[Resolved] Newbie infected with Trojan


25 replies to this topic

#1 Whatthetechfan (New Member, 13 posts)

Posted 15 April 2008 - 10:00 AM

Hello:

Thank you in advance for your help. I believe I am infected with some sort of virus. I was using the free version of AVAST to protect my computer, but apparently something got through. All of a sudden, my browser started to get hijacked and redirected to web pages that were advertising various products. I'd also constantly get popup dialog boxes saying that I needed to protect my computer and protect my privacy and that I needed to buy this particular brand of virus protection. Also my internet was slow and I couldn't do any searches from Google. It would just be paused forever when I typed in a search term.

I then uninstalled AVAST and installed Kaspersky. Kaspersky found a number of viruses including "Trojan.Win32.KillAV.rf" and "Packed.Win32.Monder.gen" and "Trojan-downloader.win32.homles.bb". It said it could not disinfect them so it deleted the files.

The problem has still not gone away. Regardless of which browser I use (Opera, IE, Firefox), the internet is incredibly slow (can't even get to Yahoo mail), search engines don't work, and my browser is constantly hijacked and redirected to various web sites selling products.

I then downloaded HijackThis 2.0.2 and generated a log file, which is below. I couldn't post my "uninstall file log" because HijackThis wouldn't let me save the file for some weird reason. Thus I took screenshots, which I've put in a PowerPoint deck.

The problem is so bad that I am now in Safe Mode for my Windows XP Pro SP1 computer because I couldn't even post this message when I was not in safe mode. I'd appreciate your help.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:34 AM, on 4/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\ESPN VPN\ESPN VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ESPN MIS Security IE6
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera 301PLH
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [BM07e436a1] Rundll32.exe "C:\WINDOWS\System32\eugnxyjp.dll",s
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ayqmxaqj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: scratchpad.txt
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.espn.pvt
O17 - HKLM\Software\..\Telephony: DomainName = corp.espn.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.espn.pvt
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.espn.pvt
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: ESPN MIS Technology Support VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\ESPN VPN\ESPN VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe

--
End of file - 7915 bytes



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 18 April 2008 - 03:58 PM


Sorry about the delay in responding :(

If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

 


#3 Whatthetechfan (New Member, 13 posts)

Posted 18 April 2008 - 05:37 PM

Thanks for your reply! I am actually out of town for the weekend (on a friend's computer) and don't have access to my computer, but I can reply to you on Monday with the information you requested. Can you check this thread again on Monday, or is there another way to get in touch with you? Thanks

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 18 April 2008 - 05:39 PM

:thumbup:



#5 Whatthetechfan (New Member, 13 posts)

Posted 21 April 2008 - 08:01 AM

Thank you for your response. My computer is seriously hosed. I can only browse the web without issues while I'm in Safe Mode, as I am now. When I try to operate in normal mode on XP SP1, my internet experience is extremely slow. It takes a few minutes when I click on a link, and even then the browser gets redirected to a web site selling something like www.go211.com. Also, I keep getting pop up dialog boxes that say things like, "Winanonymous may find dangerous traces that need to be cleaned. Don't let your privacy and reputation to be ruined by them. Click "ok" to start WinAnonymous scanner to remove compromising traces and set up controls to protect your privacy by cleaning or removing dangerous information". I never hit "ok"; instead I hit the X to close the dialog boxes, and it takes me to the Winanonymous web site. I also am on a trial version of Kaspersky. I had AVAST but I uninstalled it because I was disappointed it didn't prevent this virus. Kaspersky has found a number of viruses like Packed.win32.monder.gen, Trojan-Downloader.win32.homless.bb, and most recently Virtumonde.pil. When I start the computer in normal mode, Kaspersky keeps finding viruses and deletes them, but I still have problems with the browser running slow and being redirected.

Below is the Hijack this log. After that is the Kaspersky log. Both were run when the computer was in Normal mode. Thank you very much for your help!

