Cpu Constantly At 49%-53%


6 replies to this topic

#1 Carpy

  • Members
  • 6 posts

Posted 28 January 2008 - 03:06 AM

Hey guys,
I recently reinstalled XP SP2 and upon rebooting I somehow caught Trojan.Vundo. I finally got it removed using VundoBeGone.exe. I've run pointless scans with Ad-Aware 2007 & Spybot S&D (I've always hated these programs because they never found anything, even before I was able to remove Vundo). I have Trend Micro Antivirus + Antispyware installed and it finds nothing. McAfee's RootKit scanner came up empty, as did Stinger. When I check the Processes tab of my Task Manager and sort it by CPU, nothing appears to be taking up more than 2 or 3 at a time.

I need some help. Hopefully my log will reveal something that I'm not seeing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:18 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\itunes\itunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Documents and Settings\Carp\Local Settings\Temporary Internet Files\Content.IE5\SOOH1QWS\stinger[1].exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201506440093
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5084 bytes



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 01 February 2008 - 03:35 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Carpy
My name is Richie and I'll be helping you to fix your problems.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
Read this article:
http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player



Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 4'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation jre-6u4-windows-i586-p.exe' [15.12 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 Carpy

  • Topic Starter
  • Members
  • 6 posts

Posted 02 February 2008 - 01:11 AM

ComboFix 08-02.02.2 - Carp 2008-02-01 23:06:20.1 - NTFSx86
Running from: C:\Documents and Settings\Carp\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 23:03 . 2008-02-01 23:03 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Yahoo!
2008-02-01 23:03 . 2008-02-01 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-01 23:00 . 2008-02-01 23:00 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-02-01 23:00 . 2008-02-01 23:13 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-02-01 22:59 . 2008-02-01 23:02 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-01 22:59 . 2008-02-01 23:02 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-01 22:59 . 2008-02-01 23:02 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-01 22:59 . 2008-02-01 23:02 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-01 22:58 . 2008-02-01 23:03 <DIR> d-------- C:\Program Files\Symantec
2008-02-01 22:58 . 2008-02-01 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-01 22:57 . 2008-02-01 22:57 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-01 22:47 . 2008-02-01 23:14 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-01 22:39 . 2008-02-01 22:39 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Symantec
2008-02-01 22:32 . 2008-02-01 22:33 192,512 --a------ C:\WINDOWS\system32\kdfvmgr.exe
2008-02-01 22:25 . 2008-02-01 22:25 <DIR> d-------- C:\VundoFix Backups
2008-02-01 22:13 . 2008-02-01 22:13 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-02-01 22:13 . 2008-02-01 22:13 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-02-01 22:10 . 2008-02-01 22:10 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-02-01 22:08 . 2008-02-01 22:08 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Sunbelt Software
2008-02-01 22:08 . 2008-02-01 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-02-01 22:07 . 2008-02-01 22:07 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-02-01 22:03 . 2008-02-01 22:03 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Grisoft
2008-02-01 22:03 . 2008-02-01 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-01 22:03 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-01 21:57 . 2008-02-01 23:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-01 21:33 . 2008-02-01 21:33 846,336 --a------ C:\WINDOWS\system32\kdfinj.dll
2008-02-01 21:33 . 2008-02-01 22:33 722,472 --a------ C:\WINDOWS\system32\kdfmgr.exe
2008-02-01 21:33 . 2008-02-01 22:33 77,824 --a------ C:\WINDOWS\system32\kdfapi.dll
2008-02-01 21:33 . 2008-02-01 21:57 53,248 --a------ C:\WINDOWS\system32\Kdfhok.dll
2008-02-01 21:15 . 2008-02-01 21:49 <DIR> d-------- C:\MDT
2008-02-01 21:13 . 2008-02-01 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-01 21:10 . 2008-02-01 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-02-01 21:07 . 2008-02-01 22:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 16:43 . 2003-01-17 09:23 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-01 16:43 . 2008-02-01 16:43 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-01 16:41 . 2008-02-01 16:41 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-01 16:40 . 2008-02-01 16:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-01 16:37 . 2008-02-01 16:37 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-01 16:35 . 2008-02-01 16:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-01 16:35 . 2008-02-01 16:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-01 16:34 . 2008-02-01 16:34 <DIR> d-------- C:\Program Files\DivX
2008-02-01 16:33 . 2008-02-01 21:29 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-01 16:27 . 2008-02-01 16:27 25 --a------ C:\WINDOWS\cdplayer.ini
2008-02-01 16:25 . 2008-02-01 16:25 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Nero
2008-02-01 16:24 . 2008-02-01 16:24 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-01 16:23 . 2008-02-01 16:23 <DIR> d-------- C:\Program Files\Real
2008-02-01 16:23 . 2008-02-01 16:23 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-01 16:20 . 2008-02-01 16:20 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\CyberLink
2008-02-01 16:17 . 2008-02-01 16:17 <DIR> d-------- C:\Program Files\Nero
2008-02-01 16:17 . 2008-02-01 16:23 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-02-01 16:17 . 2008-02-01 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-01 16:17 . 2008-02-01 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-01 16:15 . 2008-02-01 16:15 <DIR> d-------- C:\Program Files\CyberLink
2008-02-01 16:15 . 2007-03-02 14:33 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-02-01 16:14 . 2008-02-01 16:14 <DIR> d-------- C:\WINDOWS\WinAVI Video Converter 9.0
2008-02-01 16:14 . 2008-02-01 16:14 <DIR> d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-02-01 16:14 . 2004-08-11 01:45 141,312 --a------ C:\WINDOWS\system32\setb3.tmp
2008-02-01 16:11 . 2008-02-01 16:11 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-01 15:11 . 2007-12-01 00:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-01 15:05 . 2008-02-01 15:05 <DIR> d-------- C:\WINDOWS\system32\en
2008-02-01 15:05 . 2008-02-01 15:05 <DIR> d-------- C:\WINDOWS\system32\bits
2008-02-01 15:05 . 2008-02-01 15:05 <DIR> d-------- C:\WINDOWS\l2schemas
2008-02-01 15:03 . 2008-02-01 15:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-01 15:03 . 2007-12-01 00:26 294,912 -----c--- C:\WINDOWS\system32\dllcache\dlimport.exe
2008-02-01 15:00 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002948_.tmp
2008-02-01 14:34 . 2004-09-23 20:08 1,192,266 --a--c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-02-01 14:34 . 2004-09-23 20:06 245,248 --a--c--- C:\WINDOWS\system32\dllcache\acspecfc.dll
2008-02-01 14:13 . 2008-02-01 16:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-01 14:13 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-01 14:11 . 2008-02-01 14:11 <DIR> d--hs---- C:\Documents and Settings\Carp\UserData
2008-02-01 14:08 . 2008-02-01 14:08 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-01 13:38 . 2008-02-01 13:38 <DIR> d-------- C:\Program Files\SigmaTel
2008-02-01 13:38 . 2007-05-10 10:24 1,222,840 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-02-01 13:38 . 2007-05-10 10:23 270,336 --a------ C:\WINDOWS\system32\stacapi.dll
2008-02-01 13:38 . 2007-08-21 09:58 146,944 --a------ C:\WINDOWS\system32\st325602.dll
2008-02-01 13:26 . 2008-02-01 13:26 <DIR> d-------- C:\Program Files\QuickTime
2008-02-01 13:26 . 2008-02-01 13:26 <DIR> d-------- C:\Program Files\iTunes
2008-02-01 13:26 . 2008-02-01 13:26 <DIR> d-------- C:\Program Files\iPod
2008-02-01 13:26 . 2008-02-01 13:26 <DIR> d-------- C:\Program Files\Bonjour
2008-02-01 13:26 . 2008-02-01 22:35 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Azureus
2008-02-01 13:26 . 2008-02-01 13:26 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\Apple Computer
2008-02-01 13:26 . 2008-02-01 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-01 13:26 . 2008-02-01 21:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 13:26 . 2008-02-01 13:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-01 13:25 . 2008-02-01 13:25 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-01 13:25 . 2008-02-01 13:25 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-01 13:25 . 2008-02-01 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-01 13:25 . 2008-02-01 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-01 13:24 . 2008-02-01 13:24 <DIR> d-------- C:\Program Files\AOL Search
2008-02-01 13:24 . 2008-02-01 13:24 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\acccore
2008-02-01 13:24 . 2008-02-01 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-01 13:24 . 2008-02-01 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-01 13:24 . 2008-02-01 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-02-01 13:23 . 2008-02-01 13:23 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-02-01 13:23 . 2008-02-01 13:23 <DIR> d-------- C:\Program Files\Azureus
2008-02-01 13:23 . 2008-02-01 13:24 <DIR> d-------- C:\Program Files\AIM6
2008-02-01 13:23 . 2008-02-01 13:24 484 --ah----- C:\IPH.PH
2008-02-01 13:14 . 2008-02-01 13:14 <DIR> d-------- C:\Documents and Settings\Carp\Application Data\ATI
2008-02-01 13:08 . 2008-02-01 13:08 <DIR> d-------- C:\Program Files\AMD
2008-02-01 13:08 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 22:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-01 19:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-01 19:12 --------- d-----w C:\Program Files\ATI Technologies
2008-02-01 19:07 --------- d-----w C:\Program Files\Dell
2008-02-01 18:59 --------- d-----w C:\Program Files\Java
2008-02-01 18:59 --------- d-----w C:\Program Files\Common Files\Java
2008-02-01 18:53 --------- d-----w C:\Program Files\Broadcom
2008-02-01 18:52 --------- d-----w C:\Program Files\DIFX
2008-02-01 18:51 --------- d-----w C:\Program Files\Intel
2008-02-01 18:45 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-01 06:26 769,024 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
2007-12-01 06:26 744,448 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
2007-12-01 06:26 69,120 ----a-w C:\WINDOWS\notepad.exe
2007-12-01 06:26 50,688 ----a-w C:\WINDOWS\twain_32.dll
2007-12-01 06:26 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2007-12-01 06:26 32,866 ------w C:\WINDOWS\slrundll.exe
2007-12-01 06:26 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2007-12-01 06:26 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2007-12-01 06:26 18,432 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\hscupd.exe
2007-12-01 06:26 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
2007-12-01 06:26 150,528 ----a-w C:\WINDOWS\pchealth\UploadLB\Binaries\uploadm.exe
2007-12-01 06:26 146,432 ----a-w C:\WINDOWS\regedit.exe
2007-12-01 06:26 10,752 ----a-w C:\WINDOWS\hh.exe
2007-12-01 06:26 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-12-01 06:25 450,048 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2007-12-01 06:25 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2007-12-01 06:25 38,400 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll
2007-12-01 06:25 376,832 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msinfo.dll
2007-12-01 06:25 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2007-12-01 06:25 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2007-12-01 06:25 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2007-12-01 06:25 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2007-12-01 06:25 102,912 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\pchshell.dll
2007-12-01 06:25 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-01 23:08 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 10:22 405504]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-01 16:23 185896]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-11-28 12:57 698864]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-12-01 00:26 169984]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 22:53 714608]
"isCfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" [2007-08-24 03:49 607624]


*Newly Created Service* - AUTOMATIC_LIVEUPDATE_SCHEDULER
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
*Newly Created Service* - CCEVTMGR
*Newly Created Service* - CCSETMGR
*Newly Created Service* - EECTRL
*Newly Created Service* - ERASERUTILDRV10741
*Newly Created Service* - LIVEUPDATE
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - SBAPIFS
*Newly Created Service* - SBCSSVC
*Newly Created Service* - SBHR
*Newly Created Service* - SPBBCDRV
*Newly Created Service* - SRTSP
*Newly Created Service* - SRTSPX
*Newly Created Service* - SYMANTEC_CORE_LC
*Newly Created Service* - SYMEVENT
*Newly Created Service* - SYMREDRV
*Newly Created Service* - SYMTDI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]
C:\DOCUME~1\Carp\LOCALS~1\Temp\nya.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 03:34:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 04:01:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 23:15:25
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 23:19:37


-----------------------------------------------------------------------------------------------------------------------
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:57 AM, on 2/2/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6829 bytes

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 02 February 2008 - 04:58 AM

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\setb3.tmp
C:\WINDOWS\002948_.tmp
C:\WINDOWS\hh.exe
C:\DOCUME~1\Carp\LOCALS~1\Temp\nya.exe
Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{036309A2-B046-F842-0406-040204020301}]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected. It does not provide an option to clean/disinfect; I need to see the scan results.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

#5 Carpy

  • Topic Starter
  • Members
  • 6 posts

Posted 02 February 2008 - 10:12 PM

I'm running the Kaspersky scan now.

As for ComboFix, I get an error. "Cannot rename ComboFix as ComboFix, please use another name". This error comes after I drag CFScript on top of ComboFix.

#6 Carpy

  • Topic Starter
  • Members
  • 6 posts

Posted 02 February 2008 - 11:19 PM

KASPERSKY ONLINE SCANNER REPORT
Saturday, February 02, 2008 10:18:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 546149


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Carp\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 17136
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:29:20

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Prefetch\layout.ini Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{3CFC1C41-0968-4845-9C04-9C64406EF2DB}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\JET8F9D.tmp Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\hsperfdata_Carp\3344 Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\NVE93.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\NVE94.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\NVE95.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\NVE96.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\NVE97.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\Perflib_Perfdata_408.dat Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\Rar$EX00.344\Norton Internet Security 2008 Keygen And Serial.EXE/data0000.cab/nzm.exe Infected: Backdoor.Win32.Agobot.apc skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\Rar$EX00.344\Norton Internet Security 2008 Keygen And Serial.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.apc skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\Rar$EX00.344\Norton Internet Security 2008 Keygen And Serial.EXE Rsrc-Package: infected - 2 skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\~DF34FA.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\~DF3B87.tmp Object is locked skipped

C:\DOCUME~1\Carp\LOCALS~1\Temp\~DF3E74.tmp Object is locked skipped

Scan process completed.
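
The Kaspersky Online Scanner report above mixes real detections with a long run of "Object is locked skipped" lines, and nests archive members as container/member paths. As an added example (not part of the thread, and not Kaspersky's own tooling), this Python snippet parses that report format, separates detections from locked objects, and maps each nested detection back to the single file that actually exists on disk, so the numbers can be checked against the report's own Scan Statistics; the sample report is a constructed excerpt copied from the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed excerpt in the Kaspersky Online Scanner 5.x report format quoted
# in the thread; paths and detection names are copied from that post.
SAMPLE_REPORT = """\
Infected Object Name Virus Name Last Action
C:\\WINDOWS\\Debug\\PASSWD.LOG Object is locked skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\DOCUME~1\\Carp\\LOCALS~1\\Temp\\Rar$EX00.344\\Norton Internet Security 2008 Keygen And Serial.EXE/data0000.cab/nzm.exe Infected: Backdoor.Win32.Agobot.apc skipped
C:\\DOCUME~1\\Carp\\LOCALS~1\\Temp\\Rar$EX00.344\\Norton Internet Security 2008 Keygen And Serial.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.apc skipped
C:\\DOCUME~1\\Carp\\LOCALS~1\\Temp\\Rar$EX00.344\\Norton Internet Security 2008 Keygen And Serial.EXE Rsrc-Package: infected - 2 skipped
Scan process completed.
"""

# One object line is "<path> <status> <last action>". Paths may contain spaces,
# so the known status phrases anchor the split rather than whitespace.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<status>Object is locked|Infected: \S+|Rsrc-Package: infected - \d+) "
    r"(?P<action>\w+)$"
)

def parse_report(text):
    """Return one dict per object line; header and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, status, action = m.group("path", "status", "action")
        # Archive members are written container/member; only the first
        # component of that chain is a real file on the disk.
        findings.append({
            "path": path,
            "on_disk": path.split("/")[0],
            "detection": status.split(": ", 1)[1] if status.startswith("Infected:") else None,
            "locked": status == "Object is locked",
            "action": action,
        })
    return findings

def triage(text):
    """Summarise detections per on-disk file and sanity-check the report totals."""
    findings = parse_report(text)
    infected = Counter((f["on_disk"], f["detection"]) for f in findings if f["detection"])
    return {
        "infected": dict(infected),                                   # (file, name) -> count
        "infected_objects": sum(1 for f in findings if not f["locked"]),  # matches report total
        "locked": sum(1 for f in findings if f["locked"]),
        "all_skipped": all(f["action"] == "skipped" for f in findings),  # nothing was cleaned
    }
```

In the full report the three non-locked lines all trace back to one file in the user's Temp folder, which is why "Number of viruses found" is 1 while "Number of infected objects" is 3; the scanner cleaned nothing, since every line ends in "skipped".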

#7 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 03 February 2008 - 05:07 AM

First enable the viewing of hidden files and folders; reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Delete everything inside this Temp folder:
C:\Documents and Settings\Carp\Local Settings\Temp

Click on Start/Run, type cleanmgr into the 'Open:' space, then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Restart normally.

Post a new HijackThis log, and let me know how your PC is running now.