
Loss Of Icons And Taskbar When Using Internet

14 replies to this topic

#1 themass


Posted 14 January 2008 - 07:43 PM

Hi,

I've been having problems using the internet with Firefox. More often than not, the icons and taskbar disappear and I have to restart (which seems to be taking longer and longer every day). I've been using Ad-Aware, Spybot, and HouseCall every few days, and they are consistently finding new problems. In the past I've had a lot of problems with Home Search Assistant, and IE opening up while using Firefox, but lately it's just been the icons and taskbar vanishing. Any suggestions? Thanks very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:04 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant .exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Apoint2K\Apoint .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsqn.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [7941cc0b] rundll32.exe "C:\WINDOWS\system32\rbepmohh.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6639] command /c del "C:\WINDOWS\system32\vtsqn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC335] cmd /c del "C:\WINDOWS\system32\vtsqn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3735] command /c del "C:\WINDOWS\system32\mljji.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3963] cmd /c del "C:\WINDOWS\system32\mljji.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://ww1.acehardware-acenet.com
O15 - Trusted Zone: *.acehardware-aceonline.com
O15 - Trusted Zone: *.acehardware-eaglevision.com
O15 - Trusted Zone: *.acehardware-vendors.com
O15 - Trusted Zone: *.aceservices.com
O15 - Trusted Zone: *.acehardware-acenet.com (HKLM)
O15 - Trusted Zone: *.acehardware-aceonline.com (HKLM)
O15 - Trusted Zone: *.acehardware-eaglevision.com (HKLM)
O15 - Trusted Zone: *.acehardware-vendors.com (HKLM)
O15 - Trusted Zone: *.aceservices.com (HKLM)
O16 - DPF: AceIESecuritySettings - http://ww1.acehardware-acenet.com/Controls...itySettings.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} (AceExplorer Control) - http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} (ACENET Control) - http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB
O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} (MCSiMenuCtl Class) - http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7911 bytes


#2 bamajim


Posted 22 January 2008 - 02:38 PM

themass

Sorry for the delay.

Please download ComboFix and save it to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 themass


Posted 22 January 2008 - 07:43 PM

ComboFix 08-01-23.1 - Anny 2008-01-22 19:24:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -5:00]
Running from: C:\Documents and Settings\Anny\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr .exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder .exe
C:\Program Files\HPQ\Default Settings\cpqset .exe
C:\Program Files\HPQ\Default Settings\cpqset.exe
C:\Program Files\InterVideo\WinDVR3\WinRemote .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SVRemote\USB20Remote .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\awtsr.exe
C:\WINDOWS\system32\caaecjpm.dll
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\nxtmwprk.dll
C:\WINDOWS\system32\ohkxeemj.dll
C:\WINDOWS\system32\piwcyffx.ini
C:\WINDOWS\system32\RCX44.tmp
C:\WINDOWS\system32\rqrrqoo.dll
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\viheqxvy.dll
C:\WINDOWS\system32\vtsqn.exe
C:\WINDOWS\system32\xffycwip.dll
C:\WINDOWS\system32\yaaqbhqy.dll
C:\WINDOWS\system32\yiocewba.dll
C:\WINDOWS\system32\yqhbqaay.ini
C:\WINDOWS\system32\yrlotsqb.dll

<pre>
C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe ---> QooBox
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe ---> QooBox
C:\Program Files\Analog Devices\SoundMAX\Smax4		  .exe ---> QooBox
C:\Program Files\Analog Devices\SoundMAX\Smax4		 .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4		.exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4	   .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4	  .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4	 .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4	.exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4  .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe ---> Smax4.exe
C:\Program Files\Apoint2K\Apoint .exe ---> QooBox
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr .exe ---> QooBox
C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe ---> QooBox
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder .exe ---> QooBox
C:\Program Files\HPQ\Default Settings\cpqset .exe ---> QooBox
C:\Program Files\InterVideo\WinDVR3\WinRemote .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe ---> QooBox
C:\Program Files\QuickTime\qttask		 .exe ---> QooBox
C:\Program Files\QuickTime\qttask		.exe ---> qttask.exe
C:\Program Files\QuickTime\qttask	   .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask	  .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask	 .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask	.exe ---> qttask.exe
C:\Program Files\QuickTime\qttask   .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask  .exe ---> qttask.exe
C:\Program Files\QuickTime\qttask .exe ---> qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\SVRemote\USB20Remote .exe ---> QooBox
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe ---> QooBox
C:\WINDOWS\system32\hkcmd .exe ---> QooBox
C:\WINDOWS\system32\NeroCheck .exe ---> QooBox
</pre>
.
----- BITS: Possible infected sites -----

hxxp://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 19:20 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 22:06 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-21 22:06 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-21 22:06 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-21 22:06 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-21 22:06 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-21 22:06 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-21 22:06 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-21 22:05 . 2008-01-21 22:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-15 18:49 . 2008-01-21 19:47 <DIR> d-------- C:\Program Files\Orb Networks
2008-01-14 20:33 . 2008-01-14 20:33 1,058,555 --ahs---- C:\WINDOWS\system32\lqmcylxj.ini
2008-01-13 00:03 . 2008-01-13 00:03 294 --ahs---- C:\WINDOWS\system32\xrsdjapm.ini
2008-01-10 22:59 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-10 22:43 . 2008-01-21 21:28 697 --a------ C:\WINDOWS\wininit.ini
2008-01-10 21:13 . 2008-01-22 19:36 1,415,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 21:13 . 2008-01-22 19:36 12,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 21:09 . 2008-01-10 21:11 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-01-10 21:08 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-10 21:08 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-10 21:07 . 2008-01-10 21:09 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-10 21:07 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-10 21:07 . 2008-01-22 19:38 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-10 21:06 . 2008-01-22 19:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-10 18:54 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-09 08:43 . 2008-01-14 08:18 1,058,495 --ahs---- C:\WINDOWS\system32\hhompebr.ini
2008-01-09 08:41 . 2008-01-09 08:41 1,045,509 --ahs---- C:\WINDOWS\system32\kxjnilpw.ini
2008-01-09 08:17 . 2008-01-09 08:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 22:12 . 2008-01-12 11:06 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-23 00:31 --------- d-----w C:\Program Files\SVRemote
2008-01-23 00:31 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:31 --------- d-----w C:\Program Files\Apoint2K
2008-01-11 03:59 --------- d-----w C:\Program Files\Java
2008-01-11 02:13 --------- d-----w C:\Program Files\Symantec
2008-01-11 02:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2006-06-07 01:21 604 ---ha-w C:\Program Files\STLL Notifier
.
<pre>
----a-w		 1,388,544 2008-01-08 04:18:26  C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
----a-w			58,488 2008-01-10 23:46:25  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			49,152 2008-01-22 03:51:55  C:\Program Files\Hp\HP Software Update\HPWuSchd2 .exe
----a-w		   794,624 2008-01-22 03:51:57  C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
----a-w		   290,816 2008-01-22 03:51:58  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w		   132,496 2008-01-22 03:51:58  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   155,648 2008-01-12 16:06:59  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14F4F69A-16BF-4310-B1A4-B492C8F8E05C}]
C:\WINDOWS\system32\mljji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 06:20 88363 C:\WINDOWS\AGRSMMSG.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [ ]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"7941cc0b"="C:\WINDOWS\system32\rbepmohh.dll" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-06-04 12:58:29 1757]
HP Digital Imaging Monitor.lnk.disabled [2006-04-03 17:47:05 1808]
InterVideo WinCinema Manager.lnk.disabled [2006-10-26 17:10:00 1783]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
"SVRemote"=c:\Program Files\SVRemote\USB20Remote.exe
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

S3 TridDev;Trident Device;C:\WINDOWS\system32\DRIVERS\Triddev.sys [2005-04-26 14:01]
S3 TridVid;USB TV Tuner Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys [2006-02-13 20:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f56b53e-e2f7-11db-b2a0-0014a52cbab0}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 00:41:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 19:38:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 19:42:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 00:42:09
.
2008-01-09 13:21:08 --- E O F ---

#4 bamajim


Posted 23 January 2008 - 08:23 AM

themass

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "code"):
File::
C:\WINDOWS\system32\lqmcylxj.ini
C:\WINDOWS\system32\xrsdjapm.ini
C:\WINDOWS\system32\hhompebr.ini
C:\WINDOWS\system32\kxjnilpw.ini
C:\WINDOWS\system32\mljji.dll

RENV::
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\igfxtray .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14F4F69A-16BF-4310-B1A4-B492C8F8E05C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7941cc0b"=-
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop.

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
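The logs in this thread show the pattern the CFScript's RENV:: section undoes: a lookalike such as `HPWuSchd2 .exe` (whitespace before the extension) sitting beside the real `HPWuSchd2.exe`, plus a win.ini `load=` entry and a Run value with a hex-looking name (`7941cc0b`) that launches a random-named DLL through rundll32. The following triage script is an added example, not part of this thread or of HijackThis/ComboFix: it parses a few constructed lines in the format of the posted logs and flags those three indicators, generalizing the space check to any whitespace and to several executable extensions; the rule names and `SAMPLE_LOG` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis / ComboFix output quoted
# in this thread (paths copied from the posted logs, with one clean line per
# trick so that a false flag would show up).
SAMPLE_LOG = r"""
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\WINDOWS\system32\hkcmd .exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsqn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [7941cc0b] rundll32.exe "C:\WINDOWS\system32\rbepmohh.dll",b
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"""

# Any drive-letter path ending in an executable extension; quotes and the
# ",ordinal" suffix of a rundll32 command are not part of the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:exe|dll|scr|cpl|sys)\b', re.IGNORECASE)
# "name .exe": whitespace between the file name and its extension.
PADDED_RE = re.compile(r'^(?P<stem>.*?\S)(?P<pad>[ \t]+)\.(?P<ext>exe|dll|scr|cpl|sys)$',
                       re.IGNORECASE)
# win.ini load=/run= is a legacy autostart hook that current software does not use.
F3_RE = re.compile(r'^F3 - REG:win\.ini: (?P<key>load|run)=(?P<val>.+)$', re.IGNORECASE)
# O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Value names like 7941cc0b: eight hex digits, not a name a vendor would pick.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


def padded_extension(path):
    """Return (canonical path, padding) when the file name carries whitespace
    before its extension, e.g. 'hkcmd .exe' -> ('hkcmd.exe', ' '); else None."""
    m = PADDED_RE.match(path)
    if not m:
        return None
    return (f"{m.group('stem')}.{m.group('ext')}", m.group('pad'))


def triage(log_text):
    """Scan HijackThis/ComboFix-style lines and return (findings, twins).

    findings: list of dicts with the rule hit, the path and the offending line.
    twins: canonical paths seen both clean and padded, i.e. a lookalike sitting
    next to the legitimate binary (the case the RENV:: step in this thread fixes).
    """
    findings = []
    seen = defaultdict(set)  # lower-cased canonical path -> {'clean', 'padded'}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for path in PATH_RE.findall(line):
            padded = padded_extension(path)
            if padded:
                canonical, _pad = padded
                seen[canonical.lower()].add('padded')
                findings.append({'rule': 'padded-extension', 'path': path, 'line': line})
            else:
                seen[path.lower()].add('clean')
        m = F3_RE.match(line)
        if m:
            findings.append({'rule': 'win.ini-' + m.group('key').lower(),
                             'path': m.group('val').strip(), 'line': line})
        m = O4_RE.match(line)
        if m and HEX_NAME_RE.match(m.group('name')) and 'rundll32' in m.group('cmd').lower():
            dll = PATH_RE.search(m.group('cmd'))
            findings.append({'rule': 'rundll32-hex-name',
                             'path': dll.group(0) if dll else m.group('cmd'), 'line': line})
    twins = sorted(p for p, kinds in seen.items() if kinds == {'clean', 'padded'})
    return findings, twins


def report(log_text):
    """One line per finding, then the lookalike/original pairs."""
    findings, twins = triage(log_text)
    out = [f"[{f['rule']}] {f['path']}" for f in findings]
    out += [f"[lookalike-beside-original] {p}" for p in twins]
    return "\n".join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

The hex-name and win.ini rules are heuristics for triage, not proof of infection; a hit is a reason to check the file's publisher and signature, as the helper did here before writing the script.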

#5 themass


Posted 23 January 2008 - 09:39 AM

ComboFix 08-01-23.1 - Anny 2008-01-23 9:33:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT -5:00]
Running from: C:\Documents and Settings\Anny\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anny\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\hhompebr.ini
C:\WINDOWS\system32\kxjnilpw.ini
C:\WINDOWS\system32\lqmcylxj.ini
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\xrsdjapm.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hhompebr.ini
C:\WINDOWS\system32\kxjnilpw.ini
C:\WINDOWS\system32\lqmcylxj.ini
C:\WINDOWS\system32\xrsdjapm.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 19:20 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 22:06 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-21 22:06 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-21 22:06 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-21 22:06 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-21 22:06 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-21 22:06 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-21 22:06 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-21 22:05 . 2008-01-21 22:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-15 18:49 . 2008-01-21 19:47 <DIR> d-------- C:\Program Files\Orb Networks
2008-01-10 22:59 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-10 22:43 . 2008-01-21 21:28 697 --a------ C:\WINDOWS\wininit.ini
2008-01-10 21:13 . 2008-01-22 19:36 1,415,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-10 21:13 . 2008-01-22 19:36 12,092 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-10 21:09 . 2008-01-10 21:11 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-01-10 21:08 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-10 21:08 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-10 21:07 . 2008-01-10 21:09 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-10 21:07 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-10 21:07 . 2008-01-22 19:38 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-10 21:06 . 2008-01-23 09:34 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-10 18:54 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-09 08:17 . 2008-01-09 08:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 22:12 . 2008-01-12 11:06 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 14:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-23 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-23 00:31 --------- d-----w C:\Program Files\SVRemote
2008-01-23 00:31 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:31 --------- d-----w C:\Program Files\Apoint2K
2008-01-21 13:00 119,808 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-01-13 20:53 1,324,544 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-13 13:49 77,312 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-12 16:06 489,984 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2008-01-11 03:59 --------- d-----w C:\Program Files\Java
2008-01-11 02:13 --------- d-----w C:\Program Files\Symantec
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2006-06-07 01:21 604 ---ha-w C:\Program Files\STLL Notifier
.

((((((((((((((((((((((((((((( snapshot@2008-01-22_19.41.41.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 00:21:11 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 14:32:54 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 00:21:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 14:32:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 00:21:11 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 14:32:54 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 00:21:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 14:32:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 00:21:11 5,419,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 14:32:55 5,419,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 00:21:12 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 14:32:55 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 06:20 88363 C:\WINDOWS\AGRSMMSG.exe]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [ ]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-12 11:06 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-06-04 12:58:29 1757]
HP Digital Imaging Monitor.lnk.disabled [2006-04-03 17:47:05 1808]
InterVideo WinCinema Manager.lnk.disabled [2006-10-26 17:10:00 1783]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
"SVRemote"=c:\Program Files\SVRemote\USB20Remote.exe
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

S3 TridDev;Trident Device;C:\WINDOWS\system32\DRIVERS\Triddev.sys [2005-04-26 14:01]
S3 TridVid;USB TV Tuner Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys [2006-02-13 20:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f56b53e-e2f7-11db-b2a0-0014a52cbab0}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 14:36:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 09:38:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 9:39:37
ComboFix-quarantined-files.txt 2008-01-23 14:39:27
ComboFix2.txt 2008-01-23 00:42:14
.
2008-01-09 13:21:08 --- E O F ---

#6 bamajim

  • Members
  • 894 posts

Posted 23 January 2008 - 10:11 AM

themass

Nice work

Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner".
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" -> "Scan Settings", and make sure the database is set to "extended". Check both the scan options, then click OK.
5. Then click on "My Computer", and the scan will start.
6. When the scan is complete, select "Save error report as".
Then in the file name just type in kaspersky.
Under "save as type" select text (.txt).
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan.
Microsoft MVP - Windows Security

#7 themass

  • Topic Starter
  • Members
  • 10 posts

Posted 23 January 2008 - 02:23 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 23, 2008 2:23:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/01/2008
Kaspersky Anti-Virus database records: 528083
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 58424
Number of viruses found: 7
Number of infected objects: 79
Number of suspicious objects: 2
Duration of the scan process: 01:28:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cert8.db Object is locked skipped
C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\history.dat Object is locked skipped
C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\key3.db Object is locked skipped
C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\parent.lock Object is locked skipped
C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-36837acc/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-36837acc/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-36837acc/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\6.0\32\7836d960-36837acc ZIP: infected - 3 skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-6a6e1c96.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-6a6e1c96.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-6a6e1c96.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-6a6e1c96.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Anny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Anny\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX12.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX15.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX18.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX1B.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX1E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX3.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX6.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCX9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCXC.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Kenny\Local Settings\Temp\RCXF.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\InterVideo\WinDVR3\WinRemote.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\SVRemote\USB20Remote.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\hp\drivers\hplsbwatcher\lsburnwatcher.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Apoint2K\Apoint.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Google\Google Desktop Search\GoogleDesktop.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\HPQ\Default Settings\cpqset.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Spybot - Search & Destroy\TeaTimer.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtsr.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\caaecjpm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hkcmd.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nxtmwprk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX44.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtsqn.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xffycwip.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\catchme2008-01-22_193838.79.zip/rqrrqoo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\QooBox\Quarantine\catchme2008-01-22_193838.79.zip/zlclient.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-22_193838.79.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000006.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000006.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000006.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000007.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000008.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000010.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnl skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000013.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000038.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000041.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000048.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000056.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000057.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000058.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000059.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000060.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000061.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000062.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000063.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000064.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000065.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000066.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000067.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000068.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000069.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000070.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000071.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000072.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-4105E587B6.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\NeroCheck.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6a8.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT04b9b.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT04b9e.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP3\change.log Object is locked skipped

Scan process completed.

#8 bamajim

  • Members
  • 894 posts

Posted 24 January 2008 - 09:09 AM

themass

A little clean up

1. Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

2. Using Windows Explorer (right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents):
Locate and empty everything in this folder, but not the folder itself: C:\Documents and Settings\Anny\Application Data\Sun\Java\Deployment\cache
Do the same for this folder: C:\QooBox\Quarantine
Close Windows Explorer.

3. Go HERE and download RenV.exe by sUBs. Save it to your Desktop.
Double click it to run it.
When it has finished, it will produce a log for you.
Copy and paste that log (Log.txt) as a reply to this thread.

Microsoft MVP - Windows Security

#9 themass

  • Topic Starter
  • Members
  • 10 posts

Posted 24 January 2008 - 07:40 PM

Here's the RenV log. I'm assuming all those zeros are good! Thanks, bamajim.

Ran on Thu 01/24/2008 - 19:37:56.34

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0


#10 bamajim

  • Members
  • 894 posts

Posted 25 January 2008 - 10:00 AM

themass

Yes, those zeros are good news. But I'm concerned with these entries:
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\InterVideo\WinDVR3\WinRemote.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\SVRemote\USB20Remote.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
They are legit file names, yet the Kaspersky log shows them to be infected. There is a fairly new infection that has been hiding under the guise of legit file names, and one of the signs of this is the legit name with a space in it. These files do not show that. They may in fact be infected and have to be removed, in which case the applications they are connected to will have to be reinstalled.
That is why I had you run the last tool, and I would like to run another and compare the results before we remove them.

Please perform an Ewido Online Malware Scan
  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found (after you save the logfile), click on Remove Infections.

Microsoft MVP - Windows Security
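The "legit name with a space in it" sign bamajim describes can be checked mechanically against the logs already in this thread: the ComboFix run- section posted earlier lists "Smax4 .exe" and "qttask .exe", while the Kaspersky report flags the unspaced "Smax4.exe" and "qttask.exe". The script below is an added example, not a tool from the thread or from bamajim. It assumes only the two line formats visible in the posted logs (ComboFix `"Name"="path" args` autorun entries and Kaspersky `path Infected: detection skipped` lines; the embedded samples are constructed subsets of those logs), flags executables with whitespace directly before the extension, and looks each autorun target up against Kaspersky's verdicts both as written and with the space removed.

```python
r"""Triage autorun entries using the two signs discussed in this thread.

Added example, not a tool from the thread. It assumes the line formats
exactly as they appear in the posted logs:
  ComboFix autorun:  "Name"="C:\dir\file.exe" args   or   "Name"=C:\dir\file.exe
  Kaspersky result:  C:\dir\file.exe Infected: <detection> skipped
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the ComboFix "run-" entries posted earlier in the thread.
AUTORUN_LINES = r'''
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" -atboottime
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
'''

# Constructed subset of the Kaspersky report posted above.
KASPERSKY_LINES = r'''
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\NeroCheck.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
'''

EXT = r"\.(?:exe|dll|com|scr|bat|cmd)"
_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.+)$')
_QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"\s*(?P<args>.*)$')
_UNQUOTED_RE = re.compile(r"^(?P<path>.+?" + EXT + r")(?:\s+(?P<args>.*))?$", re.I)
# Whitespace sitting directly in front of the extension, e.g. "Smax4 .exe".
_SPACED_EXT_RE = re.compile(r"\s+" + EXT + r"$", re.I)
_KASPERSKY_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<det>\S+) \S+$")

def parse_autorun(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one autorun line into (entry name, executable path, arguments)."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    name, rest = m.group("name"), m.group("rest").strip()
    q = _QUOTED_RE.match(rest) if rest.startswith('"') else _UNQUOTED_RE.match(rest)
    if not q:
        return None
    return name, q.group("path"), (q.group("args") or "").strip()

def has_spaced_extension(path: str) -> bool:
    """True when the file name carries whitespace right before its extension."""
    basename = path.rsplit("\\", 1)[-1]
    return _SPACED_EXT_RE.search(basename) is not None

def despace_extension(path: str) -> str:
    """Drop the whitespace before the extension: 'Smax4 .exe' -> 'Smax4.exe'."""
    return re.sub(r"\s+(" + EXT + r")$", r"\1", path, flags=re.I)

def parse_kaspersky(text: str) -> Dict[str, str]:
    """Map every path reported as Infected (lower-cased) to its detection name."""
    flagged: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KASPERSKY_RE.match(line.strip())
        if m:
            flagged[m.group("path").lower()] = m.group("det")
    return flagged

def triage(autorun_text: str, kaspersky_text: str) -> List[dict]:
    """Combine both signals for each autorun entry."""
    flagged = parse_kaspersky(kaspersky_text)
    findings: List[dict] = []
    for line in autorun_text.splitlines():
        parsed = parse_autorun(line)
        if parsed is None:
            continue
        name, path, args = parsed
        # Look the target up as written and with the extra space removed, so an
        # entry pointing at "Smax4 .exe" still meets a verdict on "Smax4.exe".
        matched = next((c for c in (path, despace_extension(path)) if c.lower() in flagged), None)
        findings.append({
            "entry": name,
            "path": path,
            "args": args,
            "spaced_name": has_spaced_extension(path),
            "detection": flagged[matched.lower()] if matched else None,
            "matched_path": matched,
        })
    return findings

def triage_by_entry(autorun_text: str, kaspersky_text: str) -> Dict[str, dict]:
    """Same findings keyed by autorun entry name."""
    return {f["entry"]: f for f in triage(autorun_text, kaspersky_text)}

if __name__ == "__main__":
    for f in triage(AUTORUN_LINES, KASPERSKY_LINES):
        print(f["entry"], f["spaced_name"], f["detection"], f["matched_path"])
```

On the thread's own lines this reports SoundMAX and QuickTime Task with both signs (spaced name in the autorun entry, Kaspersky verdict on the unspaced twin) and iTunesHelper and NeroCheck with a verdict only, which is the comparison bamajim says he wants to make before removing anything.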

#11 themass

  • Topic Starter
  • Members
  • 10 posts

Posted 25 January 2008 - 11:18 PM

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Anny\Cookies\anny@ssl-hints.netflame[2].txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.6:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.7:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.8:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.9:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.10:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Imrworldwide
Path: :mozilla.14:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Ru4
Path: :mozilla.17:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.247realmedia
Path: :mozilla.18:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.21:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.23:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.24:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.25:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.26:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.27:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.28:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Esomniture
Path: :mozilla.29:C:\Documents and Settings\Anny\Application Data\Mozilla\Firefox\Profiles\260ag71c.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.15:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.16:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.18:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.19:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.20:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: :mozilla.21:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.22:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.23:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.24:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.25:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.26:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.27:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.28:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.29:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Statcounter
Path: :mozilla.30:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: :mozilla.58:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Euroclick
Path: :mozilla.68:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Euroclick
Path: :mozilla.69:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Euroclick
Path: :mozilla.70:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Euroclick
Path: :mozilla.71:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Euroclick
Path: :mozilla.72:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: :mozilla.73:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: :mozilla.74:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.81:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.83:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.84:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.85:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.86:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.87:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.88:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.89:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: :mozilla.90:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.107:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.108:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.109:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.110:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.111:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.112:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.113:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.114:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.115:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.116:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Liveperson
Path: :mozilla.118:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Liveperson
Path: :mozilla.119:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Liveperson
Path: :mozilla.120:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: :mozilla.156:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Coremetrics
Path: :mozilla.161:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Ru4
Path: :mozilla.170:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: Dropper.Agent.dgo
Path: C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\iTunes\iTunesHelper.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\QuickTime\qttask.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\SVRemote\USB20Remote.exe
Risk: High

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc4.zip/rqrrqoo.dll
Risk: Low

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc4.zip/zlclient.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\hp\drivers\hplsbwatcher\lsburnwatcher.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\Program Files\Apoint2K\Apoint.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\Program Files\Google\Google Desktop Search\GoogleDesktop.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\Program Files\HPQ\Default Settings\cpqset.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\Program Files\Spybot - Search & Destroy\TeaTimer.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\WINDOWS\system32\awtsr.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\WINDOWS\system32\hkcmd.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\WINDOWS\system32\RCX44.tmp.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\WINDOWS\system32\vtsqn.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000007.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000008.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000038.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000039.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000040.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000041.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000042.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000043.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000044.exe
Risk: High

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000048.dll
Risk: Low

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000056.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000057.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000058.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000059.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000060.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000061.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000062.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000063.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000064.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000065.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000066.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000067.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000068.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000069.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000070.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000071.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000072.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\WINDOWS\system32\NeroCheck.exe
Risk: High
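
Before deciding what to delete from a scan log like the one above, it helps to see where each hit actually lives. The following Python script is an added example, not part of the thread and not AVG's own code: it parses the Name/Path/Risk records, buckets each path (cookie entry, Recycle Bin, System Restore snapshot, renamed .vir copy, or live file) and counts how many distinct directories each signature hits among live files, because one signature firing on many unrelated vendor executables is a pattern worth confirming with a second scanner before anything is removed. The function names and the "three directories" threshold are my own choices; the sample input is a short excerpt of the posted records.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in the Name/Path/Risk layout of the scan output posted
# above: a handful of its records copied as-is, not the full list.
SAMPLE_SCAN = r"""Name: TrackingCookie.Pointroll
Path: :mozilla.81:C:\Documents and Settings\Kenny\Application Data\Mozilla\Firefox\Profiles\py37feg9.default\cookies.txt
Risk: Medium

Name: Dropper.Agent.dgo
Path: C:\Program Files\iTunes\iTunesHelper.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Risk: High

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc4.zip/rqrrqoo.dll
Risk: Low

Name: Dropper.Agent.dgo
Path: C:\RECYCLER\S-1-5-21-2116092089-2538489743-2432603308-1006\Dc6\WINDOWS\system32\awtsr.exe.vir
Risk: High

Name: Dropper.Agent.dgo
Path: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0000007.exe
Risk: High

Name: Dropper.Agent.dgo
Path: C:\WINDOWS\system32\NeroCheck.exe
Risk: High
"""

RECORD_RE = re.compile(r"^Name: (?P<name>.+)\nPath: (?P<path>.+)\nRisk: (?P<risk>\w+)$",
                       re.MULTILINE)


def parse_records(text):
    """Return one dict per Name/Path/Risk record, in log order."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def classify(path):
    """Bucket a path by what removing it would actually touch. Order matters:
    a .vir copy inside RECYCLER is reported as recycle-bin, not quarantine."""
    if path.startswith(":mozilla."):
        return "cookie"          # entry inside Firefox's cookies.txt, not a file
    upper = path.upper()
    if upper.startswith("C:\\RECYCLER\\"):
        return "recycle-bin"     # already deleted by the user, not yet emptied
    if upper.startswith("C:\\SYSTEM VOLUME INFORMATION\\_RESTORE"):
        return "restore-point"   # System Restore snapshot; a new clean point clears it
    if upper.endswith(".VIR"):
        return "quarantine"      # renamed copy that cannot run as-is
    return "live"                # file still in place and executable


def triage(text):
    """Hits per signature, where they live, the live high-risk files that need a
    decision, and how many distinct directories each signature hits among live files."""
    records = parse_records(text)
    per_signature = Counter(r["name"] for r in records)
    per_location = defaultdict(Counter)
    live_dirs = defaultdict(set)
    live_high = []
    for r in records:
        bucket = classify(r["path"])
        per_location[r["name"]][bucket] += 1
        if bucket == "live":
            live_dirs[r["name"]].add(str(PureWindowsPath(r["path"]).parent).lower())
            if r["risk"] == "High":
                live_high.append(r["path"])
    return {
        "total": len(records),
        "per_signature": dict(per_signature),
        "per_location": {n: dict(c) for n, c in per_location.items()},
        "live_dirs": {n: len(d) for n, d in live_dirs.items()},
        "live_high": live_high,
    }


def report(text):
    """Human-readable version of triage(), one line per signature."""
    t = triage(text)
    lines = [f"{t['total']} detections"]
    for name, count in sorted(t["per_signature"].items(), key=lambda kv: -kv[1]):
        where = ", ".join(f"{k}={v}" for k, v in sorted(t["per_location"][name].items()))
        dirs = t["live_dirs"].get(name, 0)
        # Heuristic (my threshold): one signature spread over 3+ unrelated live
        # directories deserves a second opinion before deletion.
        flag = "  <- verify with a second scanner before deleting" if dirs >= 3 else ""
        lines.append(f"{name}: {count} ({where}); live directories: {dirs}{flag}")
    lines.append("live high-risk files: " + (", ".join(t["live_high"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```

Run it against a full scan export to get the same breakdown for the whole log; entries under RECYCLER and the _restore folders are already out of the execution path, so the "live" list is the part that needs attention.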

#12 bamajim

  • Members
  • 894 posts

Posted 27 January 2008 - 07:47 PM

themass

Looks like AVG picked them up as well as being infected.

You did select "Remove infections" at the end of the scan?

Post one more fresh HijackThis log for me to look at. And in your reply give me an update on how your PC is running now.
Microsoft MVP - Windows Security

#13 themass
  • Topic Starter

  • Members
  • 10 posts

Posted 28 January 2008 - 08:10 AM

bamajim,
Yes, I did remove infections at the end of the AVG scan. My computer is running much better now. The only thing I've noticed is that Internet Explorer at times does not display a window even though it says it is running under Processes. Restarting fixes it, and I use Firefox most of the time, so I'm not sure when it's been happening. Overall my computer is running pretty smoothly. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:51 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://ww1.acehardware-acenet.com
O15 - Trusted Zone: *.acehardware-aceonline.com
O15 - Trusted Zone: *.acehardware-eaglevision.com
O15 - Trusted Zone: *.acehardware-vendors.com
O15 - Trusted Zone: *.aceservices.com
O15 - Trusted Zone: *.acehardware-acenet.com (HKLM)
O15 - Trusted Zone: *.acehardware-aceonline.com (HKLM)
O15 - Trusted Zone: *.acehardware-eaglevision.com (HKLM)
O15 - Trusted Zone: *.acehardware-vendors.com (HKLM)
O15 - Trusted Zone: *.aceservices.com (HKLM)
O16 - DPF: AceIESecuritySettings - http://ww1.acehardware-acenet.com/Controls...itySettings.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} (AceExplorer Control) - http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} (ACENET Control) - http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB
O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} (MCSiMenuCtl Class) - http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7596 bytes

#14 bamajim

  • Members
  • 894 posts

Posted 28 January 2008 - 10:51 AM

themass

It could be related to the 'trusted zones' you have listed.

Now that your log is clean, you may remove/delete/uninstall the tools we used to clean your PC.

There are some final notes:

Disable and Enable System Restore
Let's create a clean System Restore point; the instructions are here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Make your Internet Explorer more secure
This can be done by following these simple instructions:
Open Internet Explorer, click Tools > Options.
Click the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click Custom Level.
Change "Download signed ActiveX controls" to Prompt.
Change "Download unsigned ActiveX controls" to Disable.
Change "Initialise and script ActiveX controls not marked as safe" to Disable.
Change "Installation of desktop items" to Prompt.
Change "Launching programs and files in an IFRAME" to Prompt.
Change "Navigate sub-frames across different domains" to Prompt.
When all these settings have been made, click OK.
If it prompts you to save the settings, press Yes.
Next press Apply and then OK to exit the Internet Properties page.

Update your anti-virus software.

Use and maintain a firewall.

Download and install SiteHound by Firetrust for protection against malicious websites.
Pick the version that matches your browser.

Visit Microsoft's Windows Update site frequently for critical updates.

Back up your important documents and files on a regular basis, to a disc or a USB key, not your hard drive.

You may want to read this article: "So how did I get infected in the first place" by Tony Klein.

Surf safe.
Microsoft MVP - Windows Security
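
As an added example (not part of the thread and not HijackThis's own code), here is a Python script that pulls the O15 Trusted Zone and O16 DPF lines out of a HijackThis log like the one posted above and reports which downloaded ActiveX controls are served from a trusted-zone host. Internet Explorer picks the security zone by URL host, so a CAB fetched from a domain in the Trusted sites zone is installed under that zone's laxer rules rather than the Internet zone settings just tightened; that is why the O15 list is worth a look when IE misbehaves. The "(HKLM)" suffix marks entries in the machine hive, which apply to every account on the PC; the rest come from the current user's hive. The sample input is a subset of the posted log (the "..." URLs are as the forum rendered them); the helper names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines excerpted from the HijackThis log posted above (a subset, copied as-is).
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://ww1.acehardware-acenet.com
O15 - Trusted Zone: *.acehardware-aceonline.com
O15 - Trusted Zone: *.aceservices.com
O15 - Trusted Zone: *.acehardware-acenet.com (HKLM)
O15 - Trusted Zone: *.acehardware-aceonline.com (HKLM)
O15 - Trusted Zone: *.aceservices.com (HKLM)
O16 - DPF: AceIESecuritySettings - http://ww1.acehardware-acenet.com/Controls...itySettings.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"""

# O15: pattern, optionally followed by " (HKLM)" when it comes from the machine hive.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>HKLM)\))?$")
# O16: "<name or {CLSID} (description)> - <download URL>"
O16_RE = re.compile(r"^O16 - DPF: (?P<ident>.+?) - (?P<url>\S+)$")


def zone_domain(pattern):
    """Normalise an O15 pattern ('*.example.com' or 'http://host') to a bare host."""
    host = urlsplit(pattern).hostname if "://" in pattern else pattern
    host = host.lower()
    return host[2:] if host.startswith("*.") else host


def is_trusted(host, trusted):
    """True if host equals, or is a subdomain of, any trusted-zone domain."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit(text):
    """Collect O15 trusted-zone domains (with the hive each came from) and O16
    DPF downloads, then mark each download that is served from a trusted host."""
    trusted = defaultdict(set)
    downloads = []
    for line in text.splitlines():
        m = O15_RE.match(line)
        if m:
            trusted[zone_domain(m["pattern"])].add(m["hive"] or "HKCU")
            continue
        m = O16_RE.match(line)
        if m:
            downloads.append({"ident": m["ident"], "url": m["url"],
                              "host": (urlsplit(m["url"]).hostname or "").lower()})
    for d in downloads:            # second pass, so line order does not matter
        d["trusted"] = is_trusted(d["host"], trusted)
    return {"trusted": {dom: sorted(h) for dom, h in trusted.items()}, "dpf": downloads}


def report(text):
    """One line per trusted domain and per downloaded control."""
    a = audit(text)
    lines = ["Trusted-zone entries (HKLM ones apply to every account on the machine):"]
    for domain, hives in sorted(a["trusted"].items()):
        lines.append(f"  {domain}: {'/'.join(hives)}")
    lines.append("ActiveX controls downloaded via DPF:")
    for d in a["dpf"]:
        tag = "TRUSTED ZONE" if d["trusted"] else "internet zone"
        lines.append(f"  [{tag}] {d['host']}  {d['ident']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HJT))
```

Feed it the whole log to see every trusted domain alongside the controls it has been allowed to install; anything in the Trusted list that the user does not recognise, and any DPF control that is no longer needed, is a candidate for removal.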

#15 themass
  • Topic Starter

  • Members
  • 10 posts

Posted 29 January 2008 - 08:25 AM

Followed all your suggestions. Thanks a lot.