----------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:28 AM, on 4/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\ESPN VPN\ESPN VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera 301PLH
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [BM07e436a1] Rundll32.exe "C:\WINDOWS\System32\ocbybcfd.dll",s
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ikbfsgnc.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: scratchpad.txt
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters:
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe

--
End of file - 7690 bytes

Protection : running
--------------------
Total scanned: 7333
Detected: 26
Untreated: 0
Start time: 4/21/2008 9:09:43 AM
Duration: 00:07:49


Detected
--------
Status Object
------ ------
deleted: virus Packed.Win32.Monder.gen File: C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch
deleted: virus Packed.Win32.Monder.gen File: C:\WINDOWS\system32\awtsTLCv.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Homles.bb File: C:\WINDOWS\mrofinu572.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: virus Packed.Win32.Monder.gen File: C:\WINDOWS\system32\khfDwwxU.dll//PE_Patch
deleted: virus Packed.Win32.Monder.gen File: C:\WINDOWS\system32\xxyawvSm.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Homles.bb File: C:\WINDOWS\mrofinu572.exe.tmp//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: virus Heur.Invader (modification) URL: http://downloads.and...Fix/catchme.exe
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\zrt20080408[1]
detected: Trojan program Trojan.Win32.KillAV.rf URL: http://82.98.235.78/...u...E4&rid=wen5
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\DOCUME~1\knopfm\LOCALS~1\Temp\gqdlitrs.dll
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\05QRWLQZ\zrt20080408[1]
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\WINDOWS\system32\oegdwdtv.dll
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\WINDOWS\system32\yqtrbcnu.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.nvf File: C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\kriv[1]//PE_Patch
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.nvf File: C:\WINDOWS\SYSTEM32\NXIDUARP.DLL//PE_Patch
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\DOCUME~1\knopfm\LOCALS~1\Temp\cvxqstxw.dll
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\O167GTYF\zrt20080408[1]
deleted: riskware not-a-virus:Downloader.Win32.WinFixer.au File: C:\Documents and Settings\knopfm\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.exe
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\IGTRJTU7\zrt20080408[1]
deleted: riskware not-a-virus:Downloader.Win32.WinFixer.au File: C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe
deleted: Trojan program Trojan.Win32.KillAV.rf File: C:\WINDOWS\system32\liccltrq.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.okj File: C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL
detected: riskware Invader (loader) Running process: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
detected: riskware Invader (loader) Running process: C:\WINDOWS\system32\rundll32.exe
detected: riskware Invader (loader) Running process: C:\WINDOWS\explorer.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.pil File: C:\WINDOWS\SYSTEM32\UMNUCCLC.DLL


