So Angry! Probably Virtumonde Related.


  • This topic is locked
16 replies to this topic

#1 throneberry

throneberry

  • Members
  • 9 posts

Posted 10 October 2007 - 05:52 PM

Hello, I'm new to the forum. My frustrating problem is that every time I boot my computer and open Firefox, a few seconds later it'll open a page in Internet Explorer. Also I'll get a red Windows Alert in my toolbar about a lack of anti-virus programs, which, while it's true that I don't have a real-time monitor, I think might be bogus. It didn't use to bug me about it constantly with a balloon. I come to you after trying everything I had to throw at this problem (Ad-Aware, Spyware Doctor, SUPERAntiSpyware, etc.) and they'll register all kinds of stuff (notably Virtumonde and WinFixer) but after I wipe it and reboot, the stuff seems to return. I've tried running those programs in Safe Mode, still nothing. Internet still works, although it seems a little buggier than usual, but other computer operation seems very sluggish. Here's my log, and thanks in advance for any help you can provide me!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:12 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\cvvmyecn.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5970 bytes



#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 10 October 2007 - 06:48 PM

Hello throneberry and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors:

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Step #2

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #3

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
In your next post please include the following reports:
  • VundoFix report
  • dss scan reports main.txt and extra.txt
Let me know how the things went.

Regards,
SNOWHITE

#3 throneberry

throneberry
  • Topic Starter

  • Members
  • 9 posts

Posted 10 October 2007 - 07:31 PM

Great, thanks for the help.

I ran Vundofix and it found a couple files. I chose delete but it couldn't delete one of them. It rebooted and ran again and didn't find anything. I don't recall exactly the names of the files.

Here's the Deckard's log:

Deckard's System Scanner v20070905.67
Run by Owner on 2007-10-10 20:25:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:29 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {E01B79DD-E279-4F63-A028-12BF8DA4BDF9} - C:\WINDOWS\system32\vturr.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6423 bytes

-- Files created between 2007-09-10 and 2007-10-10 -----------------------------

2007-10-10 20:09:51 0 d-------- C:\VundoFix Backups
2007-10-10 18:34:37 0 d-------- C:\Program Files\Trend Micro
2007-10-10 18:00:24 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-10-10 17:06:56 80448 --a------ C:\WINDOWS\system32\jhyhlavp.dll
2007-10-10 17:00:48 84544 -----n--- C:\WINDOWS\system32\cvvmyecn.dll
2007-10-10 16:56:19 488603 ---hs---- C:\WINDOWS\system32\rrutv.bak2
2007-10-10 11:26:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-10 11:25:23 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-10 11:25:22 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-10 11:24:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-10 11:15:58 3440 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-10 11:12:02 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-10 11:12:02 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-10 11:12:02 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-10 11:12:02 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-10 11:12:02 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-10 10:56:04 0 d-------- C:\WINDOWS\pss
2007-10-10 00:03:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-09 16:55:24 537627 ---hs---- C:\WINDOWS\system32\rrutv.bak1
2007-10-09 16:54:58 303712 -----n--- C:\WINDOWS\system32\vturr.dll
2007-10-09 12:46:03 75328 --a------ C:\WINDOWS\system32\jduodvqu.exe <Not Verified; ; DDC>
2007-10-06 18:42:03 0 d-------- C:\drvrtmp
2007-10-01 17:57:16 0 d-------- C:\Program Files\iPod
2007-10-01 17:56:57 0 d-------- C:\Program Files\iTunes


-- Find3M Report ---------------------------------------------------------------

2007-10-10 11:24:41 0 d-------- C:\Program Files\Common Files
2007-10-09 23:21:54 0 d-------- C:\Program Files\FinePixViewer
2007-10-09 12:44:07 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-09 09:30:39 0 d-------- C:\Program Files\Soulseek
2007-10-08 01:40:30 0 d-------- C:\Program Files\Dell
2007-10-08 01:39:51 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-10-08 01:31:34 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_329.bmp
2007-10-08 01:31:17 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_328.bmp
2007-10-01 17:55:16 0 d-------- C:\Program Files\Apple Software Update
2007-09-23 22:34:20 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_327.bmp
2007-09-20 15:58:14 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_326.bmp
2007-09-20 15:57:47 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_325.bmp
2007-09-16 19:23:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-09-16 11:20:06 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_324.bmp
2007-09-16 11:19:12 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_323.bmp
2007-09-16 11:18:41 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_322.bmp
2007-09-13 10:46:08 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_321.bmp
2007-09-11 01:26:44 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_320.bmp
2007-09-08 14:34:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-08 13:39:17 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_319.bmp
2007-09-06 15:53:48 0 d-------- C:\Program Files\Azureus
2007-09-06 00:10:05 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_318.bmp
2007-09-05 00:17:51 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_317.bmp
2007-09-01 01:49:24 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_316.bmp
2007-09-01 01:48:52 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_315.bmp
2007-08-29 02:13:57 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_314.bmp
2007-08-26 11:22:30 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_313.bmp
2007-08-26 11:21:45 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_312.bmp
2007-08-25 10:53:30 2359350 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_311.bmp
2007-08-22 16:41:49 1317942 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_310.bmp
2007-08-22 16:41:20 1317942 --a------ C:\Documents and Settings\Owner\Application Data\ZBWallpaper_309.bmp
2007-08-16 15:57:35 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_308.bmp
2007-08-12 17:27:45 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_307.bmp
2007-08-10 11:51:35 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_306.bmp
2007-08-08 22:00:14 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_305.bmp
2007-08-05 22:05:18 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_304.bmp
2007-08-01 18:40:49 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_303.bmp
2007-07-30 11:13:23 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_302.bmp
2007-07-27 14:48:32 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_301.bmp
2007-07-23 18:15:22 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_300.bmp
2007-07-19 22:29:28 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_299.bmp
2007-07-16 02:42:04 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_298.bmp
2007-07-16 02:40:44 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_297.bmp
2007-07-16 02:38:42 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_296.bmp
2007-07-14 19:03:35 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_295.bmp
2007-07-13 17:57:03 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_294.bmp
2007-07-11 00:00:19 2359350 --a----c- C:\Documents and Settings\Owner\Application Data\ZBWallpaper_293.bmp


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E01B79DD-E279-4F63-A028-12BF8DA4BDF9}]
10/09/2007 04:54 PM 303712 --------- C:\WINDOWS\system32\vturr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 02:25 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/04/2005 04:18 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [10/23/2003 07:51 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24 AM]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [05/21/2003 06:37 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\MOffice.exe" [09/30/2006 06:59 PM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 06:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
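
The logs in this post and in post #1 contain the entries an analyst looks for in a Vundo/Virtumonde case: the R1 proxy set to the loopback address, the O2 BHO with no name pointing at a random-looking DLL in system32, the O4 entry that uses rundll32 to load another such DLL under a misleading value name, and the LSA "Authentication Packages" value carrying vturr.dll next to msv1_0. The following is an added example, not code from the thread, HijackThis, DSS or any other tool named here: a small Python triage script that reads HijackThis- and DSS-style lines and flags those indicators. The sample lines are copied from the logs above with a benign line of each kind added for contrast; the vowel-ratio "random name" heuristic and the severity labels are my own assumptions, chosen to illustrate the idea rather than to replace an analyst's judgement.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis and Deckard's System
# Scanner output in this thread, plus one benign BHO and one benign Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E01B79DD-E279-4F63-A028-12BF8DA4BDF9} - C:\WINDOWS\system32\vturr.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\cvvmyecn.dll",sitypnow
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturr.dll
"""
SAMPLE_LINES = [ln for ln in SAMPLE_LOG.splitlines() if ln.strip()]

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_NAME_RE = re.compile(r"^O4 - .*\[([^\]]+)\]")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
AUTHPKG_RE = re.compile(r'^"Authentication Packages"\s*=\s*(.+)$')
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")


@dataclass
class Finding:
    severity: str  # "high": classic Vundo indicator; "review": needs a human look
    line: str
    reason: str


def looks_random(filename: str) -> bool:
    """Rough heuristic (an assumption of this example, not a tool's rule):
    Vundo dropped DLLs with consonant-heavy names such as cvvmyecn or vturr.
    Flag an all-letter stem of 5+ characters with fewer than 25% vowels.
    Expect false positives on terse legitimate names; use it to rank, not decide."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 5:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.25


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HijackThis or DSS registry-dump line."""
    found: list[Finding] = []
    m = PROXY_RE.match(line)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group(1)):
        found.append(Finding("review", line,
            "IE proxy points at the loopback interface; Vundo-era adware did this "
            "to sit between the browser and the network, but local filtering "
            "software does too, so check what is listening on that port"))
    m = BHO_RE.match(line)
    if m:
        name, path = m.groups()
        base = path.rsplit("\\", 1)[-1]
        if name == "(no name)" or looks_random(base):
            found.append(Finding("high", line,
                f"nameless or randomly named BHO {base} is loaded into every IE process"))
    m = RUNDLL_RE.search(line)
    if m and line.startswith("O4"):
        base = m.group(1).rsplit("\\", 1)[-1]
        value = RUN_NAME_RE.match(line)
        label = value.group(1) if value else "?"
        found.append(Finding("high" if looks_random(base) else "review", line,
            f"autorun value '{label}' uses rundll32 to load {base}; "
            "the value name says nothing about what the DLL really is"))
    m = AUTHPKG_RE.match(line)
    if m:
        # msv1_0 is the stock package; anything else runs inside lsass.exe at logon.
        extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extra:
            found.append(Finding("high", line,
                f"LSA Authentication Packages carries extra DLL(s) {extra}; "
                "they are loaded by lsass.exe on every logon, including Safe Mode"))
    m = WINLOGON_RE.match(line)
    if m:
        found.append(Finding("review", line,
            f"Winlogon Notify package {m.group(1)} runs at logon; verify its vendor"))
    return found


def triage(lines: list[str]) -> list[Finding]:
    return [f for ln in lines for f in triage_line(ln)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LINES)))
```

The point of the LSA check is the one the thread itself illustrates: VundoFix removed the files it could see, yet vturr.dll kept coming back because "Authentication Packages" made lsass.exe load it at every boot, which is also why scans from Safe Mode did not help.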

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 10 October 2007 - 08:24 PM

Hi throneberry, you haven't posted the reports I asked from you. In future, please follow the steps exactly as they are written and post the reports I ask from you. If there is something you don't understand, do not hesitate to ask me. You also haven't followed my instructions about installing an antivirus program; without protection we are just going to lose time and your computer will just reinfect itself, so please install an antivirus and after that follow these steps:

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, and also include a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
SNOWHITE

#5 throneberry

throneberry
  • Topic Starter

  • Members
  • 9 posts

Posted 10 October 2007 - 09:04 PM

I downloaded Antivir and it kept detecting a system32/vturr.dll Trojan. Every time I clicked delete, the screen would disappear, then reappear with the same prompt. I finally had to shut it down.

ComboFix ran, then rebooted. AntiVir automatically opened after the reboot was complete, but hasn't reported anything. Maybe that's a good sign. Here's the log:

ComboFix 07-10-11.1 - Owner 2007-10-10 21:41:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.37 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cvvmyecn.dll
C:\WINDOWS\system32\ggafybgt.exe
C:\WINDOWS\system32\jduodvqu.exe
C:\WINDOWS\system32\jhyhlavp.dll
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\vturr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-10 21:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 21:30 <DIR> d-------- C:\Program Files\Avira
2007-10-10 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-10 20:20 <DIR> d-------- C:\Deckard
2007-10-10 20:09 <DIR> d-------- C:\VundoFix Backups
2007-10-10 18:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-10 18:00 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-10-10 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-10 11:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-10 11:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-10 11:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-10 11:15 3,440 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-10 11:12 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-10 11:12 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-10 11:12 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-10 11:12 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-10 11:12 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-10 10:56 <DIR> d-------- C:\WINDOWS\pss
2007-10-10 07:17 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-10 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 18:42 <DIR> d-------- C:\drvrtmp
2007-10-06 18:42 145,408 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2007-10-06 18:42 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2007-10-06 18:42 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2007-10-06 18:42 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2007-10-06 18:42 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2007-10-01 17:57 <DIR> d-------- C:\Program Files\iPod
2007-10-01 17:56 <DIR> d-------- C:\Program Files\iTunes
2007-10-01 17:53 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 03:21 --------- d-----w C:\Program Files\FinePixViewer
2007-10-09 16:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-09 13:30 --------- d-----w C:\Program Files\Soulseek
2007-10-08 05:40 --------- d-----w C:\Program Files\Dell
2007-10-08 05:39 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-01 21:55 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-06 19:53 --------- d-----w C:\Program Files\Azureus
2006-12-01 06:04 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-12-01 06:04 47,360 -c--a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-02-01 16:38:38 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 14:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-04 16:18]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\MOffice.exe" [2006-09-30 18:59]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 21:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturr.dll

*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 15:26:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 21:55:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-10 21:59:47 - machine was rebooted
.
--- E O F ---

#6 SNOWHITE

Posted 11 October 2007 - 11:38 AM

Hello throneberry,

Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vturr.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"


[Image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step #2

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Start AntiVir
  • Right-click the AntiVir icon on your desktop and select Start update.
  • After the update is done, make sure that AntiVir Guard is Activated
  • Check the box: Expert Mode. Expand all the drop-down lists. Under the Scanner heading select Scan. Make sure the following are selected:
    • All files
    • Scan boot sectors of selected drives
    • Search master boot sectors
    • Scan memory
    • Ignore offline files
  • Under Scan process:
    • Allow stopping the scanner
      • Scanner priority: low
    Press the OK button.
  • Under the Scanner heading select Scan, then select Action for concerning files. Make sure the following are selected:
  • Under Action for concerning files select
    • Automatic
    • Copy file to quarantine before action
    • Primary action set to - repair
    • Secondary action set to - delete
    Press the OK button.
  • Under the Scanner heading select Scan, then select Archives. Make sure the following are selected:
    • Scan archives
    • All archive types
    • Smart extensions
    • Limit recursion depth
    • Maximum recursion depth set to - 20
  • In the Archives box, leave everything checked.
    Press the OK button.
  • Under the Guard heading select Scan. Check the box: All files
    • Leave everything else as default.
    Press the OK button.
  • Close AntiVir and reboot in Safe Mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Use your up arrow key to highlight Safe Mode, then hit Enter.

Step #3

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #4

On-demand Scanning with AntiVir

1. Right-click the AntiVir icon on your desktop and select Start AntiVir.

2. Select the Scanner tab. Right-click on Local Hard Disks. Select Scan.

3. When the scan has finished, reboot in Normal Mode. Post the report back from the scan here in this thread.
Step #5
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
In your next post please include the following reports:
  • ComboFix report
  • AntiVir scan report
  • New HijackThis log (run after AntiVir has finished its work.)
  • Uninstall list
Let me know how things went.

Regards,
SNOWHITE
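The CFScript above resets the LSA "Authentication Packages" value to msv1_0 by writing it as a .reg-style hex(7) (REG_MULTI_SZ) payload, because the earlier ComboFix log showed vturr.dll appended to that list, which makes LSASS load it at every boot. The Python below is an added example, not code from the thread, ComboFix or Avira: it decodes and encodes that payload, flags packages outside a constructed baseline of just msv1_0, and rebuilds a script in the posted shape. The ComboFix line layout and the whitespace split used to read it are assumptions taken from the log in this thread.

```python
"""Decode/encode the hex(7) REG_MULTI_SZ payload used in the CFScript above and
flag LSA "Authentication Packages" entries a default Windows XP would not load.
Added example, not part of the thread, ComboFix or Avira."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed baseline: the CFScript above resets the value to just msv1_0.
BASELINE_AUTH_PACKAGES = ("msv1_0",)

_HEX7_RE = re.compile(r"^\s*hex\(7\):\s*(.*)$", re.IGNORECASE)


def _reg_hex_bytes(payload: str) -> bytes:
    """Turn 'hex(7):6d,73,...' (possibly wrapped with backslash line
    continuations, as regedit exports long values) into raw bytes."""
    joined = re.sub(r"\\\s*\r?\n\s*", "", payload)
    m = _HEX7_RE.match(joined)
    if not m:
        raise ValueError("not a hex(7) value: %r" % payload[:40])
    parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return bytes(int(p, 16) for p in parts)


def decode_reg_multi_sz(payload: str) -> list[str]:
    """Decode a REG_MULTI_SZ written as hex(7):... into its list of strings.

    REGEDIT4-style files (and the CFScript in this thread) store one byte per
    character; 'Windows Registry Editor Version 5.00' files store UTF-16LE.
    Heuristic: if every odd-indexed byte is zero, treat the data as UTF-16LE.
    """
    raw = _reg_hex_bytes(payload)
    wide = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if wide else raw.decode("latin-1")
    # Each entry is NUL-terminated and the list ends with one extra NUL.
    return [s for s in text.split("\x00") if s]


def encode_reg_multi_sz(strings: Iterable[str], wide: bool = False) -> str:
    """Encode strings as a hex(7) payload. wide=False gives the one-byte form
    the CFScript above uses; wide=True gives the UTF-16LE form regedit exports."""
    body = "".join(s + "\x00" for s in strings) + "\x00"
    raw = body.encode("utf-16-le") if wide else body.encode("latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_auth_line(line: str) -> list[str]:
    """Pull the package list out of a ComboFix 'Reg Loading Points' line like
        "Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\vturr.dll
    Assumption: entries are whitespace-separated (a path with spaces would split)."""
    _, _, rhs = line.partition("=")
    return rhs.split()


def unexpected_auth_packages(packages: Iterable[str]) -> list[str]:
    """Return every package not in the baseline, compared case-insensitively.
    Anything listed here is a DLL that LSASS loads at boot and deserves a look."""
    baseline = {p.lower() for p in BASELINE_AUTH_PACKAGES}
    return [p for p in packages if p.lower() not in baseline]


def build_cfscript(files: Iterable[str], auth_packages: Iterable[str]) -> str:
    """Rebuild a CFScript in the shape posted above: File:: entries to delete,
    then a Registry:: block that rewrites the LSA Authentication Packages list."""
    lines = ["File::", *files, "", "Registry::",
             r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
             f'"Authentication Packages"={encode_reg_multi_sz(auth_packages)}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the line the first ComboFix log in this thread showed.
    sample = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturr.dll'
    found = parse_combofix_auth_line(sample)
    rogue = unexpected_auth_packages(found)
    print("loaded packages:", found)
    print("not in baseline:", rogue)
    # File:: entries need full paths, so only rogue entries given as paths go in.
    if rogue:
        print(build_cfscript([p for p in rogue if "\\" in p], BASELINE_AUTH_PACKAGES))
    # Round trip of the exact value the helper posted above.
    assert decode_reg_multi_sz("hex(7):6d,73,76,31,5f,30,00,00") == ["msv1_0"]
```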

#7 throneberry

Posted 12 October 2007 - 09:04 AM

Thank you for your continuing help. I appreciate it. Here are the logs you requested:

Combofix log:

ComboFix 07-10-11.1 - Owner 2007-10-12 1:28:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.71 [GMT -4:00]
Running from: C:\Program Files\Antivirus stuff\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\vturr.dll
.

((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-10 23:05 <DIR> d-------- C:\Program Files\YPOPs
2007-10-10 22:18 <DIR> d-------- C:\Program Files\Antivirus stuff
2007-10-10 21:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 21:30 <DIR> d-------- C:\Program Files\Avira
2007-10-10 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-10 20:20 <DIR> d-------- C:\Deckard
2007-10-10 20:09 <DIR> d-------- C:\VundoFix Backups
2007-10-10 18:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-10 18:00 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-10-10 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-10 11:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-10 11:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-10-10 11:15 3,440 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-10 11:12 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-10 11:12 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-10 11:12 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-10 11:12 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-10 11:12 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-10 10:56 <DIR> d-------- C:\WINDOWS\pss
2007-10-10 07:17 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-10 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 18:42 <DIR> d-------- C:\drvrtmp
2007-10-06 18:42 145,408 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2007-10-06 18:42 145,408 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2007-10-06 18:42 118,784 --a------ C:\WINDOWS\system32\Prounstl.exe
2007-10-06 18:42 24,064 --a------ C:\WINDOWS\system32\IntelNic.dll
2007-10-06 18:42 12,288 --a------ C:\WINDOWS\system32\e100bmsg.dll
2007-10-01 17:57 <DIR> d-------- C:\Program Files\iPod
2007-10-01 17:56 <DIR> d-------- C:\Program Files\iTunes
2007-10-01 17:53 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 20:59 --------- d-----w C:\Program Files\Soulseek
2007-10-11 19:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-10-11 03:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-10 03:21 --------- d-----w C:\Program Files\FinePixViewer
2007-10-08 05:40 --------- d-----w C:\Program Files\Dell
2007-10-01 21:55 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-06 19:53 --------- d-----w C:\Program Files\Azureus
2006-12-01 06:04 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-12-01 06:04 47,360 -c--a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-02-01 16:38:38 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 14:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-04 16:18]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser Mouse\MOffice.exe" [2006-09-30 18:59]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 21:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 15:26:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 01:34:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-12 1:36:43
C:\ComboFix2.txt ... 2007-10-10 21:59
.
--- E O F ---

AntiVir report:




AntiVir PersonalEdition Classic
Report file date: Friday, October 12, 2007 02:00

Scanning for 877201 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Owner
Computer name: BEN

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 18:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 17:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 20:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 17:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 01:34:29
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 01:34:29
ANTIVIR2.VDF : 7.0.0.57 446464 Bytes 10/7/2007 01:34:29
ANTIVIR3.VDF : 7.0.0.79 146944 Bytes 10/11/2007 01:31:50
AVEWIN32.DLL : 7.6.0.20 2753024 Bytes 10/11/2007 01:34:30
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 12:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 13:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 12:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 17:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 12:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 17:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 17:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 14:37:21

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: delete
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, October 12, 2007 02:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
12 processes with 12 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '31' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\19\59e95193-2e0a4dbb
[DETECTION] Contains detection pattern of the Java virus JAVA/Dldr.Agent.C
[INFO] A backup was created as '47740f5d.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\qoobox\Quarantine\catchme2007-10-10_215519.21.zip
[0] Archive type: ZIP
--> vturr.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] A backup was created as '47832245.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\cvvmyecn.dll.vir
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] A backup was created as '4785225b.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\ggafybgt.exe.vir
[DETECTION] Is the Trojan horse TR/Click.Agent.NP
[INFO] A backup was created as '4770224c.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\jduodvqu.exe.vir
[DETECTION] Is the Trojan horse TR/Fotomoto.E
[INFO] A backup was created as '4784224a.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\jhyhlavp.dll.vir
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] A backup was created as '4788224e.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\qoobox\Quarantine\C\WINDOWS\system32\vturr.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] A backup was created as '4784225b.qua' ( QUARANTINE )
[INFO] The file was deleted!
C:\VundoFix Backups\cvvmyecn.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] A backup was created as '47852278.qua' ( QUARANTINE )
[INFO] The file was deleted!


End of the scan: Friday, October 12, 2007 04:01
Used time: 2:01:13 min

The scan has been done completely.

9284 Scanning directories
395175 Files were scanned
8 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
8 files were deleted
0 files were repaired
8 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
395167 Files not concerned
3592 Archives were scanned
1 Warnings
0 Notes

#8 throneberry

Posted 12 October 2007 - 09:05 AM

HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:31 AM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6743 bytes


Uninstall list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop CS
Adobe Reader 7.0.9
Allok AVI to DVD SVCD VCD Converter 2.1.8
Apple Mobile Device Support
Apple Software Update
Avira AntiVir PersonalEdition Classic
Azureus
BCM V.92 56K Modem
Browser Mouse
BUM
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CardRd81
CCScore
Corel Paint Shop Pro X
CR2
Dell AIO Printer A920
Dell ResourceCD
DVD Decrypter (Remove Only)
DVD Shrink 3.2
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
essvatgt
essvcpt
ESSvpaht
ESSvpot
FaxTools
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.3
FUJIFILM USB Driver
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
hp deskjet 5600
hp deskjet 5600 series
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
ImageMixer VCD2 LE for FinePix
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
Kodak EasyShare software
KSU
MathPlayer
MaxBlast 4
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.7)
MSN Messenger 6.2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Notifier
OfotoXMI
OTtBP
OTtBPSDK
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
SFR
SFR2
SHASTA
SKIN0001
SKINXSDK
Sonic RecordNow! Deluxe
SoulSeek Client 156c
SoundMAX
SPSS 12.0 for Windows
Spybot - Search & Destroy
Universal Media Player
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VPRINTOL
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WIRELESS
WordPerfect Office 11
Yahoo! Mail Quick Select Tool (PhotoMail)

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 12 October 2007 - 06:29 PM

Hello throneberry,

PLEASE READ THIS POST COMPLETELY. IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER.



Please follow the steps below exactly in the order they are written:

Step #1

- Please download ATF Cleaner by Atribune.
  This program is for XP and Windows 2000 only.

- Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen, under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
  If you are having problems with the updater, you can use this link to manually update ewido:
  AVG Anti-Spyware manual updates.
  Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.


Step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name:
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 11
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 6
    • J2SE Runtime Environment 5.0 Update 9
    • Java™ 6 Update 2
    • Java™ SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
In your next post please include the following reports:
  • AVG Anti-Spyware report (if available)
  • New HijackThis log (run after AVG Anti-Spyware has finished its work.)
Let me know how things went.

Regards,
SNOWHITE

#10 throneberry

throneberry
  • Topic Starter
  • Members
  • 9 posts

Posted 13 October 2007 - 12:31 AM

I don't have the AVG report as it wasn't available, but it found 5 items. Two were cookies and three looked serious, all starting with Downloader, if that helps. Desktop performance seems to be better and I don't seem to be getting the Internet Explorer pop-up, but the probably fake Windows Alert telling me I might not have a firewall installed has made a reappearance today after being gone for a few days. I took care of the Java problem. Thanks for the tip.

Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:14 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 6855 bytes

#11 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 15 October 2007 - 08:29 AM

Hi throneberry,

"probably fake Windows Alert telling me I might not have a firewall installed"


You really don't have a firewall installed, so it's most probably the Security Center that is popping up with the alert. Can you make a screenshot of the alert and show it to me?


As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next,

* Click Start, then Run, type prefetch and press Enter. Click Edit, then Select All (all files will highlight), right-click any file, click Delete and confirm.


* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As... button.
  • Under Save as type select Text file, write a name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Please post back with the Kaspersky scan report and a new HijackThis log, and also let me know how the computer is running.

Regards,
SNOWHITE

#12 throneberry

throneberry
  • Topic Starter
  • Members
  • 9 posts

Posted 15 October 2007 - 04:34 PM

Okay, I installed the firewall. I guess I'm just not used to seeing that balloon since I've been using the Windows XP firewall. Like you said, I needed a new firewall anyway.

I ran the Kaspersky scan and it, of course, said I was infected. Here's the report:

Scan Statistics
Total number of scanned objects 82084
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 06:29:20

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p4eybn9u.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\fla325.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA0BE.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{94A88485-74B9-47CC-A9EF-7D6233EAE769}\RP1191\A0109965.exe Object is locked skipped
C:\System Volume Information\_restore{94A88485-74B9-47CC-A9EF-7D6233EAE769}\RP1191\A0111971.dll Object is locked skipped
C:\System Volume Information\_restore{94A88485-74B9-47CC-A9EF-7D6233EAE769}\RP1193\A0113168.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{94A88485-74B9-47CC-A9EF-7D6233EAE769}\RP1209\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\BEN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{673E6370-2961-4E6D-B84C-51FBF32A6AB9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\ZLT03728.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT0372e.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:00 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Browser Mouse\MOffice.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Browser Mouse\MOUSE32A.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\MOffice.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6934 bytes



Computer seems relatively okay now, despite Kaspersky telling me I'm infected. The only problem that sticks out now is AntiVir frequently needs to block what looks to me like the same viruses over and over. For instance, while I ran the Kaspersky scanner (took 6 hours) it detected four or five viruses. It lists the last detected one as "TR/Fotomoto.E" which I'm almost certain I've deleted multiple times since installing AntiVir.

That's the update for now. Thanks for your patience and time.

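Helpers on this board read a HijackThis log like the one above line by line, asking the same questions of each entry. As an added example (not code from BleepingComputer, from HijackThis, or from anyone in this thread), here is a small Python triage script that parses O4 (autorun), O10 (Winsock LSP) and O23 (service) lines and flags the items a helper usually asks about first: autorun entries that give a bare filename instead of a full path (like the BCMSMMSG line), services with no recorded publisher, unquoted paths containing spaces, and LSP modules HijackThis could not classify. The sample lines are constructed to mirror this log; a flag is a prompt to verify the file, not a verdict, and the nwprovau.dll entry in particular is commonly a legitimate Windows networking provider.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not BleepingComputer's or the HijackThis author's code.
It parses O4, O10 and O23 entries and reports the ones that need a closer look.
"""
import re
from dataclasses import dataclass

# Sample lines, constructed for this example to mirror the shape of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$')
# First token that ends in an executable-looking extension (handles unquoted paths with spaces).
EXE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|sys|scr|cpl))(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # O4, O10 or O23
    name: str      # value name, LSP marker or service name
    path: str      # image path as written in the log
    reasons: list  # why this entry deserves a closer look


def image_path(cmd):
    """Return (path, was_quoted) for a command line as written in the log."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = EXE_RE.match(cmd)
    if m:
        return m.group('path'), False
    return (cmd.split()[0] if cmd else ''), False


def path_reasons(path, quoted):
    """Checks that apply to any image path, whether it belongs to a Run value or a service."""
    reasons = []
    if not re.match(r'^[A-Za-z]:\\', path):
        reasons.append('no absolute path: the file is found by PATH search, so which file runs is unknown')
    elif ' ' in path and not quoted:
        reasons.append('unquoted path with spaces: CreateProcess may resolve an ambiguous executable')
    return reasons


def triage(log_text):
    """Parse the log and return a Finding for every entry with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path, quoted = image_path(m.group('cmd'))
            reasons = path_reasons(path, quoted)
            if reasons:
                findings.append(Finding('O4', m.group('name'), path, reasons))
        elif m := O10_RE.match(line):
            findings.append(Finding('O10', 'Winsock LSP', m.group('path'),
                                    ['LSP module HijackThis could not classify: confirm its publisher '
                                     'before removing it (many such entries are legitimate)']))
        elif m := O23_RE.match(line):
            path, quoted = image_path(m.group('path'))
            reasons = path_reasons(path, quoted)
            if m.group('owner') == 'Unknown owner':
                reasons.insert(0, "no publisher recorded: verify the binary's digital signature")
            if reasons:
                findings.append(Finding('O23', m.group('short') or m.group('display'), path, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section} [{f.name}] {f.path}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the constructed sample, the script reports the BCMSMMSG autorun entry (bare filename), the unclassified LSP module, and the Adobe LM Service (unknown publisher plus an unquoted path with spaces); the Avira, ctfmon and vsmon entries pass silently.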
#13 throneberry

throneberry
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:27 PM

Posted 15 October 2007 - 06:18 PM

I take that back. My computer does not seem okay. It's now running slower than it's ever been.

#14 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:27 PM

Posted 17 October 2007 - 03:40 PM

I take that back. My computer does not seem okay. It's now running slower than it's ever been.

Hello throneberry, I don't see malware related problems in your reports. The one in your Kaspersky report is in a system restore point and it is not malware related; it points to a legit program, reboot.exe, which is usually flagged by antivirus programs as a risk tool. We are going to clean system restore, but before that let's run another scan:

Please run this online scan:

Panda ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

My computer does not seem okay. It's now running slower than it's ever been.


Follow this link Help! My computer is slow!

Post the contents of the Panda scan report, along with a new HijackThis log, and let me know how the computer is running.

Regards,

Edited by SNOWHITE, 17 October 2007 - 03:43 PM.

SNOWHITE

#15 throneberry

throneberry
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:27 PM

Posted 22 October 2007 - 05:03 PM

I think the ZoneAlarm was the cause of the slow down. Wiped that and things seem okay now.

I guess my computer is running at a decent pace now. I should probably spring for something with a little more RAM.

Thanks again for all the help.



