
Infected With Cryp-tap-2 Virus


This topic is locked
13 replies to this topic

#1 timoscar


Posted 02 April 2008 - 09:37 AM

I started getting notification of a virus that my AVS (Trend Micro PC-Cillin) could not remove on Sunday. This was possibly due to a corrupt Limewire download. I have followed all of the instructions to load and run each of the programs listed here designed to wipe out all spyware, malware, etc. They seem to be getting identified but when I attempted to Fix Selected in SpyBot, I would get a Windows error that would shut down the PC.

I ran the VundoFix and VirtumundoBeGone programs to no avail.

The file in question is tuvsPHAp.dll (System32) and it will not allow me to manually delete as it is in use. This particular virus notification keeps appearing and the performance is extremely slow. I also am getting inundated with pop-ups.

I've exhausted all of my (elementary) know-how and I'm hoping you can help! Here is my HJT log. Please let me know if there's anything I've done wrong up to this point so I can get this taken care of ASAP! I work from home and this is not helping... Thanks!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:12 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Tim Baker\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [c817e2d7] rundll32.exe "C:\WINDOWS\system32\trxgntis.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10424 bytes
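A triage pass over O4 autorun entries like the ones in this log, as an added example that is not part of the original post or of HijackThis. The sample lines are copied from the log above; the heuristics (a Run value named with bare hex, rundll32 hosting an eight-letter DLL from system32, a core process name such as svchost.exe starting from a user profile) and their weights are this example's own assumptions.

```python
"""Triage heuristics for HijackThis O4 (autorun) entries.

Added example, not code from the original post or from HijackThis. The
sample lines are copied from the HJT log above; the scoring rules are this
example's own assumptions, based on the patterns visible in that log.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: six O4 lines taken verbatim from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Tim Baker\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [c817e2d7] rundll32.exe "C:\WINDOWS\system32\trxgntis.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Quoted program, unquoted path ending in .exe (may contain spaces), or first token.
PROGRAM_RE = re.compile(r'"([^"]*)"|(.*?\.exe)|(\S+)', re.I)
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)

# Core Windows process names; one of these starting from outside
# %SystemRoot% (here: a user profile) is a classic impersonation sign.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows", "%systemroot%")

# Indicator weights (assumed for this example).
WEIGHTS = {
    "hex-value-name": 3,        # Run value named like c817e2d7
    "system-name-odd-path": 3,  # svchost.exe launched from a user profile
    "random-dll-name": 2,       # eight-letter DLL name: tuvsPHAp, trxgntis
    "rundll32-loads-dll": 1,    # rundll32 hosting a DLL; worth a look
}


@dataclass
class Finding:
    name: str
    command: str
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.indicators)


def program_of(cmd: str) -> str:
    """Return the executable part of an autorun command line."""
    m = PROGRAM_RE.match(cmd.strip())
    return next(g for g in m.groups() if g is not None)


def check_entry(name: str, cmd: str) -> list:
    """Apply the heuristics to one O4 entry and return the indicator names hit."""
    found = []
    if re.fullmatch(r"[0-9a-f]{8}", name, re.I):
        found.append("hex-value-name")
    prog = PureWindowsPath(program_of(cmd))
    prog_dir = str(prog.parent).lower()
    if prog.name.lower() in SYSTEM_NAMES and not prog_dir.startswith(SYSTEM_DIRS):
        found.append("system-name-odd-path")
    if prog.name.lower() == "rundll32.exe":
        dll = DLL_RE.search(cmd)
        if dll:
            found.append("rundll32-loads-dll")
            stem = PureWindowsPath(dll.group(1) or dll.group(2)).stem
            if re.fullmatch(r"[a-z]{8}", stem, re.I):
                found.append("random-dll-name")
    return found


def triage(log_text: str) -> list:
    """Parse O4 lines and return Findings with at least one indicator, highest score first."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are skipped
        hits = check_entry(m["name"], m["cmd"])
        if hits:
            findings.append(Finding(m["name"], m["cmd"], hits))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:>2}  [{f.name}]  {', '.join(f.indicators)}\n    {f.command}")
```

The three entries this reports are exactly the ones MBAM later names in the next post (atgban.dll, the hex-named rundll32 value, and the "Host Process" svchost.exe); a real run would take the whole HJT log as input.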


#2 jwbirdsong


Posted 07 April 2008 - 07:57 PM

Sorry for the extended delay in getting to your log. The forums have just been swamped.
If you still need help do the following:

Download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Leave all the settings at the default except as noted below
  • Under Additional Scans sections, check the following
    • Reg - BotCheck
    • File - Additional Folder Scan
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the ADDREPLY button, scroll down to the attachments section and attach the notepad file here.

Please post
  • MBAM log
  • OTScanIt log (attached)
in your reply here

Edited by jwbirdsong, 07 April 2008 - 07:58 PM.


#3 timoscar


Posted 08 April 2008 - 07:45 PM

Thanks for your help so far. It appears to be running a little bit better already.

As promised, I have attached the OTScanIt Log and the MBAM Log. Please let me know what my next steps are. Thanks!

Malwarebytes' Anti-Malware 1.11
Database version: 601

Scan type: Quick Scan
Objects scanned: 318643
Time elapsed: 2 hour(s), 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 19
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\iifdbCVp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\tuvsPHAp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{08a8068e-53d1-42b2-b197-6d568843721f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08a8068e-53d1-42b2-b197-6d568843721f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5026ae88-be7e-4306-916d-a82844046372} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5026ae88-be7e-4306-916d-a82844046372} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wintouch (Adware.WinPop) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinTouch (Adware.WinPop) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{08a8068e-53d1-42b2-b197-6d568843721f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POSTSETUPCHECK (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMcb24d14b (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvsphap -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvsphap -> Delete on reboot.

Folders Infected:
C:\Program Files\WinPop (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinAntiSpyware 2006 (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinAntiSpyware 2006\Logs (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch (Adware.WinPop) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\iifdbCVp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\anihqoxm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mxoqhina.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hqbqpkfo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ofkpqbqh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwvydrkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kkrdyvwm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ocoypusr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsupyoco.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvsPHAp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pAHPsvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pAHPsvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jnxuuytl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Local Settings\Temp\nsw5F1.tmp\System.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinAntiSpyware 2006\Logs\update.log (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.09bc65a4e93f648ee7666092e25af251 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.0f0fbbed1c41cba83ea3e6b8fa53bb93 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.43b6a6ca9d422ffc5b834d4444f1e4b2 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.50359cb2ebfe9fe9c02a85a72af05c6f (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.59d7c9630967f3618c47bc7a1d7c07b7 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.aa956dd2dedf9a82ad502c32d3222460 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.c2ed69e9a0882d265d96930723e45f92 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.c6720ef2a066b0213a2f7cf016ff9c83 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.db91cbcd4c1dc8e15ffa65ac60469610 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.e5f5e296b20d3619ad91bc36678668fc (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.eee7611ca3dfb3faf60af3c494c17c30 (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\config.cfg.f62bafa43ab82f6ce54b4c4b6b359bfb (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\wintouch.cfg (Adware.WinPop) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Application Data\WinTouch\WTUninstaller.exe (Adware.WinPop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atgban.dll (Adware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jgfurcxc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim Baker\Local Settings\Temp\WinAntiSpyware2006Setup.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
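Reconciling an MBAM log's declared counts against the items it lists, and pulling out what is still pending at reboot, as an added example that is not from the original post or from Malwarebytes. The sample log is a constructed, abbreviated excerpt of the log above with the header counts adjusted to match what the excerpt lists; "Delete on reboot" items are the ones the next post's fix still has to deal with.

```python
"""Reconcile a Malwarebytes' Anti-Malware log: declared counts vs listed
items, and which objects are still pending ("Delete on reboot").

Added example, not code from the original post or from Malwarebytes.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an abbreviated excerpt of the MBAM log above, with the
# header counts adjusted to match what the excerpt actually lists.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.11
Database version: 601

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\iifdbCVp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\tuvsPHAp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuvsphap -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\iifdbCVp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\anihqoxm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvsPHAp.dll (Trojan.Vundo) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary block
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")              # detail section
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\)(?P<extra>.*)$")  # "<object> (<family>) ..."


@dataclass(frozen=True)
class Item:
    section: str
    path: str
    family: str
    action: str

    @property
    def pending(self) -> bool:
        # MBAM could not remove the object while it was loaded; it stays on
        # disk / in the registry until the machine restarts.
        return self.action.lower().startswith("delete on reboot")


def parse_mbam(text: str):
    """Return (declared counts by section, Items by section)."""
    declared, found, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m["section"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            found.setdefault(section, [])
            continue
        head, sep, action = line.rpartition(" -> ")  # the action is after the last "->"
        if section is None or not sep:
            continue  # e.g. "(No malicious items detected)"
        m = ITEM_RE.match(head)
        if m:
            found[section].append(Item(section, m["path"], m["family"], action.rstrip(".")))
    return declared, found


@dataclass
class Report:
    declared: dict
    found: dict
    mismatches: dict   # section -> (declared, listed), when they differ
    pending: list      # Items still marked "Delete on reboot"
    families: Counter  # detections per family name


def reconcile(text: str) -> Report:
    declared, found = parse_mbam(text)
    mismatches = {}
    for section, n in declared.items():
        listed = len(found.get(section, []))
        if listed != n:
            mismatches[section] = (n, listed)
    items = [i for lst in found.values() for i in lst]
    pending = [i for i in items if i.pending]
    return Report(declared, found, mismatches, pending, Counter(i.family for i in items))


def pending_paths(report: Report) -> set:
    """Lower-cased objects not yet gone; compare these against the next scan's log."""
    return {i.path.lower() for i in report.pending}


if __name__ == "__main__":
    rep = reconcile(SAMPLE_MBAM_LOG)
    print("count mismatches:", rep.mismatches or "none")
    print("families:", dict(rep.families))
    for i in rep.pending:
        print(f"pending ({i.section}): {i.path}")
```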



#4 jwbirdsong


Posted 10 April 2008 - 07:36 AM

Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> c817e2d7 -> %SystemRoot%\system32\trxgntis.DLL [rundll32.exe "C:\WINDOWS\system32\trxgntis.dll",b]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {16B435F6-B6CE-4F24-A568-944B27ED919C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\atgban.dll [targettedbanner.biz browser enhancer]
YN -> {5026AE88-BE7E-4306-916D-A82844046372} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {7F291ADB-F243-4228-824F-94EAE2EB3881} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {ee7ebc75-1551-40e5-a865-165a457a8840} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\yorbigyf.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {EEB2E169-C761-45B4-B92F-CBC61CC675E9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab[Java Plug-in 1.4.2_03]
YN -> {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab[Java Plug-in 1.5.0_08]
YN -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab[Java Plug-in 1.5.0_09]
YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab[Java Plug-in 1.5.0_10]
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab[Java Plug-in 1.5.0_11]
YN -> {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab[Java Plug-in 1.6.0_02]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab[Java Plug-in 1.6.0_03]
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05]
YN -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab[Java Plug-in 1.6.0_05]
[Files/Folders - Created Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> aqVreo05 -> %SystemRoot%\System32\aqVreo05
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> atgban.dll -> %SystemRoot%\System32\atgban.dll
NY -> axrjywdh.dll -> %SystemRoot%\System32\axrjywdh.dll
NY -> dihtkmvy.dll -> %SystemRoot%\System32\dihtkmvy.dll
NY -> etqykrhb.dll -> %SystemRoot%\System32\etqykrhb.dll
NY -> iifdbCVp.dll -> %SystemRoot%\System32\iifdbCVp.dll
NY -> jgfurcxc.dll -> %SystemRoot%\System32\jgfurcxc.dll
NY -> kxonrbuq.dll -> %SystemRoot%\System32\kxonrbuq.dll
NY -> mhfyoawx.dll -> %SystemRoot%\System32\mhfyoawx.dll
NY -> ndaoqlhc.dll -> %SystemRoot%\System32\ndaoqlhc.dll
NY -> pAHPsvut.ini -> %SystemRoot%\System32\pAHPsvut.ini
NY -> pAHPsvut.ini2 -> %SystemRoot%\System32\pAHPsvut.ini2
NY -> qhjctqrs.ini -> %SystemRoot%\System32\qhjctqrs.ini
NY -> rwihxplx.dll -> %SystemRoot%\System32\rwihxplx.dll
NY -> sitngxrt.ini -> %SystemRoot%\System32\sitngxrt.ini
NY -> spkjmyln.ini -> %SystemRoot%\System32\spkjmyln.ini
NY -> targetedbanner-uninst.exe -> %SystemRoot%\System32\targetedbanner-uninst.exe
NY -> tuvsPHAp.dll -> %SystemRoot%\System32\tuvsPHAp.dll
NY -> @Alternate Data Stream - 88 bytes -> %SystemRoot%\System32\tuvsPHAp.dll:SummaryInformation
NY -> ugrkkoeo.ini -> %SystemRoot%\System32\ugrkkoeo.ini
NY -> winz1 -> %SystemRoot%\System32\winz1
NY -> wmrpwuvx.dll -> %SystemRoot%\System32\wmrpwuvx.dll
NY -> xTmp -> %SystemRoot%\System32\xTmp
NY -> yorbigyf.dll -> %SystemRoot%\System32\yorbigyf.dll
NY -> BMcb24d14b.xml -> %SystemRoot%\BMcb24d14b.xml
NY -> pskt.ini -> %SystemRoot%\pskt.ini
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm
NY -> sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm
NY -> sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm
NY -> sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm
NY -> sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm
NY -> sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> aqVreo05 -> %SystemRoot%\System32\aqVreo05
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> atgban.dll -> %SystemRoot%\System32\atgban.dll
NY -> axrjywdh.dll -> %SystemRoot%\System32\axrjywdh.dll
NY -> dihtkmvy.dll -> %SystemRoot%\System32\dihtkmvy.dll
NY -> etqykrhb.dll -> %SystemRoot%\System32\etqykrhb.dll
NY -> iifdbCVp.dll -> %SystemRoot%\System32\iifdbCVp.dll
NY -> jgfurcxc.dll -> %SystemRoot%\System32\jgfurcxc.dll
NY -> kxonrbuq.dll -> %SystemRoot%\System32\kxonrbuq.dll
NY -> mhfyoawx.dll -> %SystemRoot%\System32\mhfyoawx.dll
NY -> ndaoqlhc.dll -> %SystemRoot%\System32\ndaoqlhc.dll
NY -> pAHPsvut.ini -> %SystemRoot%\System32\pAHPsvut.ini
NY -> pAHPsvut.ini2 -> %SystemRoot%\System32\pAHPsvut.ini2
NY -> qhjctqrs.ini -> %SystemRoot%\System32\qhjctqrs.ini
NY -> rwihxplx.dll -> %SystemRoot%\System32\rwihxplx.dll
NY -> sitngxrt.ini -> %SystemRoot%\System32\sitngxrt.ini
NY -> spkjmyln.ini -> %SystemRoot%\System32\spkjmyln.ini
NY -> tuvsPHAp.dll -> %SystemRoot%\System32\tuvsPHAp.dll
NY -> ugrkkoeo.ini -> %SystemRoot%\System32\ugrkkoeo.ini
NY -> winz1 -> %SystemRoot%\System32\winz1
NY -> xTmp -> %SystemRoot%\System32\xTmp
NY -> yorbigyf.dll -> %SystemRoot%\System32\yorbigyf.dll
NY -> BMcb24d14b.xml -> %SystemRoot%\BMcb24d14b.xml
NY -> pskt.ini -> %SystemRoot%\pskt.ini
NY -> 65626 C:\Documents and Settings\Tim Baker\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Tim Baker\Local Settings\Temp\*.tmp
NY -> 65626 C:\Documents and Settings\Tim Baker\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Tim Baker\Local Settings\Temp\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> VirtumundoBeGone.exe -> %UserProfile%\Desktop\VirtumundoBeGone.exe
NY -> VundoFix.exe -> %UserProfile%\Desktop\VundoFix.exe
[Empty Temp Folders]
[Start Explorer]
[ZipFiles]
[Reboot]

The fix should only take a very short time. (Actually this run may take a while... LOTS of files to remove.) When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

If it reboots this may not happen. If you need to manually find the file it is at Desktop\OTScanIt\MovedFiles\04082008_163441.log or whatever yours is named (Date/Time you ran the fix).

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
*Note
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
The page will reload and you should be able to carry on with the scan.

If the KAV log has your email all over it -- please attach it rather than copy/paste.


Please post
  • OTscan it "results" log (described above)
  • KAV log
  • Fresh OtScanIt log made after KAV
in your next reply here

PS: in your Desktop/OtScanit/Moved Files folder there will now be a 04082008_163441.zip file (your name will vary). Would you please upload that to HERE

Edited by jwbirdsong, 10 April 2008 - 07:55 AM.

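The moved-file list above includes tuvsPHAp.dll next to pAHPsvut.ini and pAHPsvut.ini2: the .ini name is the DLL name spelled backwards, a habit of the Virtumonde/Vundo family these fixes target. The script below is an added example, not part of this thread or of OTScanIt; it parses a constructed list in the same "NY -> name -> path" format (reusing only names from the list above), pairs each DLL with its reversed-name .ini companions, and reports any .ini whose companion DLL is absent, which tells an analyst which DLL name to look for. The pairing rule and the case-insensitive comparison are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the OTScanIt "NY -> name -> path" format. The file names
# are the ones from the fix list in the thread; no other identifiers are invented.
SAMPLE_MOVED_FILES = r"""
NY -> jgfurcxc.dll -> %SystemRoot%\System32\jgfurcxc.dll
NY -> pAHPsvut.ini -> %SystemRoot%\System32\pAHPsvut.ini
NY -> pAHPsvut.ini2 -> %SystemRoot%\System32\pAHPsvut.ini2
NY -> qhjctqrs.ini -> %SystemRoot%\System32\qhjctqrs.ini
NY -> tuvsPHAp.dll -> %SystemRoot%\System32\tuvsPHAp.dll
NY -> winz1 -> %SystemRoot%\System32\winz1
NY -> BMcb24d14b.xml -> %SystemRoot%\BMcb24d14b.xml
"""

ENTRY_RE = re.compile(r"^NY -> (?P<name>\S+) -> (?P<path>.+)$")


def parse_entries(text):
    """Return (name, path) tuples for every 'NY -> name -> path' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["path"]))
    return entries


def split_name(name):
    """'tuvsPHAp.dll' -> ('tuvsphap', 'dll'); lower-cased because NTFS names are case-insensitive."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name.lower(), ""
    return stem.lower(), ext.lower()


def triage(text):
    """Pair DLLs with reversed-name .ini/.ini2 companions; flag .ini files whose DLL is absent."""
    dlls = {}                 # lower-case stem -> DLL file name as listed
    inis = defaultdict(list)  # lower-case stem -> .ini / .ini2 file names
    for name, _path in parse_entries(text):
        stem, ext = split_name(name)
        if ext == "dll":
            dlls[stem] = name
        elif ext in ("ini", "ini2"):
            inis[stem].append(name)

    pairs = {}    # DLL -> companion .ini files (the reversed-name pattern)
    for stem, dll in dlls.items():
        companions = inis.get(stem[::-1])
        if companions:
            pairs[dll] = sorted(companions)

    orphans = {}  # .ini with no DLL in the list -> DLL name the .ini implies (lower-cased)
    for stem, names in inis.items():
        if stem[::-1] not in dlls:
            for ini in names:
                orphans[ini] = stem[::-1] + ".dll"
    return {"pairs": pairs, "orphans": orphans}


if __name__ == "__main__":
    result = triage(SAMPLE_MOVED_FILES)
    for dll, companions in result["pairs"].items():
        print(f"{dll} <-> {', '.join(companions)}  (reversed-name pair)")
    for ini, implied in result["orphans"].items():
        print(f"{ini}: companion DLL {implied} not in list; check for it separately")
```

On the constructed sample, tuvsPHAp.dll pairs with both pAHPsvut.ini files, and qhjctqrs.ini is reported as an orphan implying a srqtcjhq.dll that the list does not contain.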

#5 timoscar

timoscar
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 10 April 2008 - 04:04 PM

OK, I ran OTScanIt with the fix you included and it didn't tell me it was finished or create a log and all I got was a bunch of Trend Micro PC-Cillin messages popping up that I had infected Cryp-Tap-2 viruses in that Moved Files folder. I looked for the "results" log and found nothing. I tried to run it again with that fix and it just froze up. I restarted and ran the other fixes you proposed and they are below:

KAV Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 10, 2008 1:27:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 696078
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 81182
Number of viruses found: 9
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 01:39:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim Baker\.housecall6.6\Quarantine\spsrlbao.dll.bac_a03620 Infected: not-a-virus:AdWare.Win32.Virtumonde.lwv skipped
C:\Documents and Settings\Tim Baker\.housecall6.6\Quarantine\trxgntis.dll.bac_a03620 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Tim Baker\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Tim Baker\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Tim Baker\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Tim Baker\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Tim Baker\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-4d3b8dbb/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Tim Baker\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-4d3b8dbb/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Tim Baker\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-4d3b8dbb/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Tim Baker\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-4d3b8dbb ZIP: infected - 3 skipped
C:\Documents and Settings\Tim Baker\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\VundoFix Backups\iifdbCVp.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\axrjywdh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\dihtkmvy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\etqykrhb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\kxonrbuq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\mhfyoawx.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\ndaoqlhc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\rwihxplx.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\wmrpwuvx.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744.zip/VundoFix Backups/iifdbCVp.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tim Baker\Local Settings\Application Data\ApplicationHistory\TransferAgent.exe.91f03f4d.ini.inuse Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\History\History.IE5\MSHist012008041020080411\index.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\Acr54.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\Acr66.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\Acr7C.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\~DF2A05.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\~DF2A12.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\~DF6F0E.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\~DF6F1B.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temp\~DFD41D.tmp Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tim Baker\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1008.tmp Infected: Trojan-Downloader.Win32.VB.dht skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1957.tmp Infected: Trojan-Downloader.Win32.Homles.au skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\25.tmp Infected: Packed.Win32.Monder.gen skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\30.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.lxl skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\31.tmp Infected: Trojan-Downloader.Win32.Homles.au skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\33E5.tmp Infected: Trojan-Downloader.Win32.VB.dht skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\B169.tmp Infected: Packed.Win32.Monder.gen skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F2D8.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.lxl skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP64\A0008576.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP68\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{390E5149-8ECB-405F-B2B4-7E2F43D5DB85}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\IDME\TGbn1dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\system32\IDME\TGbn1dll.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\system32\IDME\TGbn1dll.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

OTScanIt log after Kav was run: attached

I apologize that I didn't seem to execute this correctly. Could you let me know what I did wrong and where I need to go next with it? Thanks!

Attached Files


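The KAV report above mixes three kinds of line: system files the scanner could not open ("Object is locked skipped"), individual detections ("Infected: <name> skipped"), and archive summaries ("ZIP: infected - 3 skipped", "NSIS: infected - 2 skipped"). Most of the detections sit in quarantine folders, OTScanIt's MovedFiles, the Java cache or a System Restore point, and only the IDME folder is a live location. The script below is an added example, not part of this thread or of any Kaspersky tool; it parses a constructed subset of the report lines posted above and groups the on-disk files by where they sit. The folder markers used for classification are this example's own assumptions.

```python
import re

# Constructed sample: a subset of the Kaspersky Online Scanner lines posted above,
# plus the section header and trailer, so the parser sees the real line shapes.
SAMPLE_KAV_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tim Baker\.housecall6.6\Quarantine\spsrlbao.dll.bac_a03620 Infected: not-a-virus:AdWare.Win32.Virtumonde.lwv skipped
C:\Documents and Settings\Tim Baker\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-4d3b8dbb/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\Tim Baker\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-4d3b8dbb ZIP: infected - 3 skipped
C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\MovedFiles\04102008_084744\WINDOWS\system32\mhfyoawx.dll Infected: Packed.Win32.Monder.gen skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1008.tmp Infected: Trojan-Downloader.Win32.VB.dht skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP64\A0008576.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\WINDOWS\system32\IDME\TGbn1dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\system32\IDME\TGbn1dll.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<fmt>ZIP|NSIS): infected - (?P<count>\d+) skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<detection>\S+) skipped$")

# Assumed folder markers: hits here are already-neutralised copies, not live infections.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\movedfiles\\", "\\vundofix backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_kav_report(text):
    """Turn report lines into records whose kind is 'locked', 'container' or 'infected'."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            records.append({"kind": "locked", "path": m["path"]})
            continue
        m = CONTAINER_RE.match(line)
        if m:
            records.append({"kind": "container", "path": m["path"],
                            "detection": f"{m['fmt']} container ({m['count']} infected)"})
            continue
        m = INFECTED_RE.match(line)
        if m:
            records.append({"kind": "infected", "path": m["path"], "detection": m["detection"]})
        # header, statistics and trailer lines match none of the patterns and are skipped
    return records


def on_disk_path(path):
    """KAV writes 'file/inner/member' for archive members; keep the file that is on disk."""
    return path.split("/", 1)[0]


def classify(path):
    """Where the hit sits: quarantine copy, restore point, Java cache, or a live location."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    if JAVA_CACHE_MARKER in p:
        return "java_cache"
    return "live"


def summarize(records):
    """Unique on-disk files with a detection, grouped by location, plus the locked-file count."""
    groups = {"live": set(), "quarantine": set(), "restore_point": set(), "java_cache": set()}
    locked = 0
    for r in records:
        if r["kind"] == "locked":
            locked += 1
            continue
        groups[classify(r["path"])].add(on_disk_path(r["path"]))
    out = {k: sorted(v) for k, v in groups.items()}
    out["locked"] = locked
    return out


if __name__ == "__main__":
    s = summarize(parse_kav_report(SAMPLE_KAV_REPORT))
    for group in ("live", "java_cache", "restore_point", "quarantine"):
        print(f"{group}: {len(s[group])}")
        for p in s[group]:
            print("   ", p)
    print(f"locked (system files in use, not detections): {s['locked']}")
```

The "locked" lines are ordinary in-use system files (registry hives, event logs, index.dat) and are not detections; the grouping leaves one live file, the Java cache entry and the restore point, which is the order the cleanup in the next replies follows.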

#6 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:24 PM

Posted 11 April 2008 - 06:55 AM

I apologize that I didn't seem to execute this correctly.

Wasn't you... I'm beginning to see a pattern emerge with Trend Micro and OtScanIt. It seems this happens when you "mix" the two.
The important part is that the Scan it fix DID work.

Let's clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings button.
  • Then click Delete Files...
  • There are two options in the window to clear the cache - Leave BOTH checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Manually delete the C:\WINDOWS\SYSTEM32\IDME folder.

Please post a final(?) HijackThis log and let me know how the computer seems to be running.

#7 timoscar

timoscar
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 11 April 2008 - 08:52 AM

It does seem to be running better. I am still getting notification of Cryp-Tap-2 from Trend Micro. The infection appears to be in C:\System Volume Information\_restore. Is there anything I should be doing with this?

I really appreciate all your help. The computer is definitely more functional now but I am concerned that there are still some remnants of the virus hanging on.

Here's the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:18 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC09.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [OTScanIt] C:\Documents and Settings\Tim Baker\Desktop\OTScanIt\OTScanIt.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10622 bytes

#8 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:24 PM

Posted 11 April 2008 - 09:43 AM

The infection appears to be in C:\System Volume Information\_restore. Is there anything I should be doing with this?


That's our last step. It's part of System Restore and I don't like to clean it out till we're all done. An infected restore point is better than none if we would have needed it. The only way that could have affected you is if you would have done a system restore. AV and Anti-Spyware programs can NOT clean them in there. Some say they are successful but they really are not.


So then let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.

  • Make sure you have an Internet Connection.
  • Double-click OTScanIt.exe to run it. (Vista users, please right click on OTScanIt.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtScanIt to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??

#9 timoscar

timoscar
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 11 April 2008 - 10:11 AM

I didn't see it when I restarted this last time but I have been getting SpyBot notification of registry changes and such. I don't always know whether to Allow or Deny. I just don't want to get rid of something that is critical or allow something in that's going to start this process again. Any words of advice on that particular program?

Thanks so much for your help. Everything appears to be running just fine now. Do you recommend cleaning Java frequently?

#10 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:24 PM

Posted 11 April 2008 - 12:04 PM

Do you recommend cleaning Java frequently?
Once a month or so should be fine.
As far as the Spybot pop up, I should have had you disable TeaTimer before making some of the runs. My fault, but according to the log all has been changed/fixed just fine.

#11 timoscar

timoscar
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 11 April 2008 - 12:09 PM

Should I continue to run TeaTimer even without these issues? I just get freaked out about not allowing something through that's SUPPOSED to go through.

#12 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:24 PM

Posted 11 April 2008 - 12:15 PM

Yes by all means keep it.
TeaTimer is a great program that can/will stop Malware from making changes to your registry without you knowing it.

If YOU go to change say your default search engine..it will pop up and you can ACCEPT the change.
When it pops up for NO REASON is when you need to start looking deeper into what changed it to begin with.

The popups when we were running our fixes are normal.... I just neglected to advise you of them.

#13 timoscar

timoscar
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:24 PM

Posted 11 April 2008 - 12:19 PM

OK thanks! It looks like everything is a go here. If you concur, we can close this thread and if anything else arises, I'll check the basics that you told me about and re-post a HJT Log in a new topic. But it seems like everything is fine now.

#14 jwbirdsong

jwbirdsong

    Slaher O' Spyware


  • Members
  • 232 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:24 PM

Posted 11 April 2008 - 12:28 PM

Glad we were able to help. As this appears to be solved, the topic will be closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