Below is the Kaspersky event report


Events
------
Time Event
---- -----
4/11/2008 10:21:26 AM Kaspersky Anti-Virus is not activated. You are advised to activate the application as soon as possible.
4/11/2008 10:21:27 AM You are advised to perform a full computer scan as soon as possible.
4/11/2008 10:21:38 AM Database is out of date, leaving your computer at risk of infection. Please update your database.
4/11/2008 10:21:39 AM Protection of your computer is enabled.
4/11/2008 10:27:21 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'. User: CORP\NY6MOB905403L$, computer: localhost.
4/11/2008 10:27:21 AM Security threats have been detected. You are advised to neutralize them immediately.
4/11/2008 10:27:22 AM Update completed successfully
4/11/2008 10:27:42 AM File C:\WINDOWS\system32\awtsTLCv.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:28:28 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:28:28 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: is still infected, cannot be disinfected.
4/11/2008 10:28:30 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:28:30 AM File C:\WINDOWS\system32\urqRKCsp.dll will be deleted on system restart.
4/11/2008 10:28:30 AM Startup object HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqRKCsp\urqRKCsp: deleted.
4/11/2008 10:28:31 AM Startup object HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}\{24E9519B-3F70-429B-99BC-4B2B49B96F66}: deleted.
4/11/2008 10:28:37 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:28:57 AM File C:\WINDOWS\system32\awtsTLCv.dll//PE_Patch: is still infected, cannot be disinfected.
4/11/2008 10:28:59 AM File C:\WINDOWS\System32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:29:07 AM File C:\WINDOWS\system32\urqRKCsp.dll will be deleted on system restart.
4/11/2008 10:29:07 AM File C:\WINDOWS\System32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'. User: CORP\KnopfM, computer: localhost.
4/11/2008 10:29:10 AM File C:\WINDOWS\system32\awtsTLCv.dll: deleted.
4/11/2008 10:29:20 AM File C:\WINDOWS\mrofinu572.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX: detected: Trojan program 'Trojan-Downloader.Win32.Homles.bb'.
4/11/2008 10:29:20 AM Security threats have been detected. You are advised to neutralize them immediately.
4/11/2008 10:29:20 AM File C:\WINDOWS\mrofinu572.exe will be deleted on system restart.
4/11/2008 10:29:29 AM File C:\WINDOWS\system32\khfDwwxU.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:29:29 AM Security threats have been detected. You are advised to neutralize them immediately.
4/11/2008 10:30:21 AM File c:\windows\system32\urqrkcsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:31:06 AM File C:\WINDOWS\system32\khfDwwxU.dll//PE_Patch: is still infected, skipped by user.
4/11/2008 10:31:37 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:31:37 AM File C:\WINDOWS\system32\urqRKCsp.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'. User: CORP\NY6MOB905403L$, computer: localhost.
4/11/2008 10:31:53 AM File C:\WINDOWS\system32\xxyawvSm.dll//PE_Patch: detected: virus 'Packed.Win32.Monder.gen'.
4/11/2008 10:31:53 AM File C:\WINDOWS\system32\xxyawvSm.dll//PE_Patch: is still infected, skipped by user.
4/11/2008 10:32:01 AM Protection of your computer is not running. You are advised to resume protection.
4/11/2008 10:33:36 AM Kaspersky Anti-Virus is not activated. You are advised to activate the application as soon as possible.
4/11/2008 10:33:37 AM You are advised to perform a full computer scan as soon as possible.
4/11/2008 10:33:50 AM Security threats have been detected. You are advised to neutralize them immediately.
4/11/2008 10:33:50 AM Protection of your computer is enabled.
4/11/2008 10:36:09 AM The application C:\Program Files\Network Associates\Common Framework\FrameworkService.exe cannot establish connection with server 172.22.232.176. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.
4/11/2008 11:11:54 AM Process (PID 1120) tried to access Kaspersky Anti-Virus process (PID 1756), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 12:08:25 PM File C:\WINDOWS\mrofinu572.exe.tmp//PE_Patch.Upolyx//PE_Patch.UPX//UPX: detected: Trojan program 'Trojan-Downloader.Win32.Homles.bb'.
4/11/2008 12:08:25 PM Security threats have been detected. You are advised to neutralize them immediately.
4/11/2008 12:08:25 PM File C:\WINDOWS\mrofinu572.exe.tmp//PE_Patch.Upolyx//PE_Patch.UPX//UPX: is still infected, postponed.
4/11/2008 12:42:52 PM Update cannot be started because of an error: no license key
4/11/2008 12:52:28 PM Process (PID 2804) tried to access Kaspersky Anti-Virus process (PID 1756), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 12:52:28 PM Process (PID 2804) tried to access Kaspersky Anti-Virus process (PID 4056), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 1:03:33 PM Update completed successfully
4/11/2008 3:04:58 PM Update completed successfully
4/11/2008 3:28:00 PM Process (PID 3548) tried to access Kaspersky Anti-Virus process (PID 4056), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 3:28:00 PM Process (PID 3548) tried to access Kaspersky Anti-Virus process (PID 1756), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 3:42:11 PM Protection of your computer is enabled.
4/11/2008 3:42:25 PM Process (PID 452) tried to access Kaspersky Anti-Virus process (PID 1912), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 3:45:04 PM The application C:\Program Files\Network Associates\Common Framework\FrameworkService.exe cannot establish connection with server 172.22.232.176. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.
