004-08-04 00:56 C:\WINDOWS\system32\sysgkooi.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-20 12:58]
"belmande"="update255.exe" []
"tresiod"="C:\WINDOWS\system32\dtesmcd.exe" [2004-08-04 00:56]
"fsdmccd"="C:\WINDOWS\system32\uddews.exe" [2004-08-04 00:56]
"gerscme"="C:\WINDOWS\system32\sdvcdos.exe" [2004-08-04 00:56]
"verdds"="C:\WINDOWS\system32\ddesam.exe" [2004-08-04 00:56]
"stdvcxs"="C:\WINDOWS\system32\sdrsrt.exe" [2004-08-04 00:56]
"cdnswfs"="C:\WINDOWS\system32\capxzkzr.exe" [2004-08-04 00:56]
"mnicsev"="sysgkooi.exe" [2004-08-04 00:56 C:\WINDOWS\system32\sysgkooi.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-20 12:58:49]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
TouchWare Monitor.lnk - C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe [2007-08-17 12:40:22]

R2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohbusb.sys
R3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
R3 MtsTch;TouchWare Service;C:\WINDOWS\system32\DRIVERS\MtsUsb.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 11:31:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 11:34:27 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:59 AM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\uddews.exe
C:\WINDOWS\system32\sdvcdos.exe
C:\WINDOWS\system32\ddesam.exe
C:\WINDOWS\system32\sdrsrt.exe
C:\WINDOWS\system32\capxzkzr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKLM\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKLM\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKLM\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKLM\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKLM\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKLM\..\Run: [mnicsev] sysgkooi.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKCU\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKCU\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKCU\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKCU\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKCU\..\Run: [mnicsev] sysgkooi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187365981515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6783 bytes


Let me know how it looks! Thank you!
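A small triage script for logs in this format, added here as an example and not part of the thread or of HijackThis itself. It runs over a handful of constructed lines modelled on the log above and flags three things a helper looks for first: O2 BHO entries whose DLL is gone ("(no file)", a CLSID still registered with nothing behind it), O4 Run values that name a bare file with no directory (such as "update255.exe", which Windows has to locate by searching the PATH), and Run names registered with the same target in more than one hive. The regular expressions and the finding names are the example's own assumptions about the log layout; the flags mark entries for review, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in HijackThis v2 log format, modelled on the
# kinds of entries seen in the log above (this is not the full posted log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Assumed line shapes: "O2 - BHO: <name> - {CLSID} - <dll or (no file)>" and
# "O4 - <hive>\..\Run: [<value name>] <command>"; HKUS lines carry a SID after the hive.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path when the value
    starts with a quote, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> dict:
    """Flag orphaned BHOs, path-less Run values and Run names present in several hives."""
    orphan_bho = []          # CLSIDs registered as BHOs with no DLL on disk
    bare_run = []            # (hive, value name, exe) where exe has no directory
    hives_by_target = defaultdict(set)   # (value name, exe) -> hives that carry it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m.group("target") == "(no file)":
                orphan_bho.append(m.group("clsid"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive = m.group("hive").split("\\")[0]      # HKLM / HKCU / HKUS
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:
                bare_run.append((hive, m.group("name"), exe))
            hives_by_target[(m.group("name"), exe.lower())].add(hive)
    multi_hive = {name: sorted(h) for (name, _), h in hives_by_target.items() if len(h) > 1}
    return {"orphan_bho": orphan_bho,
            "bare_filename_run": bare_run,
            "multi_hive_run": multi_hive}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

On the sample this reports one orphaned BHO, "belmande" as a Run value with no path, and "tresiod" registered in both HKLM and HKCU; on the full log above the same three checks would light up every one of the randomly named system32 entries.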

#4 SNOWHITE


Posted 11 October 2007 - 02:48 PM

Hello golfguy,

One or more of the identified infections are capable of opening a backdoor and of monitoring your computer by taking screenshots and keeping key logs, including chats, e-mails and web sites visited; it communicates with web sites using httpout protocols and has outbound communications.

Read here : http://fileinfo.prevx.com/adware/qqbda1103...ADEWFR.EXE.html

Also, are you aware of this program, AceSpy? More info here -> http://www.acespy.com/ http://www.spywareguide.com/spydet_656_acespy.html
Have you installed it?

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

More info can be found here:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


Should you have any questions, please feel free to ask.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\update246.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\update177.exe
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update125.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\sdrsrt.exe
C:\WINDOWS\system32\sdvcdos.exe
C:\WINDOWS\system32\uddews.exe
C:\Documents and Settings\WildRidge Bar\ie_update3r.exe

Folder::
C:\WINDOWS\SxsCaPendDel
C:\WINDOWS\system32\acespy
C:\Program Files\Temporary
C:\Program Files\SystemDefender

Suspect::[29]
C:\WINDOWS\system32\drivers\ohbusb.sys
C:\WINDOWS\system32\drivers\ohbusb.syt
C:\WINDOWS\system32\drivers\1031ABF5-B208-4712-AAAA-D79577273835.cxv
C:\WINDOWS\system32\drivers\2DF6A7B7-E4D5-4099-834D-5FD5735FD159.cxv

Collect::[29]
C:\WINDOWS\qadewfr.exe
C:\WINDOWS\htygtywe.exe
C:\WINDOWS\huyrtvfe.exe
C:\WINDOWS\reefcdsf.exe
C:\WINDOWS\vdfgdsds.exe
C:\WINDOWS\nhgvrdsty.exe
C:\WINDOWS\system32\update288.exe
C:\WINDOWS\system32\update289.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\capxzkzr.exe
C:\WINDOWS\system32\ddesam.exe
C:\WINDOWS\system32\sysgkooi.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[-HKEY_CLASSES_ROOT\CLSID\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_CLASSES_ROOT\CLSID\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_CLASSES_ROOT\CLSID\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_CLASSES_ROOT\CLSID\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_CLASSES_ROOT\CLSID\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_CLASSES_ROOT\CLSID\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_CLASSES_ROOT\CLSID\{e9306072-417e-43e3-81d5-369490beef7c}]


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Step #2

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Step #3

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Post the following reports/logs into your next reply:
  • Combofix.txt
  • AVG Anti-Spyware report
  • A new HijackThis log (run after AVG Anti-Spyware has finished its work.)
  • Uninstall list
Let me know how things went.

Regards,

Edited by SNOWHITE, 11 October 2007 - 02:52 PM.

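A check for after Step #1, added here as an example; it is not part of the post, nor of ComboFix. A CFScript is a plain text file of "Section::" headers followed by one path or registry key per line, and ComboFix echoes what it removed under an "Other Deletions" banner in its log (as in the log posted later in this thread). The script below parses the CFScript sections, collects the paths printed under that banner, and reports which File:: and Folder:: entries were confirmed deleted and which were not, so nothing is assumed to be gone just because it was listed. Both inputs are constructed excerpts: the CFScript is a subset of the one above, and the log omits one requested file on purpose to show a "missing" result (in the actual thread ComboFix reported every File:: entry removed). Suspect:: and Collect:: entries are reported separately because those directives submit files for analysis rather than plain deletion; that split is the example's own assumption about the directive semantics.

```python
import re

# Constructed sample CFScript: a subset of the script in the post above.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\update246.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\Documents and Settings\WildRidge Bar\ie_update3r.exe

Folder::
C:\WINDOWS\system32\acespy
C:\Program Files\SystemDefender

Suspect::[29]
C:\WINDOWS\system32\drivers\ohbusb.sys

Collect::[29]
C:\WINDOWS\qadewfr.exe
C:\WINDOWS\system32\sysgkooi.exe

Registry::
[-HKEY_CLASSES_ROOT\CLSID\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
"""

# Constructed excerpt of a ComboFix log; update246.exe is deliberately left out
# of "Other Deletions" so the report below has something to flag.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WildRidge Bar\ie_update3r.exe
C:\Program Files\SystemDefender
C:\WINDOWS\qadewfr.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\sysgkooi.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.
2007-10-03 09:48 3,584 --a------ C:\WINDOWS\system32\drivers\ohbusb.sys
"""

# A section header is "Name::" optionally followed by a bracketed number, e.g. "Suspect::[29]".
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::(?:\[\d+\])?$")


def parse_cfscript(text: str) -> dict:
    """Map each CFScript section name to the list of entries under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def deletions_in_log(text: str) -> set:
    """Paths listed under the 'Other Deletions' banner, up to the next banner (case-folded)."""
    deleted, in_section = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("((((") and line.endswith("))))"):
            in_section = "Other Deletions" in line   # banners delimit log sections
            continue
        if in_section and line and line != ".":
            deleted.add(line.lower())
    return deleted


def verify_deletions(script_text: str, log_text: str) -> dict:
    """Compare File::/Folder:: requests against what the log says was deleted."""
    sections = parse_cfscript(script_text)
    deleted = deletions_in_log(log_text)
    requested = sections.get("File", []) + sections.get("Folder", [])
    return {
        "confirmed": [p for p in requested if p.lower() in deleted],
        "missing": [p for p in requested if p.lower() not in deleted],
        # Submitted for analysis, not checked here: verify these separately.
        "submitted": sections.get("Suspect", []) + sections.get("Collect", []),
    }


if __name__ == "__main__":
    for key, paths in verify_deletions(CFSCRIPT, COMBOFIX_LOG).items():
        print(key)
        for p in paths:
            print("   ", p)
```

Anything under "missing" is the list to carry into the next reply: the file either was not present, was locked, or came back, and each case needs a different follow-up.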

#5 golfguy


Posted 11 October 2007 - 05:10 PM

ok, here it is:

ComboFix 07-10-11.8 - Dave 2007-10-11 15:04:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT -5:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\WildRidge Bar\ie_update3r.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\sdrsrt.exe
C:\WINDOWS\system32\sdvcdos.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\uddews.exe
C:\WINDOWS\system32\update125.exe
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update177.exe
C:\WINDOWS\system32\update246.exe
C:\WINDOWS\system32\update281.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WildRidge Bar\ie_update3r.exe
C:\Program Files\SystemDefender
C:\Program Files\Temporary
C:\WINDOWS\htygtywe.exe
C:\WINDOWS\huyrtvfe.exe
C:\WINDOWS\nhgvrdsty.exe
C:\WINDOWS\qadewfr.exe
C:\WINDOWS\reefcdsf.exe
C:\WINDOWS\SxsCaPendDel
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\capxzkzr.exe
C:\WINDOWS\system32\ddesam.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\sdrsrt.exe
C:\WINDOWS\system32\sdvcdos.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sysgkooi.exe
C:\WINDOWS\system32\uddews.exe
C:\WINDOWS\system32\update125.exe
C:\WINDOWS\system32\update176.exe
C:\WINDOWS\system32\update177.exe
C:\WINDOWS\system32\update246.exe
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\update288.exe
C:\WINDOWS\system32\update289.exe
C:\WINDOWS\vdfgdsds.exe
C:\WINDOWS\wpcjmd.log

.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-11 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-11 11:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-10 21:23 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-10-10 10:05 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 17:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-08 15:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-08 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 12:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-08 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-08 12:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-06 23:58 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-10-06 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-10-06 11:29 <DIR> d-------- C:\Program Files\Microsoft Help
2007-10-03 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-03 09:48 3,584 --a------ C:\WINDOWS\system32\drivers\ohbusb.sys
2007-09-19 15:55 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\MySpace
2007-09-19 11:00 <DIR> d-------- C:\Program Files\MySpace
2007-09-19 11:00 <DIR> d-------- C:\Documents and Settings\WildRidge Bar\Application Data\MySpace
2007-09-13 22:14 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 16:08 3,584 ----a-w C:\WINDOWS\system32\drivers\ohbusb.syt
2007-10-11 15:57 --------- d-----w C:\Program Files\Fore! Reservations
2007-10-11 01:51 --------- d-----w C:\Documents and Settings\WildRidge Bar\Application Data\U3
2007-10-10 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-10 00:31 --------- d-----w C:\Documents and Settings\Dave\Application Data\U3
2007-10-08 20:54 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-08 20:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-07 06:06 7,168 ----a-w C:\WINDOWS\system32\drivers\1031ABF5-B208-4712-AAAA-D79577273835.cxv
2007-10-07 05:10 8,192 ----a-w C:\WINDOWS\system32\drivers\2DF6A7B7-E4D5-4099-834D-5FD5735FD159.cxv
2007-09-08 13:20 --------- d-----w C:\Documents and Settings\WildRidge Bar\Application Data\AdobeUM
2007-08-27 15:13 --------- d-----w C:\Documents and Settings\Wild Ridge Bar II\Application Data\MSN6
2007-08-27 15:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 17:58 --------- d-----w C:\Program Files\Google
2007-08-17 17:51 --------- d-----w C:\Program Files\Crystal Decisions
2007-08-17 17:51 --------- d-----w C:\Program Files\Common Files\Crystal Decisions
2007-08-17 17:42 --------- d-----w C:\Program Files\Dell 720
2007-08-17 17:40 --------- d-----w C:\Program Files\MicroTouch
2007-08-17 16:53 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-17 16:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-08-17 16:22 --------- d-----w C:\Program Files\Common Files\L&H
2007-08-17 16:09 --------- d-----w C:\Program Files\Symantec
2007-08-17 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-17 15:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-17 15:22 --------- d-----w C:\Program Files\Intel
2007-08-17 15:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-08-17 15:19 --------- d-----w C:\Program Files\Analog Devices
2007-08-17 15:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"tresiod"="C:\WINDOWS\system32\dtesmcd.exe" []
"fsdmccd"="C:\WINDOWS\system32\uddews.exe" []
"gerscme"="C:\WINDOWS\system32\sdvcdos.exe" []
"verdds"="C:\WINDOWS\system32\ddesam.exe" []
"stdvcxs"="C:\WINDOWS\system32\sdrsrt.exe" []
"cdnswfs"="C:\WINDOWS\system32\capxzkzr.exe" []
"mnicsev"="sysgkooi.exe" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-20 12:58]
"belmande"="update255.exe" []
"tresiod"="C:\WINDOWS\system32\dtesmcd.exe" []
"fsdmccd"="C:\WINDOWS\system32\uddews.exe" []
"gerscme"="C:\WINDOWS\system32\sdvcdos.exe" []
"verdds"="C:\WINDOWS\system32\ddesam.exe" []
"stdvcxs"="C:\WINDOWS\system32\sdrsrt.exe" []
"cdnswfs"="C:\WINDOWS\system32\capxzkzr.exe" []
"mnicsev"="sysgkooi.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-20 12:58:49]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
TouchWare Monitor.lnk - C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe [2007-08-17 12:40:22]

R2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohbusb.sys
R3 MtsTch;TouchWare Service;C:\WINDOWS\system32\DRIVERS\MtsUsb.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 15:06:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 15:07:15
C:\ComboFix2.txt ... 2007-10-11 11:34
.
--- E O F ---

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:39:38 PM 10/11/2007

+ Scan result:



HKU\S-1-5-21-746137067-2077806209-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP51\A0009761.exe -> Downloader.Adload.lv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP54\A0010959.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\Documents and Settings\WildRidge Bar\Desktop\ieupdr2.exe -> Downloader.Small.fww : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP58\A0013633.exe -> Downloader.Small.fww : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP59\A0014717.exe -> Downloader.Small.fww : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP59\A0014724.exe -> Downloader.Small.fww : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\0.exe.vir -> Downloader.Small.fww : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\Documents and Settings\WildRidge Bar\ie_update3r.exe.vir -> Downloader.Small.fww : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP51\A0009751.dll -> Downloader.VB.bkb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP51\A0009748.exe -> Not-A-Virus.Hoax.Win32.Renos.kj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP54\A0010897.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP59\A0014729.exe -> Proxy.Xorpix.bt : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\update125.exe.vir -> Proxy.Xorpix.bt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP54\A0010960.sys -> Rootkit.Agent.jc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP58\A0013690.sys -> Rootkit.Agent.js : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Cwdw77.sys.vir -> Rootkit.Agent.js : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP58\A0013679.exe -> Trojan.Agent.bqn : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\Program Files\Temporary\wininstall.exe.vir -> Trojan.Agent.bqn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP58\A0013644.dll -> Trojan.BHO.es : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\Program Files\Microsoft Help\Microsoft.System.Help.dll.vir -> Trojan.BHO.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP48\A0006688.sys -> Trojan.Kolweb.s : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP54\A0010963.exe -> Trojan.Small.rn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP54\A0010964.exe -> Trojan.Small.rn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{42D10B07-9028-4F5B-8134-D7E07ABE275F}\RP59\A0014721.exe -> Trojan.Spambot.bxa : Cleaned with backup (quarantined).


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:15 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKLM\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKLM\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKLM\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKLM\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKLM\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKLM\..\Run: [mnicsev] sysgkooi.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKCU\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKCU\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKCU\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKCU\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKCU\..\Run: [mnicsev] sysgkooi.exe
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [autorun] C:\Documents and Settings\WildRidge Bar\smss.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [mnicsev] sysgkooi.exe (User 'WildRidge Bar')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187365981515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8005 bytes

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
AVG Anti-Spyware 7.5
Dell Photo Printer 720
Fore! Reservations 2006
Google Updater
HijackThis 2.0.2
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
LiveUpdate 3.1 (Symantec Corporation)
Microsoft Office XP Professional with FrontPage
Panda ActiveScan
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
SoundMAX
Spybot - Search & Destroy
Symantec AntiVirus
TouchWare 5.64 SR5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

How does everything look now?

#6 SNOWHITE


Posted 11 October 2007 - 05:20 PM

Have you uploaded the Submit [Date Time].zip as instructed in my previous post?

I will need some time to research your reports and will be back with new instructions as soon as possible.
SNOWHITE

#7 SNOWHITE


Posted 14 October 2007 - 04:44 PM

Hello golfguy,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKLM\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKLM\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKLM\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKLM\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKLM\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKLM\..\Run: [mnicsev] sysgkooi.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe
O4 - HKCU\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe
O4 - HKCU\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe
O4 - HKCU\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe
O4 - HKCU\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe
O4 - HKCU\..\Run: [mnicsev] sysgkooi.exe
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [autorun] C:\Documents and Settings\WildRidge Bar\smss.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [cdnswfs] C:\WINDOWS\system32\capxzkzr.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [gerscme] C:\WINDOWS\system32\sdvcdos.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [fsdmccd] C:\WINDOWS\system32\uddews.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [stdvcxs] C:\WINDOWS\system32\sdrsrt.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [verdds] C:\WINDOWS\system32\ddesam.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [mnicsev] sysgkooi.exe (User 'WildRidge Bar')

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\smss.exe
C:\Documents and Settings\WildRidge Bar\smss.exe
C:\WINDOWS\system32\capxzkzr.exe
C:\WINDOWS\system32\sdvcdos.exe
C:\WINDOWS\system32\uddews.exe
C:\WINDOWS\system32\dtesmcd.exe
C:\WINDOWS\system32\sdrsrt.exe
C:\WINDOWS\system32\ddesam.exe

Folder::
C:\Program Files\WinAble

Suspect::[29]
C:\WINDOWS\system32\drivers\ohbusb.sys
C:\WINDOWS\system32\drivers\ohbusb.syt
C:\WINDOWS\system32\drivers\1031ABF5-B208-4712-AAAA-D79577273835.cxv
C:\WINDOWS\system32\drivers\2DF6A7B7-E4D5-4099-834D-5FD5735FD159.cxv


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named CF-Submit.htm
ComboFix may need to reboot to finish its work. Let it.

When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
Once the file has been submitted, please DELETE both files on your desktop.

Step #3

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under "Save as type" select Text file, write a name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)
  • Kaspersky report

How does everything look now?


It looks much better than before, but due to the nature of the infections present on the computer, we will need to do more research. Please stay with me until I let you know that you're OK to go.

Regards,
SNOWHITE
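The O4 entries SNOWHITE lists for removal share a few patterns a helper learns to spot by eye: a value name repeated under HKLM, HKCU and the user's HKUS hive, an image given without a drive path (sysgkooi.exe, update255.exe), and a core system process name (smss.exe) living outside System32. The script below is an added example, not part of this thread or of HijackThis or ComboFix; it parses O4 Run-key lines and reports those three signals. The sample lines are copied from the log above, except the [ccApp] entry, which is constructed to show that an ordinary autorun is not flagged.

```python
import re
from collections import defaultdict

# Sample lines: taken from the HijackThis log posted in this thread, plus one
# constructed benign entry ([ccApp]) to show that a normal autorun is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKLM\..\Run: [mnicsev] sysgkooi.exe
O4 - HKCU\..\Run: [belmande] update255.exe
O4 - HKCU\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe
O4 - HKCU\..\Run: [mnicsev] sysgkooi.exe
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [autorun] C:\Documents and Settings\WildRidge Bar\smss.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [tresiod] C:\WINDOWS\system32\dtesmcd.exe (User 'WildRidge Bar')
O4 - HKUS\S-1-5-21-746137067-2077806209-839522115-1004\..\Run: [mnicsev] sysgkooi.exe (User 'WildRidge Bar')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
"""

# One HijackThis O4 Run-key line: hive, value name in [brackets], command, optional user suffix.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

# Core Windows process names that malware borrows; the legitimate copies live in System32.
SYSTEM32 = r"c:\windows\system32"
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def image_path(cmd):
    """Extract the executable path from a Run value (quoted or bare, with or without arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_run_entries(log_text):
    """Return (hive_root, hive, name, path) tuples for every O4 Run-key line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive = m.group("hive")
            entries.append((hive.split("\\")[0], hive, m.group("name"), image_path(m.group("cmd"))))
    return entries


def triage(log_text):
    """Map each Run value name to the set of reasons it looks suspicious (empty set if clean)."""
    entries = parse_run_entries(log_text)
    hives_by_name = defaultdict(set)
    for root, _hive, name, _path in entries:
        hives_by_name[name.lower()].add(root)

    findings = defaultdict(set)
    for root, hive, name, path in entries:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if not re.match(r"^[a-z]:\\", low):
            # No drive letter: Windows resolves the name through the search path,
            # so the log alone does not tell you where the binary really lives.
            findings[name].add("relative image path")
        if base in CORE_NAMES and low != SYSTEM32 + "\\" + base:
            findings[name].add("core system process name outside System32")
        hive_count = len(hives_by_name[name.lower()])
        if hive_count >= 2:
            findings[name].add("same value name planted under %d hives" % hive_count)
        findings.setdefault(name, set())
    return dict(findings)


def flagged_names(log_text):
    """Sorted list of value names with at least one finding."""
    return sorted(name for name, reasons in triage(log_text).items() if reasons)


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        status = "; ".join(sorted(reasons)) if reasons else "no finding"
        print("%-10s %s" % (name, status))
```

Run against the sample, the script flags autoload, autorun, belmande, mnicsev and tresiod and leaves ccApp and WinAble without a finding. WinAble is on SNOWHITE's removal list but trips none of these three structural checks, which is the point of her remark that the remaining entries need research: pattern checks narrow the list, they do not finish it.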

#8 SNOWHITE


Posted 27 October 2007 - 11:23 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE