Infected With Klone Virus


14 replies to this topic

#1 byonic

  • Members
  • 43 posts
  • Gender:Male
  • Location:UK

Posted 16 October 2006 - 08:11 AM

Hello,

I am having various problems with my PC, which I think is due to a Klone virus infection. I followed the instructions on your page called 'Preparation Guide For Use Before Posting A Hijackthis log', which was some help, but I am still having trouble.

The Klone virus was detected and 'removed' by Ad-Aware, but was then rediscovered by Trend's online Housecall programme. I attempted to clean my computer with every piece of software that was available to me, which included PC Tools' Spyware Doctor, Ad-Aware, Trend's Housecall, the Stinger program recommended in your Guide, Panda Anti-virus, BitDefender and Spybot Search & Destroy.

I have just carried out another search but no viruses were found, although some suspect cookies were. I removed these with the software.

My main problem now is that my internet connection is flaky: it keeps losing the connection, and I get the Internet connection error page when I use an internet browser. It is the same for all the computers that are on my small peer-to-peer network. It seems as though our router is being bombarded with information and so the connection gets swamped.

When I am internet browsing, Spyware S&D tells me often that attempts are being made to alter my registry, usually by a dodgy/unscrupulous search engine. I have denied these changes.

Please help.

Regards,

Byron

My HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:44:24, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe
C:\PROGRA~1\Hardware\Mouse\Amoumain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrustCast\trustcast.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigyellowfeet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1D4BAA16-BEEA-45E2-8E97-0E09FA0E8C5C} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {4C81BF94-0858-0F84-AC1E-08C044FA0FEF} - C:\WINDOWS\system32\qmcxqye.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6359BC9E-0877-B686-FEAC-09B4E130EBEF} - C:\WINDOWS\system32\szksohh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\yihsanjy.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Hardware\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrustCast] "C:\Program Files\TrustCast\trustcast.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3E4C89A-9FF7-48A1-9029-7E41706A47BC} - http://secure.trustcast.com/winstall/TrustCast_Installer.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Big Yellow Feet
The production company

#2 Guest_Cretemonster_*

  • Guests

Posted 17 October 2006 - 04:46 AM

Hi byonic and Welcome to the Bleeping Computer!


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 byonic
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Location:UK

Posted 17 October 2006 - 12:35 PM

Hello Cretemonster,

and thanks for the post. I have done as you ask, and the logs follow.

Another thing: as I am interested in what is going on with my machine and the fixes that you are instructing me with, would you be able to explain what I am fixing?
It's just that the logs look like gobbledegook to me, and I just wondered what it was in there that alerted you to a particular thing! Don't worry if it is too time-consuming to explain, I'm just interested in things I don't understand!

Many thanks in advance.

VundoFix.txt -


VundoFix V6.2.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 18:11:53 17/10/2006

Listing files found while scanning....

C:\WINDOWS\system32\qmcxqye.dll
C:\WINDOWS\system32\szksohh.dll
C:\WINDOWS\system32\vqainitk.dll
C:\WINDOWS\system32\yihsanjy.dll
C:\WINDOWS\system32\ulopfwgh.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qmcxqye.dll
C:\WINDOWS\system32\qmcxqye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\szksohh.dll
C:\WINDOWS\system32\szksohh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vqainitk.dll
C:\WINDOWS\system32\vqainitk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yihsanjy.dll
C:\WINDOWS\system32\yihsanjy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ulopfwgh.exe
C:\WINDOWS\system32\ulopfwgh.exe Has been deleted!

Performing Repairs to the registry.
Done!





HijackThis log -

Logfile of HijackThis v1.99.1
Scan saved at 18:23:46, on 17/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe
C:\PROGRA~1\Hardware\Mouse\Amoumain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrustCast\trustcast.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigyellowfeet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1D4BAA16-BEEA-45E2-8E97-0E09FA0E8C5C} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {4C81BF94-0858-0F84-AC1E-08C044FA0FEF} - C:\WINDOWS\system32\qmcxqye.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6359BC9E-0877-B686-FEAC-09B4E130EBEF} - C:\WINDOWS\system32\szksohh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\yihsanjy.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Hardware\Mouse\Amoumain.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrustCast] "C:\Program Files\TrustCast\trustcast.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3E4C89A-9FF7-48A1-9029-7E41706A47BC} - http://secure.trustcast.com/winstall/TrustCast_Installer.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#4 Guest_Cretemonster_*

  • Guests

Posted 17 October 2006 - 02:54 PM

I am having various problems with my PC, which I think is due to a Klone virus infection.


O2 - BHO: (no name) - {1D4BAA16-BEEA-45E2-8E97-0E09FA0E8C5C} - C:\WINDOWS\system32\mljjk.dll (file missing)

O2 - BHO: (no name) - {4C81BF94-0858-0F84-AC1E-08C044FA0FEF} - C:\WINDOWS\system32\qmcxqye.dll

O2 - BHO: (no name) - {6359BC9E-0877-B686-FEAC-09B4E130EBEF} - C:\WINDOWS\system32\szksohh.dll

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\yihsanjy.dll


KLONES :thumbsup:


About as best I can explain it. :flowers:


I need you to disable Tea Timer please.
http://www.russelltexas.com/malware/teatimer.htm

After Tea Timer is Disabled and you have rebooted.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {1D4BAA16-BEEA-45E2-8E97-0E09FA0E8C5C} - C:\WINDOWS\system32\mljjk.dll (file missing)

O2 - BHO: (no name) - {4C81BF94-0858-0F84-AC1E-08C044FA0FEF} - C:\WINDOWS\system32\qmcxqye.dll (file missing)

O2 - BHO: (no name) - {6359BC9E-0877-B686-FEAC-09B4E130EBEF} - C:\WINDOWS\system32\szksohh.dll (file missing)

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\yihsanjy.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button



Please download Combofix to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.



Something you may want to seriously consider for the PC.


Free Antivirus Software Programs

AntiVir® PersonalEdition Classic

AVG Free for Windows

BitDefender 8 Free Edition

avast! 4 Home Edition


You really should install one of these free firewalls as well, since Microsoft's firewall leaves a lot to be desired.

Sunbelt Kerio Personal Firewall

ZoneAlarm Free

Outpost Firewall FREE
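The pattern Cretemonster points to above (BHO entries with no registered name, loaded from system32 under random-looking file names, which then show up as "(file missing)" once VundoFix has deleted the DLL but the registry registration is left behind) can be checked mechanically. The Python script below is an added example written for this page; it is not part of the thread and is not code from HijackThis, VundoFix or ComboFix. It parses the O2 lines excerpted from the two logs byonic posted, flags the Vundo-style entries with a heuristic (the rule in looks_like_vundo_bho is an assumption drawn from the pattern in this thread, not a vendor signature) and lists which registrations became orphaned after cleanup, which is exactly the set Cretemonster asks to have fixed in HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List

# O2 (Browser Helper Object) lines excerpted from the two HijackThis logs in
# this thread: the 16/10/2006 log and the 17/10/2006 log taken after VundoFix.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {1D4BAA16-BEEA-45E2-8E97-0E09FA0E8C5C} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {4C81BF94-0858-0F84-AC1E-08C044FA0FEF} - C:\WINDOWS\system32\qmcxqye.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6359BC9E-0877-B686-FEAC-09B4E130EBEF} - C:\WINDOWS\system32\szksohh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\yihsanjy.dll
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {1D4BAA16-BEEA-45E2-8E97-0E09FA0E8C5C} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {4C81BF94-0858-0F84-AC1E-08C044FA0FEF} - C:\WINDOWS\system32\qmcxqye.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6359BC9E-0877-B686-FEAC-09B4E130EBEF} - C:\WINDOWS\system32\szksohh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\yihsanjy.dll (file missing)
"""

# HijackThis O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Heuristic (assumption drawn from this thread): the Vundo DLLs here are
# short, all-lowercase, letter-only names such as mljjk or qmcxqye.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool


def parse_bho_lines(log: str) -> List[BhoEntry]:
    """Return the O2 BHO entries of a HijackThis log, in log order."""
    entries = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"].upper(),
                                    m["path"], m["missing"] is not None))
    return entries


def looks_like_vundo_bho(entry: BhoEntry) -> bool:
    """Unnamed BHO, loaded from system32, with a random-looking file name.

    All three conditions are needed: Spybot's SDHelper.dll is also "(no name)"
    but lives in its own program folder, so the path condition keeps it out.
    """
    directory, _, filename = entry.path.rpartition("\\")
    stem = filename.lower().removesuffix(".dll")
    return (entry.name == "(no name)"
            and directory.lower().endswith("\\windows\\system32")
            and RANDOM_STEM_RE.match(stem) is not None)


def flag_suspicious(log: str) -> List[str]:
    """CLSIDs of the BHO entries that match the Vundo heuristic."""
    return [e.clsid for e in parse_bho_lines(log) if looks_like_vundo_bho(e)]


def orphaned_after_cleanup(before: str, after: str) -> List[str]:
    """CLSIDs whose DLL existed in the first log but is "(file missing)" in
    the second: the file was deleted, the registration was not. These are the
    entries that still need fixing in HijackThis after VundoFix has run."""
    present_before = {e.clsid for e in parse_bho_lines(before) if not e.file_missing}
    return [e.clsid for e in parse_bho_lines(after)
            if e.file_missing and e.clsid in present_before]


if __name__ == "__main__":
    for clsid in flag_suspicious(LOG_BEFORE):
        print("suspicious BHO:", clsid)
    for clsid in orphaned_after_cleanup(LOG_BEFORE, LOG_AFTER):
        print("orphaned registration after cleanup:", clsid)
```

Run against the two excerpts, the script flags all four unnamed system32 BHOs in both logs and reports three CLSIDs as orphaned after VundoFix (mljjk.dll was already missing in the first log, so it is not counted as newly orphaned, though it is still flagged). The name check alone would be a poor rule, since legitimate software such as Spybot's helper also registers without a display name; combining it with the load path and the file-name shape is what makes the heuristic usable on a real log.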

#5 byonic
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Male
  • Location:UK

Posted 18 October 2006 - 04:37 AM

Thanks Cretemonster. Simple description of looking for the problem! :thumbsup:

I was wondering how one becomes as well-versed as yourself in this virus stuff. Years of dedication?

On the list of anti virus and firewall programs you gave, are there ones you would personally recommend?


ComboFix.txt:


Byron - 06-10-18 10:20:14.04 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Byron\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{204DCFE4-0AE9-1033-0917-04040713002c}


((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-17 11:29 76,560 --a------ C:\windows\system32\drivers\tmcomm.sys
2006-10-09 14:47 512,000 -ra------ C:\windows\system32\KCINST32.DLL
2006-09-29 17:13 51,072 --a------ C:\windows\system32\drivers\ikhlayer.sys
2006-09-29 17:13 30,592 --a------ C:\windows\system32\drivers\ikhfile.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-18 10:20 -------- d-------- C:\Program Files\Common Files
2006-10-18 10:17 -------- d-------- C:\Program Files\HijackThis
2006-10-18 10:05 -------- d-------- C:\Documents and Settings\Byron\Application Data\TrustCast
2006-10-17 13:11 -------- d-------- C:\Documents and Settings\Byron\Application Data\SmartFTP
2006-10-16 16:52 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-16 12:34 -------- d-------- C:\Program Files\Lavasoft
2006-10-16 12:34 -------- d-------- C:\Documents and Settings\Byron\Application Data\Lavasoft
2006-10-16 10:38 -------- d-------- C:\Program Files\Google
2006-10-13 09:21 -------- d-------- C:\Program Files\Internet Explorer
2006-10-12 17:28 -------- d-------- C:\Program Files\Common Files\System
2006-10-12 16:29 -------- d-------- C:\Program Files\Common Files\Softwin
2006-10-12 10:25 -------- d-------- C:\Program Files\Softwin
2006-10-12 09:33 -------- d-------- C:\Program Files\WinZip
2006-10-12 09:33 -------- d-------- C:\Program Files\VideoraiPodConverter
2006-10-12 09:33 -------- d-------- C:\Program Files\TrustCast
2006-10-12 09:33 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-12 09:32 -------- d-------- C:\Program Files\QuickTime
2006-10-12 09:30 -------- d-------- C:\Program Files\iTunes
2006-10-12 09:30 -------- d-------- C:\Program Files\HP Web Jetadmin
2006-10-11 14:01 -------- d-------- C:\Program Files\VSToolbar
2006-10-09 20:39 -------- d-------- C:\Program Files\Microsoft Office
2006-10-09 20:39 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-10-09 20:39 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-09 20:38 -------- d-------- C:\Program Files\Microsoft.NET
2006-10-09 14:48 -------- d-------- C:\Program Files\Kyocera
2006-10-03 14:12 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-09-29 17:13 -------- d-------- C:\Documents and Settings\Byron\Application Data\PC Tools
2006-09-29 16:20 -------- d-------- C:\Program Files\Trend Micro
2006-09-27 12:21 -------- d-------- C:\Program Files\Hardware
2006-09-14 12:20 -------- d-------- C:\Program Files\Radmin
2006-09-13 06:01 1084416 --a------ C:\windows\system32\msxml3.dll
2006-09-12 14:27 -------- d-------- C:\Documents and Settings\Byron\Application Data\Google
2006-08-25 16:45 617472 --a------ C:\windows\system32\comctl32.dll
2006-08-22 15:20 -------- d-------- C:\Program Files\Insurance Information Institute
2006-08-21 13:21 16896 --a------ C:\windows\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\windows\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\windows\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\windows\system32\6to4svc.dll
2006-07-27 14:24 679424 --a------ C:\windows\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\windows\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TrustCast"="\"C:\\Program Files\\TrustCast\\trustcast.exe\""
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Net-It Launcher"="C:\\WINDOWS\\System32\\NILaunch.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VideoraiPodConverter"="C:\\Program Files\\VideoraiPodConverter\\VideoraiPodConverter.exe -t"
"WheelMouse"="C:\\PROGRA~1\\Hardware\\Mouse\\Amoumain.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e4,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,e4,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-18 10:21:26.68
C:\ComboFix.txt ... 06-10-18 10:21

#6 Guest_Cretemonster_*

  • Guests

Posted 18 October 2006 - 04:46 AM

I'm in a rush to get to work, but if you look around the forum, you will see there is a school to learn how to read HijackThis logs.


As for your first question:

After you look at logs day after day and listen to what the users' symptoms are, you get a pretty good idea of what's going on.

Sometimes but not always! :thumbsup:

The choice of products listed is simply for ease of use and dependability.

AVG and Zone Alarm are about as good a free AV and Firewall as you will find.

Both take some getting used to, but they are worth it. :flowers:


Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#7 byonic

Posted 18 October 2006 - 06:27 AM

I'll have to spend a few hours looking through the forums to learn a little, I think. :thumbsup:

Hope replying to me didn't make you late for work!

Would the approach we have followed for this particular problem work with other infections, i.e. worms?



I have done the scan and the report follows.


F-secure Online Scanner 3.0.19 report:

Scanning Report
Wednesday, October 18, 2006 11:14:51 - 12:05:48
Computer name: MACHINE03
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 5 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 34145
System: 4338
Not scanned: 6
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 4
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\MMF.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\BYRON\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\ARCHIVE1.PST
C:\DOCUMENTS AND SETTINGS\BYRON\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK1.PST

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-18
F-Secure Libra: 2.4.1, 2006-10-17
F-Secure Orion: 1.2.37, 2006-10-16
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-29
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

#8 Guest_Cretemonster_*

Posted 18 October 2006 - 03:16 PM

Make sure you go through Outlook and clean up all your unneeded mail.


Please run the Bit Defender Online Scan
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format, please, and post it back here.

#9 byonic

Posted 19 October 2006 - 08:40 AM

I went through my Outlook folders and deleted unnecessary messages before running the scan.


BitDefender Online Scanner

Scan report generated at: Thu, Oct 19, 2006 - 14:30:01

Scan path: A:\;C:\;D:\;

Statistics
Time: 01:21:59
Files: 670309
Folders: 5674
Boot Sectors: 3
Archives: 4362
Packed Files: 99354

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info
Virus Definitions: 477458
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\Documents and Settings\Byron\.housecall6.6\Quarantine\mst97.tmp.bac_a03632=>(Quarantine-4)
Infected with: Trojan.Klone.I

C:\Documents and Settings\Byron\.housecall6.6\Quarantine\mst97.tmp.bac_a03632=>(Quarantine-4)
Disinfection failed

C:\Documents and Settings\Byron\.housecall6.6\Quarantine\mst97.tmp.bac_a03632=>(Quarantine-4)
Deleted

#10 Guest_Cretemonster_*

Posted 19 October 2006 - 03:29 PM

You can delete this entire folder---> C:\Documents and Settings\Byron\.housecall6.6

Please Install these 2 to add to the Security of the PC

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm


How is the PC running today?

Did you find the HijackThis school yet?

#11 byonic

Posted 23 October 2006 - 06:22 AM

Hi Cretemonster,

Sorry for the delay in replying; I have been away for the weekend. Back now though, and I have deleted the folder and am currently downloading the suggested programs.

I haven't looked at the HijackThis school yet, although I intend to. My friend is having a similar problem with his PC and has asked me how I was dealing with mine. Perhaps I will be able to help him out...

... if not, I guess I will add to my post score!

So regarding my computer: is it now clean?

If so, many thanks for your fix advice. :thumbsup:

Regards,

Byron

#12 Guest_Cretemonster_*

Posted 24 October 2006 - 03:26 AM

No worries about the delays, I'm up to my ears in work right now. :thumbsup:


I'm pretty sure the machine is clean, but I would like to see one more scan.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#13 byonic

Posted 24 October 2006 - 06:20 AM

Oh dear, it reported 3 viruses were found. Where have they been hiding?


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 24, 2006 12:10:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/10/2006
Kaspersky Anti-Virus database records: 234372
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
U:\
V:\
W:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 73745
Number of viruses found: 3
Number of infected objects: 13 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:49:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Byron\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\Byron\Application Data\TrustCast\TMNClient.cerr Object is locked skipped
C:\Documents and Settings\Byron\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\Application Data\ApplicationHistory\VideoraiPodConverter.exe.9515a3a.ini.inuse Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\Temp\~DFBD4A.tmp Object is locked skipped
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Byron\My Documents\Unzipped\radmin21\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Byron\My Documents\Unzipped\radmin21\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Byron\My Documents\Unzipped\radmin21\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Documents and Settings\Byron\My Documents\Unzipped\radmin21\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Documents and Settings\Byron\My Documents\Unzipped\radmin21\RADMIN21.EXE Gentee: infected - 4 skipped
C:\Documents and Settings\Byron\ntuser.dat Object is locked skipped
C:\Documents and Settings\Byron\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\access_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\error_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\ssl_request_log Object is locked skipped
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\VundoFix Backups\vqainitk.dll.bad Infected: Packed.Win32.Klone.k skipped
C:\windows\Debug\passwd.log Object is locked skipped
C:\windows\SchedLgU.Txt Object is locked skipped
C:\windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\windows\Sti_Trace.log Object is locked skipped
C:\windows\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\windows\system32\CatRoot2\edb.log Object is locked skipped
C:\windows\system32\CatRoot2\tmp.edb Object is locked skipped
C:\windows\system32\config\AppEvent.Evt Object is locked skipped
C:\windows\system32\config\default Object is locked skipped
C:\windows\system32\config\default.log Object is locked skipped
C:\windows\system32\config\sam Object is locked skipped
C:\windows\system32\config\sam.log Object is locked skipped
C:\windows\system32\config\SecEvent.Evt Object is locked skipped
C:\windows\system32\config\security Object is locked skipped
C:\windows\system32\config\security.log Object is locked skipped
C:\windows\system32\config\software Object is locked skipped
C:\windows\system32\config\software.log Object is locked skipped
C:\windows\system32\config\SysEvent.Evt Object is locked skipped
C:\windows\system32\config\system Object is locked skipped
C:\windows\system32\config\system.log Object is locked skipped
C:\windows\system32\h323log.txt Object is locked skipped
C:\windows\system32\mmf.sys Object is locked skipped
C:\windows\system32\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\windows\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\windows\system32\wbem\Repository\fs\index.btr Object is locked skipped
C:\windows\system32\wbem\Repository\fs\INDEX.MAP Object is locked skipped
C:\windows\system32\wbem\Repository\fs\MAPPING.VER Object is locked skipped
C:\windows\system32\wbem\Repository\fs\MAPPING1.MAP Object is locked skipped
C:\windows\system32\wbem\Repository\fs\MAPPING2.MAP Object is locked skipped
C:\windows\system32\wbem\Repository\fs\OBJECTS.DATA Object is locked skipped
C:\windows\system32\wbem\Repository\fs\OBJECTS.MAP Object is locked skipped
C:\windows\wiadebug.log Object is locked skipped
C:\windows\wiaservc.log Object is locked skipped
C:\windows\WindowsUpdate.log Object is locked skipped

Scan process completed.
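Added example, not part of the thread: a small Python parser for the Kaspersky Online Scanner report layout posted above, sorting the hits the way Cretemonster did (locked in-use system files are noise, not-a-virus:RemoteAdmin hits need the user to confirm they installed the tool, hits under a cleanup tool's backup or quarantine folder are leftovers to delete). The sample lines and the QUARANTINE_DIRS list are constructed assumptions, not part of the original report.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky Online Scanner 5 report layout seen in the
# post above; paths are shortened, not copied in full (backslashes doubled for Python).
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\windows\\system32\\config\\sam Object is locked skipped
C:\\Program Files\\Radmin\\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\\Documents and Settings\\Byron\\My Documents\\Unzipped\\radmin21\\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\\Documents and Settings\\Byron\\My Documents\\Unzipped\\radmin21\\RADMIN21.EXE Gentee: infected - 4 skipped
C:\\VundoFix Backups\\vqainitk.dll.bad Infected: Packed.Win32.Klone.k skipped
Scan process completed.
"""

# One report line is "<path> <verdict> skipped", where the verdict is one of
# "Object is locked", "Infected: <detection>" or "<Packer>: infected - <n>" (archive summary).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<packer>\S+): infected - (?P<count>\d+)) skipped$"
)

# Assumed folders holding copies an earlier cleanup tool already neutralised
# (the thread's VundoFix Backups and HouseCall quarantine); hits there are leftovers.
QUARANTINE_DIRS = ("\\VundoFix Backups\\", "\\.housecall")

def parse_report(text):
    """Return one dict per detection line; header and footer lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        kind = "locked" if m.group("locked") else "infected" if m.group("name") else "container"
        findings.append({"path": m.group("path"), "kind": kind,
                         "name": m.group("name") or m.group("packer")})
    return findings

def triage(findings):
    """Bucket detections into the follow-up each one needs."""
    buckets = defaultdict(list)
    for f in findings:
        if f["kind"] == "locked":
            buckets["locked_noise"].append(f["path"])         # in-use file, no verdict given
        elif f["kind"] == "container":
            buckets["archive_summary"].append(f["path"])      # archive-level count of inner hits
        elif any(q in f["path"] for q in QUARANTINE_DIRS):
            buckets["quarantine_leftover"].append(f["path"])  # delete the backup folder
        elif f["name"].startswith("not-a-virus:"):
            buckets["riskware_confirm"].append(f["path"])     # ask whether the user installed it
        else:
            buckets["active_malware"].append(f["path"])       # genuinely needs cleanup
    return dict(buckets)
```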

#14 Guest_Cretemonster_*

Posted 26 October 2006 - 05:28 PM

Sorry for the delay, it's been a busy week at work.

Remote Administrator application
http://www.liutilities.com/products/wintas...brary/r_server/

Did you install this on the computer?

Go ahead and delete this folder--> C:\VundoFix Backups

#15 byonic

Posted 16 February 2007 - 06:40 AM

Just wanted to check back in with this thread as I didn't want to appear rude, and as though I wasn't grateful for the excellent help I received.

My computer seems back to normal now, it doesn't act weirdly anymore.

Many thanks for all your good advice Cretemonster, and apologies for the extremely late reply!

Regards,

Byron :thumbsup:


Note: The program that Cretemonster mentioned for remote access was installed by a legitimate source: i.e. me. I was attempting to link up to my network from a remote location but had trouble getting on with the router so I shelved that project, and didn't bother removing the program. I assume that this wouldn't cause major headaches?