4/11/2008 4:45:33 PM Process (PID 2684) tried to access Kaspersky Anti-Virus process (PID 3000), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 4:45:34 PM Process (PID 2684) tried to access Kaspersky Anti-Virus process (PID 1912), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/11/2008 5:13:33 PM Protection of your computer is enabled.
4/11/2008 5:14:37 PM Update completed successfully
4/11/2008 5:26:35 PM Malicious HTTP object <http://downloads.and...x/catchme.exe>: detected new variant of virus 'Heur.Invader'.
4/11/2008 5:26:35 PM Malicious HTTP object <http://downloads.and...x/catchme.exe>: access denied.
4/11/2008 5:58:56 PM Protection of your computer is not running. You are advised to resume protection.
4/14/2008 9:16:38 AM Database is out of date, leaving your computer at risk of infection. Please update your database.
4/14/2008 9:16:38 AM Protection of your computer is enabled.
4/14/2008 9:17:55 AM Update completed successfully
4/14/2008 9:19:33 AM Databases are up to date
4/14/2008 9:20:04 AM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\zrt20080408[1]: detected: Trojan program 'Trojan.Win32.KillAV.rf'. User: CORP\KnopfM, computer: localhost.
4/14/2008 9:20:04 AM Security threats have been detected. You are advised to neutralize them immediately.
4/14/2008 9:20:32 AM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\zrt20080408[1]: deleted.
4/14/2008 9:20:48 AM Malicious HTTP object <http://82.98.235.78/...7AE4&rid=wen5>: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/14/2008 9:20:48 AM !NOLOC! StatusId(0) EventID(7)
4/14/2008 9:20:48 AM File C:\DOCUME~1\knopfm\LOCALS~1\Temp\gqdlitrs.dll: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/14/2008 9:20:48 AM Security threats have been detected. You are advised to neutralize them immediately.
4/14/2008 9:20:58 AM File C:\DOCUME~1\knopfm\LOCALS~1\Temp\gqdlitrs.dll: deleted.
4/14/2008 9:21:05 AM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\05QRWLQZ\zrt20080408[1]: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/14/2008 9:21:05 AM Security threats have been detected. You are advised to neutralize them immediately.
4/14/2008 9:21:05 AM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\05QRWLQZ\zrt20080408[1]: deleted.
4/14/2008 11:37:19 AM Update completed successfully
4/14/2008 1:44:15 PM File C:\WINDOWS\system32\oegdwdtv.dll: detected: Trojan program 'Trojan.Win32.KillAV.rf'. User: NT AUTHORITY\NETWORK SERVICE, computer: localhost.
4/14/2008 1:44:15 PM Security threats have been detected. You are advised to neutralize them immediately.
4/14/2008 1:44:15 PM File C:\WINDOWS\system32\oegdwdtv.dll: deleted.
4/14/2008 1:44:40 PM File C:\WINDOWS\system32\yqtrbcnu.dll: detected: Trojan program 'Trojan.Win32.KillAV.rf'. User: NT AUTHORITY\NETWORK SERVICE, computer: localhost.
4/14/2008 1:44:40 PM Security threats have been detected. You are advised to neutralize them immediately.
4/14/2008 1:44:40 PM File C:\WINDOWS\system32\yqtrbcnu.dll: deleted.
4/14/2008 1:57:19 PM Update completed successfully
4/14/2008 4:17:22 PM Update completed successfully
4/14/2008 6:38:14 PM Update completed successfully
4/14/2008 6:45:34 PM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\kriv[1]//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/14/2008 6:45:34 PM Security threats have been detected. You are advised to neutralize them immediately.
4/14/2008 6:45:34 PM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\kriv[1]//PE_Patch: is still infected, postponed.
4/14/2008 7:14:45 PM File C:\WINDOWS\SYSTEM32\NXIDUARP.DLL//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'. User: CORP\KnopfM, computer: localhost.
4/14/2008 7:15:06 PM File C:\WINDOWS\SYSTEM32\NXIDUARP.DLL//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/14/2008 8:01:48 PM Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/14/2008 8:59:46 PM Update completed successfully
4/14/2008 9:02:19 PM File C:\WINDOWS\system32\nxiduarp.dll//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/14/2008 9:02:19 PM File C:\WINDOWS\system32\nxiduarp.dll//PE_Patch: is still infected, postponed.
4/14/2008 9:07:33 PM File c:\documents and settings\knopfm\local settings\temporary internet files\content.ie5\j8r1wcj2\kriv[1]//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/14/2008 11:18:26 PM Update completed successfully
4/15/2008 1:37:26 AM Update completed successfully
4/15/2008 3:57:41 AM Update completed successfully
4/15/2008 6:17:28 AM Update completed successfully
4/15/2008 8:37:56 AM Update completed successfully
4/15/2008 9:16:37 AM File C:\WINDOWS\SYSTEM32\NXIDUARP.DLL//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/15/2008 9:16:37 AM File C:\WINDOWS\SYSTEM32\NXIDUARP.DLL will be deleted on system restart.
4/15/2008 9:17:13 AM File C:\WINDOWS\System32\nxiduarp.dll//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/15/2008 9:17:41 AM File c:\documents and settings\knopfm\local settings\temporary internet files\content.ie5\j8r1wcj2\kriv[1]: deleted.
4/15/2008 9:17:41 AM File c:\windows\system32\nxiduarp.dll//PE_Patch: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.nvf'.
4/15/2008 9:19:54 AM Protection of your computer is not running. You are advised to resume protection.
4/15/2008 9:21:29 AM Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/15/2008 9:21:29 AM Protection of your computer is enabled.
4/15/2008 9:22:57 AM Malicious HTTP object <http://82.98.235.78/...7AE4&rid=wen5>: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/15/2008 9:22:57 AM !NOLOC! StatusId(0) EventID(7)
4/15/2008 9:23:01 AM File C:\DOCUME~1\knopfm\LOCALS~1\Temp\cvxqstxw.dll: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/15/2008 9:23:01 AM Security threats have been detected. You are advised to neutralize them immediately.
4/15/2008 9:23:07 AM File C:\DOCUME~1\knopfm\LOCALS~1\Temp\cvxqstxw.dll: deleted.
