
Multiple Trojans


  • This topic is locked
10 replies to this topic

#1 chieftess

  • Members
  • 5 posts

Posted 05 February 2008 - 08:26 PM

A few days ago, I noticed that my computer slowed down considerably and these malware and spyware pop-ups appeared. I ran my antivirus (Defender Pro 5 in 1 2007) as well as the Anti Spy program that came with it and did a full scan. Both showed nothing. Spybot S&D, Trojan Hunter and Spyware Terminator came up empty as well. Webroot Spysweeper only came up with advertisement cookies. So I used Ad-Aware, which said I have:


Ad-Aware Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1577566960-2649521505-990879219-1006\software\microsoft\windows\currentversion\ext\stats\{a95b2816-1d7e-4561-a202-68c0de02353a}

And SUPERantispyware said:


SUPERAntiSpyware Scan Log

Generated 02/04/2008 at 07:37 PM

Application Version : 3.6.1000

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 01:22:13

Memory items scanned : 379
Memory threats detected : 1
Registry items scanned : 5411
Registry threats detected : 8
File items scanned : 67534
File threats detected : 66

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\PMNLK.DLL
C:\WINDOWS\SYSTEM32\PMNLK.DLL
HKLM\Software\Classes\CLSID\{41210F7D-BBA7-4687-B10A-E23C68CB883A}
HKCR\CLSID\{41210F7D-BBA7-4687-B10A-E23C68CB883A}
HKCR\CLSID\{41210F7D-BBA7-4687-B10A-E23C68CB883A}\InprocServer32
HKCR\CLSID\{41210F7D-BBA7-4687-B10A-E23C68CB883A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41210F7D-BBA7-4687-B10A-E23C68CB883A}

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}

After both had quarantined and removed them, I restarted my computer and they are still lurking around in here. I ran HijackThis:


Logfile of HijackThis v2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:52 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vphc700.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner\My Documents\Programs\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3503
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {41210F7D-BBA7-4687-B10A-E23C68CB883A} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [phc700] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] "C:\My Backup -- 08-01-23 1232PM\Program Files\Defender Pro\Defender Pro PC Tune-up and Repair\PopUpKiller.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/down...llerControl.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201125678203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 7397 bytes


If anyone can help me get rid of this once and for all, I would be ever so grateful.

Thank You
- Becky

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 February 2008 - 03:29 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 chieftess
  • Topic Starter

  • Members
  • 5 posts

Posted 06 February 2008 - 11:20 AM

All right. I just ran ComboFix and here it is:

ComboFix 08-02.05.3 - Owner 2008-02-06 10:08:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1425 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\My Documents\Programs\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\klnmp.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 21:47 . 2008-02-05 21:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 21:47 . 2008-02-05 21:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 17:26 . 2008-02-05 21:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Amazon
2008-02-05 15:35 . 2008-02-05 15:35 <DIR> d-------- C:\VundoFix Backups
2008-02-04 21:14 . 2008-02-04 21:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-04 16:21 . 2008-02-05 21:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-04 16:21 . 2008-02-04 16:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-04 16:21 . 2008-02-04 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-04 15:10 . 2008-02-05 21:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-04 15:02 . 2008-02-04 18:18 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2008-02-04 14:52 . 2008-02-05 21:13 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-02-04 14:49 . 2008-02-04 15:23 <DIR> d-------- C:\Program Files\RogueRemover
2008-02-04 02:37 . 2008-02-04 02:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-02-04 02:36 . 2008-02-04 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 02:26 . 2008-02-04 02:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-04 02:06 . 2008-02-04 02:06 2,048 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-02-04 02:04 . 2008-02-04 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-04 02:01 . 2008-02-04 02:01 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-04 02:01 . 2008-02-04 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-04 01:35 . 2008-02-04 02:10 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-03 23:30 . 2008-02-05 21:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-03 23:30 . 2008-02-04 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 21:31 . 2008-02-03 21:30 163,904 --a------ C:\WINDOWS\system32\reygszfg.dll.ren
2008-02-03 00:57 . 2008-02-03 01:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-02-02 23:41 . 2008-02-04 15:23 <DIR> d-------- C:\Program Files\RegVac
2008-02-02 23:41 . 1999-07-17 02:21 4,608 --a------ C:\WINDOWS\system32\W95Inf32.DLL
2008-02-02 23:41 . 1999-07-17 02:21 2,272 --a------ C:\WINDOWS\system32\W95Inf16.DLL
2008-02-02 23:33 . 2008-02-04 15:20 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-02-02 10:25 . 2008-02-02 22:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-02 10:25 . 2008-02-02 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 16:51 . 2008-01-31 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-31 16:50 . 2008-01-31 16:50 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-27 14:32 . 2008-01-27 14:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2008-01-27 14:32 . 2008-01-27 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-26 14:40 . 2008-02-05 18:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-26 02:36 . 2008-01-26 02:36 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
2008-01-26 02:36 . 2008-01-26 02:39 1 --a------ C:\WINDOWS\system32\dxl.dat
2008-01-25 22:13 . 2008-02-05 21:21 <DIR> d-------- C:\Program Files\Amazon
2008-01-25 22:13 . 2008-01-25 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Amazon
2008-01-25 16:13 . 2006-06-03 23:29 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll
2008-01-25 15:41 . 2008-01-25 15:42 <DIR> d-------- C:\Program Files\Any Video Converter
2008-01-25 01:02 . 2008-02-05 22:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-24 17:54 . 2008-01-24 17:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-01-24 17:54 . 2008-02-05 15:31 1,496 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-24 16:04 . 2008-01-24 16:04 24 --a------ C:\WINDOWS\cdplayer.ini
2008-01-24 16:03 . 2008-01-24 16:03 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-24 15:40 . 2008-01-24 15:40 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-01-24 15:40 . 2008-01-31 15:19 46,195 --a------ C:\toolbar7.sty
2008-01-24 15:39 . 2008-01-24 15:39 <DIR> d-------- C:\Program Files\Audio Edit Magic
2008-01-24 03:24 . 2008-01-24 03:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\proDAD
2008-01-24 03:21 . 2008-01-24 03:21 <DIR> d-------- C:\Program Files\AdorageI-SAL
2008-01-24 03:21 . 2008-01-24 03:21 <DIR> d-------- C:\Program Files\AdorageI-GfxDatas
2008-01-24 02:09 . 2008-01-24 02:09 <DIR> d-------- C:\WINDOWS\Sun
2008-01-24 00:41 . 2008-02-03 23:46 24,321 --a------ C:\logfile
2008-01-24 00:36 . 2008-02-06 10:12 3,120 --a------ C:\WINDOWS\system32\HAF9SE8J.ocx
2008-01-24 00:36 . 2008-02-06 10:12 3,120 --a------ C:\WINDOWS\D9H7ADHB.ocx
2008-01-23 20:40 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-23 20:40 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-23 20:40 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-23 20:37 . 2008-01-23 20:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-23 20:29 . 2007-07-09 07:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-23 20:27 . 2006-03-20 21:23 23,040 --------- C:\WINDOWS\kb913800.exe
2008-01-23 20:24 . 2006-12-06 22:14 2,330,624 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-01-23 20:20 . 2007-07-30 21:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-23 20:20 . 2007-07-30 21:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-23 20:20 . 2007-07-30 21:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-23 19:05 . 2008-01-23 19:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-23 19:04 . 2008-01-23 19:04 <DIR> d-------- C:\Program Files\QuickTime
2008-01-23 19:04 . 2008-01-23 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-23 19:03 . 2008-01-23 19:03 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-01-23 19:03 . 2004-08-04 02:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-23 19:03 . 2004-08-04 00:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-23 19:03 . 2004-08-04 00:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-23 19:03 . 2001-08-18 00:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-23 18:59 . 2008-01-23 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-23 18:57 . 2008-01-23 19:01 <DIR> d-------- C:\Program Files\Kodak
2008-01-23 18:15 . 2008-01-23 18:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ArcSoft
2008-01-23 17:35 . 2008-01-23 17:35 <DIR> d-------- C:\Program Files\LimeWire
2008-01-23 17:34 . 2008-02-05 16:49 <DIR> d-------- C:\Documents and Settings\Owner\.limewire
2008-01-23 17:33 . 2008-01-24 00:41 <DIR> d-------- C:\Program Files\DefenderPro AntiSpy
2008-01-23 17:33 . 2008-01-26 02:34 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-01-23 17:33 . 2008-01-23 17:33 64 --a------ C:\WINDOWS\tsiwinfile.dat
2008-01-23 17:32 . 2008-01-23 17:32 <DIR> d-------- C:\Program Files\Common Files\Defender Pro Firewall
2008-01-23 17:30 . 2008-01-23 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus
2008-01-23 17:29 . 2008-01-23 17:33 <DIR> d-------- C:\Program Files\Defender Pro
2008-01-23 17:22 . 2008-01-23 17:22 <DIR> d-------- C:\Program Files\Common Files\HP
2008-01-23 17:21 . 2008-01-23 17:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-23 17:17 . 2006-03-03 23:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-01-23 17:17 . 2006-03-03 23:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-01-23 17:17 . 2006-03-03 23:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-01-23 17:17 . 2007-08-09 01:27 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-01-23 17:17 . 2006-03-03 23:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-01-23 17:17 . 2006-03-03 23:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-01-23 17:16 . 2008-01-23 17:21 <DIR> d-------- C:\Program Files\HP
2008-01-23 17:13 . 2008-01-23 17:23 123,926 --a------ C:\WINDOWS\HPHins12.dat
2008-01-23 17:13 . 2006-06-12 16:21 14,916 --------- C:\WINDOWS\hphmdl12.dat
2008-01-23 17:10 . 2008-01-23 17:10 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-01-23 17:10 . 1995-08-01 06:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-01-23 17:09 . 2008-01-23 17:09 <DIR> d-------- C:\Program Files\Philips
2008-01-23 17:09 . 2005-06-07 16:21 541,568 --a------ C:\WINDOWS\system32\drivers\phc700.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 19:34 --------- d-----w C:\Program Files\Windows Plus
2008-01-23 19:34 --------- d-----w C:\Program Files\microsoft frontpage
.
----a-w   980,409 2006-08-29 00:28:39  C:\Documents and Settings\Owner\My Documents\Programs\AudioEditMagic.7.7\Computer Utilites\RemoveITPro XTSE14-6-2006\RemoveIT Pro XT - SE 14.6.2006 .exe
----a-w   980,409 2006-08-29 00:28:39  C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\Computer Utilites\RemoveITPro XTSE14-6-2006\RemoveIT Pro XT - SE 14.6.2006 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41210F7D-BBA7-4687-B10A-E23C68CB883A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-24 15:35 171448]
"Ashampoo PopUpBlocker"="C:\My Backup -- 08-01-23 1232PM\Program Files\Defender Pro\Defender Pro PC Tune-up and Repair\PopUpKiller.exe" [2004-02-03 13:13 1216000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 19:44 16120832 C:\WINDOWS\RTHDCPL.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"phc700"="C:\WINDOWS\vphc700.exe" [2005-07-20 21:56 339968]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-23 19:04 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-24 16:02 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
backup=C:\WINDOWS\pss\Amazon Unbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

R0 Klpf;Klpf;C:\WINDOWS\system32\drivers\Klpf.sys [2005-08-04 09:19]
R0 Klpid;Klpid;C:\WINDOWS\system32\drivers\Klpid.sys [2005-08-04 09:19]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 08:59]
R3 phc700;USB PC Camera (phc700);C:\WINDOWS\system32\DRIVERS\phc700.sys [2005-06-07 16:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 21:28:43 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 10:12:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 2544

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-02-06 10:16:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 16:16:25
.
2008-01-24 10:50:15 --- E O F ---



And here is the log file for HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:24 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vphc700.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Programs\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3503
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41210F7D-BBA7-4687-B10A-E23C68CB883A} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [phc700] C:\WINDOWS\vphc700.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] "C:\My Backup -- 08-01-23 1232PM\Program Files\Defender Pro\Defender Pro PC Tune-up and Repair\PopUpKiller.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/down...llerControl.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201125678203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 6664 bytes

#4 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 06 February 2008 - 12:19 PM

Hi,

Navigate to and delete the following file and folder:

C:\WINDOWS\system32\reygszfg.dll.ren <== file
C:\VundoFix Backups <== folder

This is a false positive:

<pre>
----a-w 980,409 2006-08-29 00:28:39 C:\Documents and Settings\Owner\My Documents\Programs\AudioEditMagic.7.7\Computer Utilites\RemoveITPro XTSE14-6-2006\RemoveIT Pro XT - SE 14.6.2006 .exe
----a-w 980,409 2006-08-29 00:28:39 C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\Computer Utilites\RemoveITPro XTSE14-6-2006\RemoveIT Pro XT - SE 14.6.2006 .exe
</pre>

Because I guess these files have a space before the exe extension by default.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
O2 - BHO: (no name) - {41210F7D-BBA7-4687-B10A-E23C68CB883A} - (no file)
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/down...llerControl.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then * Go to start > run and copy and paste the following command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, * Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply and also let me know how things are now.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
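An added triage helper for the HijackThis entries quoted in this post. This is example code written for this page, not part of the thread, of the responder's method, or of HijackThis itself. It parses R1, O2, O16 and O23 lines and flags the same patterns the fix list above targets: IE search settings pointing at a third-party host, a BHO registered with no backing file, an ActiveX download from a host outside an allowlist, and a service with no publisher string. The allowlist, the severities and the sample lines (copied from the thread, with the truncated "..." URLs left exactly as posted) are illustrative assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not thread code).

Flags the entry patterns the responder fixed in this thread:
  R1  IE search/start settings redirected to a third-party host
  O2  BHO registered with no backing file or no name
  O16 ActiveX (DPF) download from a host outside an assumed allowlist
  O23 service registered with "Unknown owner"
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist for illustration; tune it for the environment you triage.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "macromedia.com", "bitdefender.com")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
R1_HIJACK_KEYS = ("SearchAssistant", "CustomizeSearch", "Start Page", "Search Page")

# Constructed sample, copied from the entries quoted in this thread
# (the truncated "..." URLs are left exactly as posted).
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61006
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61006
O2 - BHO: (no name) - {41210F7D-BBA7-4687-B10A-E23C68CB883A} - (no file)
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/down...llerControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201125678203
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe"""


@dataclass
class Finding:
    line: int
    kind: str
    severity: str
    reason: str
    text: str


def is_trusted(host: str) -> bool:
    """True when host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def host_of(url: str) -> str:
    return urlparse(url.strip()).netloc


def triage(log_text: str) -> list:
    """Return the entries worth a closer look, in log order."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1":
            # R1 - <hive>\...\Main,<value> = <url>
            name, _, url = body.partition(" = ")
            if any(k in name for k in R1_HIJACK_KEYS) and url.startswith("http") and not is_trusted(host_of(url)):
                findings.append(Finding(n, kind, "high",
                                        f"IE search/start setting points at {host_of(url)}", raw))
        elif kind == "O2":
            # O2 - BHO: <name> - {CLSID} - <dll path>
            if body.endswith("(no file)"):
                findings.append(Finding(n, kind, "medium",
                                        "BHO registration with no backing file (orphan or hidden loader)", raw))
            elif body.startswith("BHO: (no name)"):
                findings.append(Finding(n, kind, "medium", "unnamed BHO; verify the DLL", raw))
        elif kind == "O16":
            # O16 - DPF: <name or CLSID> - <url of the cab/ocx that was downloaded>
            host = host_of(body.rsplit(" - ", 1)[-1])
            if not is_trusted(host):
                findings.append(Finding(n, kind, "medium", f"ActiveX control downloaded from {host}", raw))
        elif kind == "O23":
            # O23 - Service: <display name> - <publisher> - <binary path>
            if " - Unknown owner - " in body:
                findings.append(Finding(n, kind, "low", "service with no publisher string; confirm the binary", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>2} {f.kind:<4} {f.severity:<6} {f.reason}")
```

Run against the sample it flags the two crawler.com R1 entries, the orphaned BHO, the imgag.com DPF download and the "Unknown owner" ATI service, and leaves the Windows Update control and the Defender Pro service alone. The O23 "Unknown owner" rule is deliberately low severity: it only means the binary carried no publisher string, so it is a prompt to check the file, not a verdict.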

#5 chieftess (Topic Starter)

Posted 06 February 2008 - 06:56 PM

I did everything up until the Eset Scan. It installed and when I pressed start, I got: Error: Update Failed (200)

#6 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 07 February 2008 - 01:04 AM

Yes, it's an error with Eset and the Update server. Don't worry.
Let's use another scan instead..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

#7 chieftess (Topic Starter)

Posted 07 February 2008 - 03:54 PM

Ok, the scan just finished and here are the results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 07, 2008 2:53:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/02/2008
Kaspersky Anti-Virus database records: 553461
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 171019
Number of viruses found: 3
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 03:24:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\gangsta.rappa.ho@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\gangsta.rappa.ho@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\gangsta.rappa.ho@hotmail.com\SharingMetadata\Working\database_12FC_DF18_FCDE_F4C7\dfsr.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\gangsta.rappa.ho@hotmail.com\SharingMetadata\Working\database_12FC_DF18_FCDE_F4C7\fsr.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\gangsta.rappa.ho@hotmail.com\SharingMetadata\Working\database_12FC_DF18_FCDE_F4C7\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\gangsta.rappa.ho@hotmail.com\SharingMetadata\Working\database_12FC_DF18_FCDE_F4C7\tmp.edb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\gangsta.rappa.ho@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\gangsta.rappa.ho@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008020720080208\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\BCGB.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1856.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1867.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF487F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4890.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\62964W3H\in[1].htm Infected: Trojan-Downloader.JS.Psyme.wi skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0SBLM5FP\df34[1].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0SBLM5FP\df34[2].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0SBLM5FP\df34[3].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0SBLM5FP\df34[4].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9084TX84\df34[1].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9084TX84\df34[2].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9084TX84\df34[3].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9084TX84\df34[4].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9084TX84\df34[5].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\df34[1].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\df34[2].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\df34[3].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\df34[4].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\df34[5].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HR1KCDWF\df34[6].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\Application Data\Spyware Terminator\info.htm Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\Application Data\Spyware Terminator\Reports\scan_0000.dat.xml Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\Application Data\Spyware Terminator\Reports\scan_0001.dat.xml Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\Application Data\Spyware Terminator\Reports\scan_0002.dat.xml Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\aawsepro.exe Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\Liberals are hypocrites.wps Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\Liberals are hypocrites1.wps Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\My Pictures\XXX\Thumbs.db Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\My Sharing Folders.lnk Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\Owner\My Documents\wm3video.wps Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Program Files\Spyware Terminator\unins000.exe Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\WINDOWS\system32\sha1hsh.dll Infected: Trojan-Proxy.Win32.Agent.yj skipped
C:\Program Files\Defender Pro\Defender Pro Firewall\applog.log Object is locked skipped
C:\Program Files\Defender Pro\Defender Pro Firewall\pktlog.log Object is locked skipped
C:\Program Files\Defender Pro\Defender Pro Firewall\seclog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP66\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2603A740-6A07-4D5E-8CBA-5B8FBF4282B8}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Amazon Digital Video\Servicelog.adv Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 07 February 2008 - 04:15 PM

Hi,

Just some leftovers in your temporary Internet files and in your backups folder.

To deal with them..

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
For the ones found in your backup folder: these are actually backups of the Temporary Internet Files that were created, in these folders:

C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\My Backup -- 08-01-23 1232PM\WINDOWS\system32\sha1hsh.dll Infected: Trojan-Proxy.Win32.Agent.yj skipped

Basically, what I suggest here is... why not delete the entire C:\My Backup -- 08-01-23 1232PM directory?
It's a backup from last week.
Not sure what program you are using to create these backups, but you can create a new backup anyway again, now a clean one. No need to keep the one when you were infected.

How are things running now?

Edited by miekiemoes, 07 February 2008 - 04:16 PM.

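An added reader for the Kaspersky Online Scanner report posted in #7, written for this page; it is not code from the thread, from the responder or from Kaspersky. It separates the "Infected:" hits from the "Object is locked skipped" noise (locked registry hives, event logs and index.dat files are normal, not findings) and turns the hits into the action list the responder gave above: clear the live browser cache, delete the infected cache tree and the infected DLL inside the old backup, and treat anything infected outside both as something to investigate before deleting. The backup root name is taken from the report; the six sample lines are a constructed subset of it.

```python
"""Reader for a Kaspersky Online Scanner text report (added example, not thread code).

Splits "Infected:" hits from "Object is locked skipped" noise and turns the hits
into the kind of action list the responder gave above: clear the live browser
cache, delete infected cache trees and binaries inside the old backup, and treat
anything infected outside both as something to investigate first.
"""
import re

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CACHE_DIR = "\\content.ie5\\"   # IE5-era browser cache tree (matched case-insensitively)

# Assumed backup root, as named in the report quoted in this thread.
BACKUP_ROOT = r"C:\My Backup -- 08-01-23 1232PM"

# Constructed sample: a handful of lines copied from the report above, one per case.
SAMPLE_REPORT = r"""C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\62964W3H\in[1].htm Infected: Trojan-Downloader.JS.Psyme.wi skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0SBLM5FP\df34[1].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9084TX84\df34[2].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\My Backup -- 08-01-23 1232PM\WINDOWS\system32\sha1hsh.dll Infected: Trojan-Proxy.Win32.Agent.yj skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped"""


def parse_report(text: str) -> dict:
    """Return {"infected": [(path, verdict), ...], "locked": [path, ...]}."""
    infected, locked = [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = INFECTED_RE.match(line)
        if m:
            infected.append((m.group("path"), m.group("verdict")))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return {"infected": infected, "locked": locked}


def classify(path: str, backup_roots) -> tuple:
    """Map one infected path to (location, kind, target).

    location: "backup" if under one of backup_roots, else "live"
    kind:     "cache" for browser-cache hits, else "binary"
    target:   what to act on; for cache hits this is the whole Content.IE5 tree,
              mirroring the advice in the thread to drop the cache rather than
              chase individual cached pages
    """
    low = path.lower()
    in_backup = any(low.startswith(r.lower().rstrip("\\") + "\\") for r in backup_roots)
    location = "backup" if in_backup else "live"
    idx = low.find(CACHE_DIR)
    if idx >= 0:
        # keep the path up to and including "\Content.IE5" (drop the trailing backslash)
        return location, "cache", path[: idx + len(CACHE_DIR) - 1]
    return location, "binary", path


def recommend(location: str, kind: str) -> str:
    if kind == "cache":
        return "clear the browser cache" if location == "live" else "delete this cache folder"
    return "delete this file" if location == "backup" else "investigate before deleting; may be active"


def plan(text: str, backup_roots=(BACKUP_ROOT,)) -> dict:
    """Collapse infected lines into one action per target path."""
    out = {}
    for path, verdict in parse_report(text)["infected"]:
        location, kind, target = classify(path, backup_roots)
        entry = out.setdefault(target, {"location": location, "kind": kind, "verdicts": set(),
                                        "action": recommend(location, kind)})
        entry["verdicts"].add(verdict)
    return out


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{len(report['infected'])} infected, {len(report['locked'])} locked (ignored)")
    for target, e in plan(SAMPLE_REPORT).items():
        print(f"[{e['location']}/{e['kind']}] {e['action']}: {target}  <- {', '.join(sorted(e['verdicts']))}")
```

On the sample the four infected lines collapse to three targets: the live Content.IE5 tree (clear the cache), the backup's Content.IE5 tree (delete the folder) and the backup's sha1hsh.dll (delete the file), while the two locked hives are counted but not acted on. A file flagged under the live system32 rather than the backup would come out as "investigate", since a loaded DLL is the one case where deleting blindly is the wrong first move.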

#9 chieftess (Topic Starter)

Posted 07 February 2008 - 05:40 PM

It's running a lot better now, but when I tried to delete the backup folder I got:

Cannot Delete Access Denied
Make sure disk is not full or write-protected
and that the file is not currently in use

#10 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 07 February 2008 - 05:59 PM

Hi,

What program are you using for these backups? Because it does make sense that you cannot delete them, as I see in the Kaspersky log that many files in there are locked. (Wonder what is locking them.)
Anyway, the files that are infected in your backup folder can be deleted, since they are not locked.

So, delete the following folder and file:

C:\My Backup -- 08-01-23 1232PM\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\My Backup -- 08-01-23 1232PM\WINDOWS\system32\sha1hsh.dll

Then you should be OK as well :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes (Malware Killer Dog, Malware Response Team, Belgium)

Posted 10 February 2008 - 01:48 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



