
Annoying Yellow Triangle Help


This topic is locked
17 replies to this topic

#1 teachersstop

teachersstop

  • Members
  • 35 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 21 November 2007 - 10:13 PM

Here is my HijackThis log; I have that annoying flashing triangle. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:32 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\?icrosoft.NET\j?vaw.exe
C:\Program Files\QdrModule\QdrModule9.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\hijackthis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bgiwpwkt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [acbf66e3] rundll32.exe "C:\WINDOWS\system32\pnqbnfwc.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Orr] C:\WINDOWS\system32\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Rqfxypf] C:\WINDOWS\system32\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [Vqvsempy] "C:\Program Files\Common Files\??pPatch\n?lookup.exe"
O4 - HKCU\..\Run: [Wzpqu] C:\WINDOWS\M?crosoft\?xplorer.exe
O4 - HKCU\..\Run: [Ajunxz] "C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\?icrosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\SKS~1\rundll32.exe" -vt ndrv
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\csriegup.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 8017 bytes


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 PM

Posted 23 November 2007 - 11:21 AM

Hello teachersstop

Copy and Paste this post into a new text document or print it for reference

1. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bgiwpwkt.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [acbf66e3] rundll32.exe "C:\WINDOWS\system32\pnqbnfwc.dll",b
O4 - HKCU\..\Run: [Orr] C:\WINDOWS\system32\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Rqfxypf] C:\WINDOWS\system32\?ssembly\m?dtc.exe
O4 - HKCU\..\Run: [Vqvsempy] "C:\Program Files\Common Files\??pPatch\n?lookup.exe"
O4 - HKCU\..\Run: [Wzpqu] C:\WINDOWS\M?crosoft\?xplorer.exe
O4 - HKCU\..\Run: [Ajunxz] "C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\?icrosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\SKS~1\rundll32.exe" -vt ndrv
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\csriegup.exe (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.



2. Now please download this latest version of VundoFix to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
  • Please post the contents of C:\vundofix.txt in your next reply
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

3. Please Re-scan with HijackThis and post the new log and the C:\vundofix.txt

Thank you
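The entries ourwilly asks to have fixed share a few visible tells: a `?` in a path (HijackThis prints `?` for a character it cannot display, and genuine Windows paths never contain one), a service registered for a binary marked `(file missing)`, an eight-letter random DLL name under `system32`, a Run value named with eight hex digits, and a copy of `rundll32.exe` living outside `\WINDOWS`. The script below is an added example for this page, not part of the thread and not HijackThis code; it applies those tells to log lines so a reviewer can see at a glance which entries need a closer look. The sample lines are copied from the log in post #1 (the profile path shortened), and the rules and the eight-character threshold are my own heuristics rather than anything HijackThis itself computes.

```python
import re
from typing import Dict, List

# Constructed sample: entries copied from the HijackThis log in post #1
# (plus one McAfee service line) so that benign and suspicious lines sit
# side by side. The Owner profile path is shortened for brevity.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\bgiwpwkt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [acbf66e3] rundll32.exe "C:\WINDOWS\system32\pnqbnfwc.dll",b
O4 - HKCU\..\Run: [Orr] C:\WINDOWS\system32\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Ajunxz] "C:\Documents and Settings\Owner\My Documents\?icrosoft.NET\j?vaw.exe"
O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\SKS~1\rundll32.exe" -vt ndrv
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\csriegup.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Heuristics (my own, not HijackThis rules): an eight-letter name directly
# under system32 is the naming pattern of the DLLs VundoFix removed in this
# thread; a Run value named with eight hex digits is the other pattern the
# helper picked out.
RANDOM_SYSTEM32_NAME = re.compile(r'\\system32\\[a-z]{8}\.(?:dll|exe)\b', re.IGNORECASE)
HEX_RUN_NAME = re.compile(r'\[[0-9a-f]{8}\]')
RUNDLL32_WITH_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\\rundll32\.exe)', re.IGNORECASE)


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HijackThis line deserves a look."""
    line = line.strip()
    if ' - ' not in line:
        return []
    section = line.split(' - ', 1)[0]          # O3, O4, O23, R0, ...
    reasons = []
    # HijackThis prints '?' for a character it cannot display; genuine
    # Windows paths never contain one, so it marks a look-alike name.
    if '?' in line:
        reasons.append('undisplayable character in path (look-alike folder or file name)')
    if section == 'O23' and '(file missing)' in line:
        reasons.append('service registered for a binary that no longer exists')
    if section == 'O3' and RANDOM_SYSTEM32_NAME.search(line):
        reasons.append('toolbar DLL with random eight-letter name in system32')
    if section == 'O4':
        if 'rundll32' in line.lower() and RANDOM_SYSTEM32_NAME.search(line):
            reasons.append('rundll32 loading random-named DLL from system32')
        if HEX_RUN_NAME.search(line):
            reasons.append('Run value named with random hex digits')
        m = RUNDLL32_WITH_PATH.search(line)
        if m and '\\windows\\' not in m.group(1).lower():
            reasons.append('rundll32.exe launched from outside the Windows directory')
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged line of a HijackThis log to its reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == '__main__':
    for entry, why in triage_log(SAMPLE_HJT_LOG).items():
        print(entry)
        for r in why:
            print('   ->', r)
```

On the sample it flags exactly the six lines ourwilly listed (the Security Toolbar, the `acbf66e3` loader, the two `?` paths, the `Ealb` rundll32 copy and the DomainService) and leaves the Google, QuickTime and McAfee entries alone. The `?` and `(file missing)` tests are the dependable ones; the eight-letter and hex-digit rules are only name heuristics, so anything they flag still needs the file checked before it is fixed.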

#3 teachersstop

teachersstop
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 26 November 2007 - 10:59 PM

Hello, I had stumbled on the VundoFix topic and ran it last Wednesday. It found several instances and removed them. I then did an AVG full system scan; it found some threats, I removed them, and then scanned again and it came back clean. On Friday the flashing triangle alert was back. I ran VundoFix again at 1:15 today and it got rid of it. I figured it would come back again, and as I was typing this at 7:45 it just came back and VundoFix is finding it now. After the scan it needed to reboot to remove some files; I did that and reran HijackThis. Here is my fix log and latest HijackThis log. Thanks so much for your time!!!!

Vundo Log:

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 9:47:45 PM 11/21/2007

Listing files found while scanning....

C:\windows\system32\bgiwpwkt.dll
C:\windows\system32\bgiwpwkt.dllbox
C:\windows\system32\liahigjx.dll
C:\windows\system32\pqstv.ini
C:\windows\system32\pqstv.ini2
C:\windows\system32\vtsqp.dll
C:\WINDOWS\system32\vxyommof.dll

Beginning removal...

Attempting to delete C:\windows\system32\bgiwpwkt.dll
C:\windows\system32\bgiwpwkt.dll Has been deleted!

Attempting to delete C:\windows\system32\bgiwpwkt.dllbox
C:\windows\system32\bgiwpwkt.dllbox Has been deleted!

Attempting to delete C:\windows\system32\liahigjx.dll
C:\windows\system32\liahigjx.dll Has been deleted!

Attempting to delete C:\windows\system32\pqstv.ini
C:\windows\system32\pqstv.ini Has been deleted!

Attempting to delete C:\windows\system32\pqstv.ini2
C:\windows\system32\pqstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vtsqp.dll
C:\windows\system32\vtsqp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 10:22:10 PM 11/21/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 1:06:01 PM 11/26/2007

Listing files found while scanning....

C:\windows\system32\bihtwgnj.exe
C:\windows\system32\crovflbr.exe
C:\windows\system32\rauupfkk.dll
C:\windows\system32\rauupfkk.dllbox
C:\windows\system32\tppqevmd.exe
C:\windows\system32\usniptei.dll

Beginning removal...

Attempting to delete C:\windows\system32\bihtwgnj.exe
C:\windows\system32\bihtwgnj.exe Has been deleted!

Attempting to delete C:\windows\system32\crovflbr.exe
C:\windows\system32\crovflbr.exe Has been deleted!

Attempting to delete C:\windows\system32\rauupfkk.dll
C:\windows\system32\rauupfkk.dll Has been deleted!

Attempting to delete C:\windows\system32\rauupfkk.dllbox
C:\windows\system32\rauupfkk.dllbox Has been deleted!

Attempting to delete C:\windows\system32\tppqevmd.exe
C:\windows\system32\tppqevmd.exe Has been deleted!

Attempting to delete C:\windows\system32\usniptei.dll
C:\windows\system32\usniptei.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 7:11:12 PM 11/26/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 7:33:59 PM 11/26/2007

Listing files found while scanning....

C:\windows\system32\auqyuxbs.dll
C:\WINDOWS\system32\xfnmtbix.dll
C:\windows\system32\xfnmtbix.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\auqyuxbs.dll
C:\windows\system32\auqyuxbs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xfnmtbix.dll
C:\WINDOWS\system32\xfnmtbix.dll Could not be deleted.

Attempting to delete C:\windows\system32\xfnmtbix.dllbox
C:\windows\system32\xfnmtbix.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xfnmtbix.dll
C:\WINDOWS\system32\xfnmtbix.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 7:49:02 PM 11/26/2007

Listing files found while scanning....

No infected files were found.




Hijack Scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:13 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\hijackthis\HijackThis.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 5358 bytes
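The VundoFix runs in this post show the recurrence pattern: a clean scan, then new random-named files a few hours later, and once a file that "Could not be deleted." until the reboot pass. As an added example (not part of the thread and not VundoFix code), here is a parser for that log format that turns the runs into a timeline, tracks the delete-on-reboot case so a file only counts as remaining if no later pass removed it, and checks whether any file name was found in more than one run. The sample is abridged from the output above (same file names, blank lines removed); the `hours_between_runs` and `names_seen_twice` helpers are my own, not anything VundoFix reports.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample: three VundoFix runs abridged from the output posted
# above (same file names, blank lines removed): one normal run, one with a
# file that only went away on the reboot pass, and a final clean run.
SAMPLE_VUNDOFIX_LOG = r"""VundoFix V6.6.2
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 1:06:01 PM 11/26/2007
Listing files found while scanning....
C:\windows\system32\bihtwgnj.exe
Beginning removal...
Attempting to delete C:\windows\system32\bihtwgnj.exe
C:\windows\system32\bihtwgnj.exe Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Scan started at 7:33:59 PM 11/26/2007
Listing files found while scanning....
C:\windows\system32\auqyuxbs.dll
C:\WINDOWS\system32\xfnmtbix.dll
Beginning removal...
Attempting to delete C:\windows\system32\auqyuxbs.dll
C:\windows\system32\auqyuxbs.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xfnmtbix.dll
C:\WINDOWS\system32\xfnmtbix.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\xfnmtbix.dll
C:\WINDOWS\system32\xfnmtbix.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Scan started at 7:49:02 PM 11/26/2007
Listing files found while scanning....
No infected files were found.
"""

START_RE = re.compile(r'^Scan started at (\d{1,2}:\d{2}:\d{2} [AP]M \d{1,2}/\d{1,2}/\d{4})$')
JAVA_RE = re.compile(r'^Java version is (\S+)$')
RESULT_RE = re.compile(r'^(.+) (Has been deleted!|Could not be deleted\.)$')

@dataclass
class VundoRun:
    started: Optional[datetime] = None
    java_version: Optional[str] = None
    found: List[str] = field(default_factory=list)
    # lower-cased path -> 'deleted' or 'failed'; the last status wins, so a
    # reboot-pass deletion overrides an earlier 'Could not be deleted.'
    status: Dict[str, str] = field(default_factory=dict)

    def remaining(self) -> List[str]:   # reported by VundoFix but never deleted
        return [p for p, s in self.status.items() if s == 'failed']

def parse_vundofix_log(text: str) -> List[VundoRun]:
    runs: List[VundoRun] = []
    run: Optional[VundoRun] = None
    section = None   # 'found' while listing hits, 'removal' while deleting
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('VundoFix V'):   # a version header starts a new run
            run = VundoRun()
            runs.append(run)
            section = None
        elif run is None:
            continue   # anything before the first header is not part of a run
        elif (m := JAVA_RE.match(line)):
            run.java_version = m.group(1)
        elif (m := START_RE.match(line)):
            run.started = datetime.strptime(m.group(1), '%I:%M:%S %p %m/%d/%Y')
        elif line.startswith('Listing files found'):
            section = 'found'
        elif line.startswith('Beginning removal'):
            section = 'removal'
        elif line == 'No infected files were found.':
            section = None
        elif section == 'found':
            run.found.append(line)
        elif section == 'removal' and (m := RESULT_RE.match(line)):
            run.status[m.group(1).lower()] = 'deleted' if m.group(2).endswith('!') else 'failed'
    return runs

def hours_between_runs(runs: List[VundoRun]) -> List[float]:
    """Gaps in hours between consecutive scan start times."""
    times = [r.started for r in runs if r.started]
    return [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]

def names_seen_twice(runs: List[VundoRun]) -> Set[str]:
    """Paths found in more than one run; empty here, since each reinfection dropped new names."""
    counts: Dict[str, int] = {}
    for r in runs:
        for p in {f.lower() for f in r.found}:
            counts[p] = counts.get(p, 0) + 1
    return {p for p, n in counts.items() if n > 1}
```

On the sample this yields three runs about 6.5 hours and then 15 minutes apart, an empty `remaining()` for the second run because the reboot pass finished the job, and an empty `names_seen_twice()`: every reinfection dropped freshly named files, which is why a list of file names is useless for blocking this and why the helper moves on to the loader entry and ComboFix rather than chasing names.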

#4 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 PM

Posted 27 November 2007 - 01:42 PM

Hello teachersstop :thumbsup:

Thank you for doing that for me

Copy and Paste this post into a new text document or print it for reference

1. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entry:
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
Close any Explorer windows which may be open and click the "Fix Checked" button.


2. Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key or Alt + Spacebar to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you performed, select "Save report as" and save to your desktop. The default file name will be in date/time format: Report-Scan-200706-1606. A copy of each report will be saved in C:\Documents and Settings\<user profile>\Application Data\Grisoft\AVG Antispyware 7.5\Reports.
    • If you installed AVG AS over a previous version, reports are saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    • If you are a Vista user, reports are saved in C:\Users\<username>\AppData\Roaming\Grisoft\AVG Antispyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.

3. Please Re-scan with HijackThis and post the new log and the Avg anti-spyware results.

Thank you

#5 teachersstop

teachersstop
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 28 November 2007 - 03:49 AM

Hello,

Thanks again for your time. I tried to do what you said. I ran the HijackThis scan, removed the O3 toolbar, rebooted in safe mode, and started the AVG scan. Then during the scan process the triangle came back and really slowed the computer to a crawl. I ended up running VundoFix again, then went back to normal mode to remove the O3 toolbar, then safe mode for the AVG scan, and quarantined one virus. Here is the AVG report and also the HijackThis log after the scan.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:35:00 AM 11/28/2007

+ Scan result:



C:\VundoFix Backups\xccfnpnf.exe.bad -> Downloader.Tiny.id : Cleaned with backup (quarantined).


::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:29 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [acbf66e3] rundll32.exe "C:\WINDOWS\system32\ltlbjosj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 5352 bytes

#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 PM

Posted 28 November 2007 - 06:05 AM

Hello teachersstop

I would like you to do this next for me :thumbsup:

Copy and Paste this post into a new text document or print it for reference

1. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O4 - HKLM\..\Run: [acbf66e3] rundll32.exe "C:\WINDOWS\system32\ltlbjosj.dll",b

Close any Explorer windows which may be open and click the "Fix Checked" button.



2. Please download the OTMoveIt from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Do not run it yet!

Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ltlbjosj.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


3. Download "ComboFix.exe" from one of these links and save this onto your desktop

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" to launch the application. Follow the prompts that will be displayed on the screen.

Important: Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it will produce a log called "combofix.txt", by default saved into your C folder.
Navigate to: Start >> My Computer >> Local Disk C and copy and paste the combofix.txt log and a new HijackThis log back to me.

Thank you.

#7 teachersstop

  • Topic Starter
  • Members
  • 35 posts

Posted 28 November 2007 - 10:47 AM

Here you go, thanks so much:

ComboFix 07-11-19.4C - Owner 2007-11-28 7:35:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.91 [GMT -8:00]
Running from: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\addon.dat
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\ICROSO~1.NET
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\ICROSO~1.NET\j?vaw.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\PPPATC~1
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\YSTEM3~1
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\sks~1
C:\Program Files\sks~1\??sks\
C:\WINDOWS\cookies.ini
C:\WINDOWS\mbols~1
C:\WINDOWS\mcroso~1
C:\WINDOWS\racle~1
C:\WINDOWS\ssembl~1
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\ssembl~1
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 21:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-27 10:13 784,030 --ahs---- C:\WINDOWS\system32\jsojbltl.ini
2007-11-27 10:10 78,912 --a------ C:\WINDOWS\system32\ecfdoidk.dll
2007-11-27 10:07 71,232 --a------ C:\WINDOWS\system32\xfqocrrn.exe
2007-11-26 19:24 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-26 19:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-26 10:13 80,960 --a------ C:\WINDOWS\system32\jpphgcxg.dll
2007-11-26 10:10 780,795 --ahs---- C:\WINDOWS\system32\wwcwpjsv.ini
2007-11-26 10:07 71,232 --a------ C:\WINDOWS\system32\ntdjhkbo.exe
2007-11-25 10:10 776,132 --ahs---- C:\WINDOWS\system32\efeqokth.ini
2007-11-25 10:07 79,936 --a------ C:\WINDOWS\system32\fnmsfagw.dll
2007-11-25 10:02 71,232 --a------ C:\WINDOWS\system32\jutubeag.exe
2007-11-23 10:18 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-23 10:08 83,520 --a------ C:\WINDOWS\system32\natctegr.dll
2007-11-23 10:05 776,012 --ahs---- C:\WINDOWS\system32\qdyoowtc.ini
2007-11-23 10:05 71,232 --a------ C:\WINDOWS\system32\ngqkqxeq.exe
2007-11-21 18:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-21 10:21 714,599 --ahs---- C:\WINDOWS\system32\cwfnbqnp.ini
2007-11-21 10:21 85,056 --a------ C:\WINDOWS\system32\pnqbnfwc.dll
2007-11-20 10:24 689,277 --ahs---- C:\WINDOWS\system32\kthmiyks.ini
2007-11-19 23:56 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-19 23:56 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-19 23:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-19 21:35 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Grisoft
2007-11-19 21:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-19 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 19:45 18,907 --a------ C:\WINDOWS\system32\Config.MPF
2007-11-19 19:42 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-19 19:42 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-19 19:42 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-19 19:42 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-19 19:42 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-19 19:41 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-19 19:35 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-19 19:25 <DIR> d--h----- C:\Program Files\Bifrost
2007-11-19 19:07 <DIR> d-------- C:\Program Files\uTorrent
2007-11-19 19:07 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\uTorrent
2007-11-19 10:19 685,970 --ahs---- C:\WINDOWS\system32\bsdndrio.ini
2007-11-19 10:19 85,056 --a------ C:\WINDOWS\system32\oirdndsb.dll
2007-11-18 10:21 677,998 --ahs---- C:\WINDOWS\system32\ptdfydcd.ini
2007-11-17 17:06 36,352 --a------ C:\WINDOWS\system32\hggfcyx.dll.vir
2007-11-01 10:30 158,992 --a------ C:\WINDOWS\system32\QBPOSProtocol.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 03:23 --------- d-----w C:\Program Files\WildTangent
2007-11-27 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2007-11-27 03:22 --------- d-----w C:\Program Files\Gateway Games
2007-11-27 03:21 --------- d-----w C:\Program Files\BigFix
2007-11-27 03:19 --------- d-----w C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks
2007-11-27 03:16 --------- d-----w C:\Program Files\Google
2007-11-21 18:02 --------- d-----w C:\Program Files\McAfee
2007-11-20 08:16 --------- d-----w C:\Program Files\QuickTime
2007-11-20 08:16 --------- d-----w C:\Program Files\Digital Media Reader
2007-11-20 03:49 --------- d-----w C:\Program Files\McAfee.com
2007-11-20 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-20 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-20 02:24 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-11-20 02:24 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-15 22:48 50,184 ----a-w C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\GDIPFONTCACHEV1.DAT
2006-12-19 18:25 0 ----a-w C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
C:\Program Files\ISM\BndDrive6.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95416DAE-77FD-4974-8FC5-BCEC7336080F}]
C:\WINDOWS\system32\vtsqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a095243e-5f78-4e04-813e-be7720e439ab}]
2007-11-27 10:10 78912 --a------ C:\WINDOWS\system32\ecfdoidk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 17:44]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 15:16]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-03 09:20:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebya.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;"C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe"
R2 QBPOSDBServiceV6;QBPOS Database Manager v6;"C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60a4ee49-20f3-11db-9198-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bac41fab-a264-11db-a464-001676672b07}]
\Shell\AutoRun\command - J:\setupSNK.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7DA66733-1044-13F3-9E3A-6A0B7E1E9311}]
C:\Program Files\Bifrost\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 03:38:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-20 03:38:56 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 07:41:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 7:44:35 - machine was rebooted
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:31 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
O2 - BHO: (no name) - {95416DAE-77FD-4974-8FC5-BCEC7336080F} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: {ba934e02-77eb-e318-40e4-87f5e342590a} - {a095243e-5f78-4e04-813e-be7720e439ab} - C:\WINDOWS\system32\ecfdoidk.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 6055 bytes

#8 ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 28 November 2007 - 11:59 AM

Hello teachersstop

Please Open notepad - don't use any other text editor

I would like you to now Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\jsojbltl.ini
C:\WINDOWS\system32\ecfdoidk.dll
C:\WINDOWS\system32\xfqocrrn.exe
C:\WINDOWS\system32\jpphgcxg.dll
C:\WINDOWS\system32\wwcwpjsv.ini
C:\WINDOWS\system32\efeqokth.ini
C:\WINDOWS\system32\fnmsfagw.dll
C:\WINDOWS\system32\jutubeag.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\natctegr.dll
C:\WINDOWS\system32\qdyoowtc.ini
C:\WINDOWS\system32\ngqkqxeq.exe
C:\WINDOWS\system32\cwfnbqnp.ini
C:\WINDOWS\system32\pnqbnfwc.dll
C:\WINDOWS\system32\kthmiyks.ini
C:\WINDOWS\system32\bsdndrio.ini
C:\WINDOWS\system32\oirdndsb.dll
C:\WINDOWS\system32\ptdfydcd.ini

Folder::
C:\Program Files\ISM

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95416DAE-77FD-4974-8FC5-BCEC7336080F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a095243e-5f78-4e04-813e-be7720e439ab}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00



Name the file CFScript and Save it to your Desktop

(image: CFScript.txt being dragged onto ComboFix.exe)
Referring to the picture above, drag CFScript.txt into ComboFix.exe

Run ComboFix again and post the resultant log along with a new HijackThis log

Thank you
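
Added here as an example (not the helper's own method, nor ComboFix's code): the triage done by eye in the two posts above, scripted in Python. It parses the ComboFix "Files Created" lines and the LSA "Authentication Packages" entry from the log in post #7, pairs each hidden+system .ini with the .dll whose name is its mirror image, flags any authentication package other than msv1_0, and emits a CFScript whose Registry:: line carries the same hex(7) bytes as the script above. The sample log lines are constructed from file names seen in this thread.

```python
"""Scripted triage of ComboFix-style log lines (added example, not ComboFix's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of the log posted above ("Files Created" lines and
# the LSA entry from "Reg Loading Points"); file names are the ones seen in this thread.
SAMPLE_LOG = r"""
2007-11-27 10:13 784,030 --ahs---- C:\WINDOWS\system32\jsojbltl.ini
2007-11-21 10:21 714,599 --ahs---- C:\WINDOWS\system32\cwfnbqnp.ini
2007-11-21 10:21 85,056 --a------ C:\WINDOWS\system32\pnqbnfwc.dll
2007-11-19 21:35 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-19 10:19 685,970 --ahs---- C:\WINDOWS\system32\bsdndrio.ini
2007-11-19 10:19 85,056 --a------ C:\WINDOWS\system32\oirdndsb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebya.dll
"""

# "2007-11-27 10:13 784,030 --ahs---- C:\path" -> stamp, size (or <DIR>), attrs, path
FILE_LINE = re.compile(r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
                       r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$")
AUTH_LINE = re.compile(r'^"Authentication Packages"=\s*(.+)$')
EXPECTED_AUTH_PACKAGE = "msv1_0"  # the only package a stock Windows XP lists here


@dataclass(frozen=True)
class FileEntry:
    stamp: str
    size: str
    attrs: str
    path: str

    @property
    def hidden_system(self) -> bool:
        # ComboFix prints "--ahs----" for archive + hidden + system attributes
        return "h" in self.attrs and "s" in self.attrs


def parse_file_lines(log: str) -> List[FileEntry]:
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append(FileEntry(**m.groupdict()))
    return entries


def _split(path: str) -> Tuple[str, str, str]:
    # (directory, stem, extension) of a Windows path, case-folded for comparison
    directory, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    return directory.lower(), stem.lower(), ext.lower()


def find_mirrored_pairs(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """Pair each hidden+system .ini with a .dll in the same folder whose stem is the
    .ini stem spelled backwards (cwfnbqnp.ini / pnqbnfwc.dll in the log above).
    An .ini whose mirror .dll is already gone (jsojbltl.ini here) is not paired."""
    dlls: Dict[Tuple[str, str], str] = {}
    for e in entries:
        d, stem, ext = _split(e.path)
        if ext == "dll":
            dlls[(d, stem)] = e.path
    pairs = []
    for e in entries:
        d, stem, ext = _split(e.path)
        if ext == "ini" and e.hidden_system and (d, stem[::-1]) in dlls:
            pairs.append((e.path, dlls[(d, stem[::-1])]))
    return pairs


def parse_auth_packages(log: str) -> List[str]:
    """Values of the LSA REG_MULTI_SZ as ComboFix prints them, space separated
    (a package path containing spaces would need a smarter split)."""
    for line in log.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m:
            return m.group(1).split()
    return []


def rogue_auth_packages(packages: List[str]) -> List[str]:
    """Anything LSA would load at boot besides msv1_0 is suspect."""
    return [p for p in packages if p.lower() != EXPECTED_AUTH_PACKAGE]


def reg_multi_sz_hex7(values: List[str]) -> str:
    """Encode a REG_MULTI_SZ as the CFScript above does: ANSI bytes, one NUL after
    each string, one more NUL to close the list (Unicode .reg files use UTF-16LE)."""
    raw = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def build_cfscript(log: str) -> str:
    # File:: lists the mirrored pairs; Registry:: resets the LSA value to just msv1_0
    entries = parse_file_lines(log)
    lines = ["File::"]
    for ini, dll in find_mirrored_pairs(entries):
        lines += [ini, dll]
    if rogue_auth_packages(parse_auth_packages(log)):
        lines += ["", "Registry::",
                  r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
                  '"Authentication Packages"=hex(7):' + reg_multi_sz_hex7([EXPECTED_AUTH_PACKAGE])]
    return "\n".join(lines) + "\n"
```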

#9 teachersstop

  • Topic Starter
  • Members
  • 35 posts

Posted 28 November 2007 - 01:41 PM

thanks for your help

ComboFix 07-11-19.4C - Owner 2007-11-28 10:28:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.99 [GMT -8:00]
Running from: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\bsdndrio.ini
C:\WINDOWS\system32\cwfnbqnp.ini
C:\WINDOWS\system32\ecfdoidk.dll
C:\WINDOWS\system32\efeqokth.ini
C:\WINDOWS\system32\fnmsfagw.dll
C:\WINDOWS\system32\jpphgcxg.dll
C:\WINDOWS\system32\jsojbltl.ini
C:\WINDOWS\system32\jutubeag.exe
C:\WINDOWS\system32\kthmiyks.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\natctegr.dll
C:\WINDOWS\system32\ngqkqxeq.exe
C:\WINDOWS\system32\oirdndsb.dll
C:\WINDOWS\system32\pnqbnfwc.dll
C:\WINDOWS\system32\ptdfydcd.ini
C:\WINDOWS\system32\qdyoowtc.ini
C:\WINDOWS\system32\wwcwpjsv.ini
C:\WINDOWS\system32\xfqocrrn.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bsdndrio.ini
C:\WINDOWS\system32\cwfnbqnp.ini
C:\WINDOWS\system32\ecfdoidk.dll
C:\WINDOWS\system32\efeqokth.ini
C:\WINDOWS\system32\fnmsfagw.dll
C:\WINDOWS\system32\jpphgcxg.dll
C:\WINDOWS\system32\jsojbltl.ini
C:\WINDOWS\system32\jutubeag.exe
C:\WINDOWS\system32\kthmiyks.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\natctegr.dll
C:\WINDOWS\system32\ngqkqxeq.exe
C:\WINDOWS\system32\oirdndsb.dll
C:\WINDOWS\system32\pnqbnfwc.dll
C:\WINDOWS\system32\ptdfydcd.ini
C:\WINDOWS\system32\qdyoowtc.ini
C:\WINDOWS\system32\wwcwpjsv.ini
C:\WINDOWS\system32\xfqocrrn.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 21:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-26 19:24 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-26 19:24 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-26 10:10 85,056 --a------ C:\WINDOWS\system32\vsjpwcww.dll
2007-11-22 10:11 738,296 --ahs---- C:\WINDOWS\system32\umhaxytd.ini
2007-11-21 18:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-19 23:56 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-19 23:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-19 21:35 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Grisoft
2007-11-19 21:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-19 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 19:45 18,907 --a------ C:\WINDOWS\system32\Config.MPF
2007-11-19 19:42 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-19 19:42 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-19 19:42 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-19 19:42 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-19 19:42 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-19 19:41 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-19 19:35 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-19 19:25 <DIR> d--h----- C:\Program Files\Bifrost
2007-11-19 19:07 <DIR> d-------- C:\Program Files\uTorrent
2007-11-19 19:07 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\uTorrent
2007-11-19 19:00 1,998 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 03:23 --------- d-----w C:\Program Files\WildTangent
2007-11-27 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2007-11-27 03:22 --------- d-----w C:\Program Files\Gateway Games
2007-11-27 03:21 --------- d-----w C:\Program Files\BigFix
2007-11-27 03:19 --------- d-----w C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Move Networks
2007-11-27 03:16 --------- d-----w C:\Program Files\Google
2007-11-21 18:02 --------- d-----w C:\Program Files\McAfee
2007-11-20 08:16 --------- d-----w C:\Program Files\QuickTime
2007-11-20 08:16 --------- d-----w C:\Program Files\Digital Media Reader
2007-11-20 03:49 --------- d-----w C:\Program Files\McAfee.com
2007-11-20 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-20 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-20 02:24 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-11-20 02:24 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-15 22:48 50,184 ----a-w C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\GDIPFONTCACHEV1.DAT
2006-12-19 18:25 0 ----a-w C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 17:44]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 09:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 15:16]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-03 09:20:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 Intuit Entitlement Service v3;Intuit Entitlement Service v3;"C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe"
R2 QBPOSDBServiceV6;QBPOS Database Manager v6;"C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60a4ee49-20f3-11db-9198-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bac41fab-a264-11db-a464-001676672b07}]
\Shell\AutoRun\command - J:\setupSNK.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7DA66733-1044-13F3-9E3A-6A0B7E1E9311}]
C:\Program Files\Bifrost\svchost.exe s
.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 03:38:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-20 03:38:56 C:\WINDOWS\Tasks\McQcTask.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 10:33:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 10:36:59 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 07:44
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:06 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Rar$EX00.985\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 5700 bytes

#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 PM

Posted 28 November 2007 - 03:47 PM

Hello teachersstop

Please note: can you be so kind as to only run HijackThis from this path:
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\hijackthis\HijackThis.exe

----------------

1. Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\vsjpwcww.dll
C:\WINDOWS\system32\umhaxytd.ini
C:\WINDOWS\system32\tmp.reg


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


2. Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


3. Please now use Internet Explorer and run this online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information into your next post along with a new HijackThis log, and can you let me know how this system is running?

Thank you

#11 teachersstop

teachersstop
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 28 November 2007 - 06:22 PM

Here are the logs. I tried running HijackThis from the same location. I don't think I did anything different when I ran HijackThis. Hopefully this is how you needed it. Thanks again.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:50 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\qbpos.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\EftSvr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Rar$EX00.015\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 5903 bytes


KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 28, 2007 3:13:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 467900


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
H:\
I:\

Scan Statistics
Total number of scanned objects 53087
Number of viruses found 10
Number of infected objects 33
Number of suspicious objects 0
Duration of the scan process 00:53:32

Infected Object Name Virus Name Last Action
C:\36A.tmp Infected: Trojan-Downloader.Win32.Small.gvr skipped

C:\52.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\52.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.b skipped

C:\52.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.b skipped

C:\52.tmp NSIS: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Point of Sale 6.0\eftrun.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Point of Sale 6.0\QBPOSRun.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Data\Teachers Stop Upgrad\qbpos.db Object is locked skipped

C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Data\Teachers Stop Upgrad\qbpos.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Data\Teachers Stop Upgrad\SvrMsgs20071128QBPR3RT-99DDF15D27 Teachers Stop Upgrad.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\qbpos.db Object is locked skipped

C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\qbpos.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\SvrMsgs20071128QBPP3RT-99DDF15D27 Al's Sports Hut.log Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\ApplicationHistory\qbpos.exe.fe268165.ini.inuse Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\History\History.IE5\MSHist012007112820071129\index.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner.YOUR-99DDF15D27\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temp\asat0000.tmp Object is locked skipped

C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temp\asat0001.tmp Object is locked skipped

C:\Documents and Settings\QBPOSDBSrvUser\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\QBPOSDBSrvUser\ntuser.dat.LOG Object is locked skipped

C:\qoobox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\jutubeag.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\natctegr.dll.vir Infected: Trojan.Win32.BHO.zo skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\ngqkqxeq.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\oirdndsb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\pnqbnfwc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\xfqocrrn.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped

C:\qoobox\Quarantine\catchme2007-11-28_ 74136.79.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped

C:\qoobox\Quarantine\catchme2007-11-28_ 74136.79.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP2\A0000012.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP2\A0000021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000078.exe Infected: Trojan.Win32.Obfuscated.kp skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000080.dll Infected: Trojan.Win32.BHO.zo skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000081.exe Infected: Trojan.Win32.Obfuscated.kp skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000082.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000087.exe Infected: Trojan.Win32.Obfuscated.kp skipped

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{50CB6D43-0F2A-4B14-8AB3-7E6A39B112E1}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\hggfcyx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped

C:\WINDOWS\system32\ntdjhkbo.exe Infected: Trojan.Win32.Obfuscated.kp skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_mfOe9PrKbdTmvEx Object is locked skipped

C:\WINDOWS\Temp\mcmsc_ALKqhSqtHWc3euw Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ltlbjosj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\system32\vsjpwcww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

H:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\change.log Object is locked skipped

Scan process completed.
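The Kaspersky report above mixes three kinds of lines: real detections, "Object is locked skipped" noise for files the scanner could not open, and detections of copies that are already sitting in a quarantine folder (qoobox, _OTMoveIt\MovedFiles) or in System Restore points. The helper's next instruction only targets the one live file in system32, which is exactly the distinction a triage pass should make. The following Python script is an added example, not part of the thread and not a Kaspersky or BleepingComputer tool; it parses that line format and sorts detections into live, quarantined and locked buckets. The sample report is a constructed excerpt modelled on the log above, and the quarantine folder names are taken from that log.

```python
"""Triage a Kaspersky Online Scanner 5.x text report (added example).

Splits the 'Infected Object Name' lines into three buckets so a helper can see
which detections are live, which are copies in a quarantine or System Restore
folder, and which lines are only 'Object is locked' noise.
"""
import re
from collections import defaultdict

# Folders that hold copies of files already removed from their original
# location; a hit here is not a live infection. Names are from the report
# above: qoobox (ComboFix quarantine), _OTMoveIt\MovedFiles (OTMoveIt) and
# System Volume Information\_restore (System Restore points). Compared lowercase.
QUARANTINE_MARKERS = (
    r"\qoobox\quarantine",
    r"\_otmoveit\movedfiles",
    r"\system volume information\_restore",
)

# One report line: <path> then either "Infected: <name>", "Object is locked",
# or an archive summary such as "NSIS: infected - 3", always ending "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)|(?P<archive>\S+: infected - \d+))"
    r"\s+skipped$"
)

# Constructed sample excerpt, modelled on the report format above.
SAMPLE_REPORT = r"""
C:\36A.tmp Infected: Trojan-Downloader.Win32.Small.gvr skipped
C:\52.tmp NSIS: infected - 3 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jutubeag.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000078.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\ntdjhkbo.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\vsjpwcww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
"""


def parse_line(line):
    """Parse one report line into a dict, or return None for non-report text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    low = path.lower()
    if m.group("locked"):
        status = "locked"
    elif any(marker in low for marker in QUARANTINE_MARKERS):
        status = "quarantined"
    else:
        status = "live"
    detection = m.group("name") or m.group("archive")
    # Kaspersky's "not-a-virus:" prefix marks adware/riskware rather than
    # malware proper; keep that visible so tools like SmitfraudFix's
    # Reboot.exe are not mistaken for an active trojan.
    riskware = bool(detection) and detection.startswith("not-a-virus:")
    return {"path": path, "detection": detection, "status": status, "riskware": riskware}


def triage(report_text):
    """Bucket every parsable line by status: live, quarantined or locked."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[rec["status"]].append(rec)
    return buckets


def live_paths(report_text):
    """Paths a helper would actually act on: detections outside quarantine/restore folders."""
    return [rec["path"] for rec in triage(report_text)["live"]]


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for status in ("live", "quarantined", "locked"):
        print(f"== {status} ({len(buckets[status])}) ==")
        for rec in buckets[status]:
            tag = " [riskware]" if rec["riskware"] else ""
            print(f"  {rec['path']}  <-  {rec['detection']}{tag}")
```

Only the "live" bucket needs a removal step; the quarantined copies disappear when the quarantine folders and old restore points are cleared at the end of the cleanup, and the locked entries are the registry hives, event logs and open database files that every scan skips.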

#12 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 PM

Posted 29 November 2007 - 07:27 AM

Hello teachersstop

Copy and Paste this post into a new text document or print it out for reference.

1. Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ntdjhkbo.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


2. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Paste the contents of Report.txt back on the forum.
Thank you

#13 teachersstop

teachersstop
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 29 November 2007 - 10:30 AM

Hello, here is the SDFix report, and I also ran another HijackThis just in case. Thanks again for your continued efforts:


SDFix: Version 1.116

Run by Owner on Thu 11/29/2007 at 07:16 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\36F.TMP - Deleted
C:\370.TMP - Deleted
C:\371.TMP - Deleted
C:\372.TMP - Deleted
C:\58.TMP - Deleted
C:\59.TMP - Deleted
C:\5A.TMP - Deleted
C:\5B.TMP - Deleted



Folder C:\Program Files\Bifrost - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 07:24:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\n\21]
"DisplayName"="\x5ac8\x347\x5ac8\x347\1"
"DeviceDesc"="\x5ac8\x347\x5ac8\x347\1"
"ProviderName"="\x27d4\21\xee18\x7c90\x2844\21\b"
"MFG"="\x4f8"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xa14\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"d:\i386\apps\app32749\smbus\smbusati.inf"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 20 Nov 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 20 Nov 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:34 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2095030412-518018796-2087257638-1007\..\Run: [Power2GoExpress] NA (User 'QBPOSDBSrvUser')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intuit Entitlement Service v3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: QBPOS Database Manager v6 (QBPOSDBServiceV6) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 6.0\DatabaseServer\QBPOSDBServiceV6.exe

--
End of file - 5892 bytes

#14 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:51 PM

Posted 29 November 2007 - 12:36 PM

Hello teachersstop

Thank you for running the SDFix tool; this has helped to clean up what was showing in the first online scan.

Can you please now navigate to and delete these bold entries (if present):

On your desktop: SmitfraudFix.zip
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\SmitfraudFix.exe
C:\36A.tmp
C:\52.tmp

Then run the Kaspersky WebScanner once more, please post the scan results, and can you also let me know how your system is running now.

Thank you.

#15 teachersstop

teachersstop
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 29 November 2007 - 02:31 PM

Here is the report... the system appears to be running fine; at least there are not any triangles popping up.
Thanks

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 29, 2007 11:27:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 468442
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 53589
Number of viruses found: 7
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 00:51:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Data\Teachers Stop Upgrad\qbpos.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Data\Teachers Stop Upgrad\qbpos.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Data\Teachers Stop Upgrad\SvrMsgs20071129QBPR3RT-99DDF15D27 Teachers Stop Upgrad.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\qbpos.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\qbpos.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\SvrMsgs20071129QBPP3RT-99DDF15D27 Al's Sports Hut.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\History\History.IE5\MSHist012007112920071130\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temp\Perflib_Perfdata_3c4.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temp\asat0000.tmp Object is locked skipped
C:\Documents and Settings\QBPOSDBSrvUser\Local Settings\Temp\asat0001.tmp Object is locked skipped
C:\Documents and Settings\QBPOSDBSrvUser\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\QBPOSDBSrvUser\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jutubeag.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\natctegr.dll.vir Infected: Trojan.Win32.BHO.zo skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ngqkqxeq.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oirdndsb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pnqbnfwc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xfqocrrn.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\catchme2007-11-28_ 74136.79.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
C:\qoobox\Quarantine\catchme2007-11-28_ 74136.79.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP2\A0000012.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP2\A0000021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000078.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000080.dll Infected: Trojan.Win32.BHO.zo skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000081.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000082.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000087.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4052D1AC-C9E7-45A2-90C6-E43F9A4BA936}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hggfcyx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_kcPx1fqWHYF7hrw Object is locked skipped
C:\WINDOWS\Temp\mcmsc_c731futurBHWo2M Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ltlbjosj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ntdjhkbo.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\vsjpwcww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
H:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\change.log Object is locked skipped

Scan process completed.

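A point worth drawing out of the report above: Kaspersky counts 23 "infected objects", but almost all of them sit in places the cleanup tools already moved them to (ComboFix's C:\qoobox\Quarantine, OTMoveIt's C:\_OTMoveIt\MovedFiles, and System Restore's _restore{...} snapshots), plus SmitfraudFix's own Reboot.exe, which is flagged as a RiskTool rather than malware. Only one hit, C:\WINDOWS\system32\hggfcyx.dll.vir, is outside any quarantine folder. The script below is an added example, not part of the original thread or of any of the tools mentioned in it; it parses report lines in the format shown above and splits detections into locked, quarantined, restore-point, riskware and live. The quarantine folder names and the report line formats are assumed from this thread; the embedded sample is a subset of lines copied from the report.

```python
"""Triage a Kaspersky Online Scanner report: which detections are still live?

Added example, not part of the original thread. Assumptions: report lines are
"<path> Object is locked skipped", "<path> Infected: <name> skipped" or
"<path> ZIP: infected - N skipped" as in the report above, and the quarantine
folders are those of the tools used in this thread (ComboFix's qoobox and
OTMoveIt's _OTMoveIt). Anything not in a quarantine folder or restore point,
and not a RiskTool detection, is reported as live and should be acted on.
"""
import re

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>ZIP: infected - \d+)) skipped$"
)

# Folders where the cleanup tools park removed files (assumed from the thread);
# detections here are inert unless someone restores the quarantine.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\_otmoveit\\movedfiles\\")
# System Restore keeps copies of removed malware; they only come back if a restore is run.
RESTORE_MARKER = "\\system volume information\\_restore{"


def classify(path, name):
    """Return the bucket a single 'Infected:' detection belongs in."""
    low = path.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if RESTORE_MARKER in low:
        return "restore_point"
    if name.startswith("not-a-virus:RiskTool."):
        return "riskware"  # e.g. SmitfraudFix's Reboot.exe, a component of the fix tool itself
    return "live"


def triage(report):
    """Parse report text and bucket every line; returns a dict of counts and (path, name) lists."""
    result = {"locked": 0, "quarantined": [], "restore_point": [],
              "riskware": [], "live": [], "unparsed": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)  # keep anything unexpected visible rather than dropping it
            continue
        if m.group("locked"):
            result["locked"] += 1
            continue
        if m.group("archive"):
            continue  # the archive summary line duplicates the member line counted separately
        bucket = classify(m.group("path"), m.group("name"))
        result[bucket].append((m.group("path"), m.group("name")))
    return result


# Subset of lines copied from the report in the post above (raw string: single backslashes).
SAMPLE = r"""
C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks Point of Sale 6.0\Practice\Al's Sports Hut\qbpos.db Object is locked skipped
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jutubeag.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\catchme2007-11-28_ 74136.79.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
C:\qoobox\Quarantine\catchme2007-11-28_ 74136.79.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP3\A0000080.dll Infected: Trojan.Win32.BHO.zo skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\hggfcyx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ntdjhkbo.exe Infected: Trojan.Win32.Obfuscated.kp skipped
"""


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(f"locked (not scanned): {summary['locked']}")
    for bucket in ("quarantined", "restore_point", "riskware", "live", "unparsed"):
        print(f"{bucket}: {len(summary[bucket])}")
        for entry in summary[bucket]:
            print("   ", entry if isinstance(entry, str) else f"{entry[0]}  [{entry[1]}]")
```

Run it as-is and the only entry in the live bucket is the system32 hggfcyx.dll.vir file, which is exactly the one a helper would want to look at next; the "Object is locked" lines are registry hives, event logs and database files the scanner could not open, not detections. The script is written to fail loudly on unexpected line formats (they land in "unparsed") rather than silently ignoring them, since a missed detection line is the costly error here.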