4/15/2008 9:23:17 AM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\O167GTYF\zrt20080408[1]: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/15/2008 9:23:17 AM Security threats have been detected. You are advised to neutralize them immediately.
4/15/2008 9:23:19 AM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\O167GTYF\zrt20080408[1]: deleted.
4/15/2008 9:52:41 AM Protection of your computer is not running. You are advised to resume protection.
4/15/2008 9:54:22 AM Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/15/2008 9:54:23 AM Protection of your computer is enabled.
4/15/2008 9:58:02 AM The application C:\Program Files\Network Associates\Common Framework\FrameworkService.exe cannot establish connection with server 172.22.232.176. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.
4/15/2008 10:55:25 AM Protection of your computer is not running. You are advised to resume protection.
4/15/2008 10:56:43 AM Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/15/2008 10:56:43 AM Protection of your computer is enabled.
4/15/2008 11:16:43 AM Update completed successfully
4/15/2008 11:30:30 AM Protection of your computer is not running. You are advised to resume protection.
4/15/2008 11:31:56 AM Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/15/2008 11:31:56 AM Protection of your computer is enabled.
4/15/2008 3:53:55 PM Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/15/2008 3:53:55 PM System is running in safe mode. Some protection components are disabled.
4/15/2008 3:53:56 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 3:56:00 PM Scan startup objects cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 4:14:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 4:34:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 4:54:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 5:14:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 5:34:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 5:54:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 6:14:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 6:34:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 6:54:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 7:14:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 7:34:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 7:54:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 8:14:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 8:34:05 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 8:54:32 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 9:14:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 9:34:05 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 9:54:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 10:14:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 10:34:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 10:54:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 11:14:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 11:34:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/15/2008 11:54:02 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 12:14:02 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 12:34:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 12:54:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 1:14:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 1:34:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 1:54:06 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 2:14:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 2:34:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 2:54:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:14:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:34:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:54:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 4:14:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 4:34:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 4:54:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 5:14:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 5:34:03 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 5:54:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 6:14:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 6:34:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 6:54:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 7:14:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 7:34:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 7:54:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 8:14:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 8:34:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 8:54:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 9:14:04 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:08:09 PM System is running in safe mode. Some protection components are disabled.
4/16/2008 3:08:13 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:10:14 PM Scan startup objects cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:30:44 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 3:50:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 4:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 4:30:44 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 4:50:44 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 5:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 5:18:30 PM File C:\Documents and Settings\knopfm\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.exe: detected: riskware 'not-a-virus:Downloader.Win32.WinFixer.au'.
4/16/2008 5:18:30 PM Security threats have been detected. You are advised to neutralize them immediately.
4/16/2008 5:18:30 PM File C:\Documents and Settings\knopfm\Local Settings\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.exe: is still infected, postponed.
4/16/2008 5:29:54 PM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\IGTRJTU7\zrt20080408[1]: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/16/2008 5:29:54 PM File C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\IGTRJTU7\zrt20080408[1]: is still infected, postponed.
4/16/2008 5:30:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 5:50:44 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 6:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 6:30:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 6:50:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 7:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 7:21:42 PM File C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe: detected: riskware 'not-a-virus:Downloader.Win32.WinFixer.au'.
4/16/2008 7:21:42 PM Security threats have been detected. You are advised to neutralize them immediately.
4/16/2008 7:21:42 PM File C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe: is still infected, postponed.
4/16/2008 7:28:56 PM File C:\WINDOWS\system32\liccltrq.dll: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/16/2008 7:28:56 PM File C:\WINDOWS\system32\liccltrq.dll: is still infected, postponed.
4/16/2008 7:30:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 7:50:15 PM File c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe: detected: riskware 'not-a-virus:Downloader.Win32.WinFixer.au'.
4/16/2008 7:50:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 8:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 8:30:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 8:50:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 9:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 9:30:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 9:50:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 10:10:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 10:30:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 10:50:45 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 11:10:46 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 11:30:46 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/16/2008 11:50:46 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 12:10:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 12:30:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 12:50:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 1:10:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 1:30:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 1:50:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 2:10:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 2:30:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 2:50:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 3:10:46 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 3:30:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 3:50:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 4:10:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 4:30:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 4:50:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 5:10:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 5:30:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 5:50:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 6:10:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 6:30:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 6:50:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 7:10:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 7:30:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 7:50:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 8:10:47 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 8:30:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 8:51:09 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 9:09:18 AM Database is out of date, leaving your computer at risk of infection. Please update your database.
4/17/2008 9:11:11 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 9:18:16 AM File c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe: deleted.
4/17/2008 9:18:16 AM File c:\windows\system32\liccltrq.dll: detected: Trojan program 'Trojan.Win32.KillAV.rf'.
4/17/2008 9:18:16 AM File c:\windows\system32\liccltrq.dll: deleted.
4/17/2008 9:30:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 9:50:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 10:10:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 10:30:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 10:50:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 11:10:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 11:30:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 11:50:48 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 12:10:48 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 12:30:48 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 12:50:48 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 1:10:48 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 1:30:48 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 1:50:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 2:10:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 2:30:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 2:50:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 3:10:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 3:30:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 3:50:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 4:10:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 4:30:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 4:50:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 5:10:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 5:30:49 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/17/2008 5:47:50 PM Database is out of date, leaving your computer at risk of infection. Please update your database.
4/17/2008 5:47:51 PM Protection of your computer is enabled.
4/17/2008 5:48:23 PM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 1888), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/17/2008 5:48:23 PM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 312), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/17/2008 5:48:37 PM Please restart your computer to complete the installation of new or updated protection components.
4/17/2008 5:48:39 PM Update completed successfully
4/17/2008 5:50:02 PM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.okj'.
4/17/2008 5:50:02 PM Security threats have been detected. You are advised to neutralize them immediately.
4/17/2008 5:50:02 PM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: is still infected, skipped by user.
4/17/2008 6:07:56 PM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.okj'.
4/17/2008 6:07:56 PM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: is still infected, skipped by user.
4/17/2008 6:10:16 PM File C:\WINDOWS\system32\eugnxyjp.dll: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.okj'.
4/17/2008 6:10:16 PM File C:\WINDOWS\system32\eugnxyjp.dll: is still infected, skipped by user.
4/17/2008 6:11:27 PM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.okj'.
4/17/2008 6:11:27 PM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: is still infected, skipped by user.
4/17/2008 8:02:58 PM Your evaluation period will end in 23 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/17/2008 8:08:23 PM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 1696), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/17/2008 8:08:34 PM Update completed successfully
4/17/2008 10:28:24 PM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 3700), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/17/2008 10:28:45 PM Update completed successfully
4/18/2008 12:48:25 AM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 460), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/18/2008 12:48:34 AM Update completed successfully
4/18/2008 3:08:26 AM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 1040), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/18/2008 3:08:33 AM Update completed successfully
4/18/2008 5:28:27 AM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 3604), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/18/2008 5:28:39 AM Update completed successfully
4/18/2008 7:48:28 AM Process (PID 332) tried to access Kaspersky Anti-Virus process (PID 2716), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/18/2008 7:48:38 AM Update completed successfully
4/18/2008 9:16:12 AM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.okj'. User: CORP\KnopfM, computer: localhost.
4/18/2008 9:16:12 AM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: is still infected, skipped by user.
4/18/2008 9:16:38 AM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.okj'.
4/18/2008 9:17:01 AM File C:\WINDOWS\SYSTEM32\EUGNXYJP.DLL cannot be deleted.
4/18/2008 9:18:17 AM Update completed successfully
4/18/2008 9:19:47 AM Protection of your computer is not running. You are advised to resume protection.
4/18/2008 9:21:17 AM Your evaluation period will end in 23 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/18/2008 9:21:18 AM Protection of your computer is enabled.
4/18/2008 9:22:00 AM Process (PID 1032) tried to access Kaspersky Anti-Virus process (PID 1112), but the action has been blocked by the Self-Defense component. No action on your part is required.
4/18/2008 9:22:33 AM The application C:\Program Files\Network Associates\Common Framework\FrameworkService.exe cannot establish connection with server 172.22.232.176. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.
4/18/2008 9:27:47 AM Protection of your computer is not running. You are advised to resume protection.
4/18/2008 9:30:24 AM Your evaluation period will end in 23 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
4/18/2008 9:30:25 AM System is running in safe mode. Some protection components are disabled.
4/18/2008 9:32:29 AM Scan startup objects cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 9:32:55 AM File Anti-Virus cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 11:33:01 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 11:53:00 AM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 12:13:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 12:33:00 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 12:53:00 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 1:13:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 1:33:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 1:53:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 2:13:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 2:33:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 2:53:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 3:13:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 3:33:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 3:53:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 4:13:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/18/2008 4:33:01 PM Update cannot be started because of an error: task cannot be started in the safe mode
4/21/2008 9:09:43 AM Database is out of date, leaving your computer at risk of infection. Please update your database.
4/21/2008 9:09:43 AM Protection of your computer is enabled.
4/21/2008 9:10:09 AM Process C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (PID: 2164): attempt to perform suspicious actions allowed.
4/21/2008 9:10:19 AM Process C:\WINDOWS\system32\rundll32.exe (PID: 2740): attempt to perform suspicious actions allowed.
4/21/2008 9:10:20 AM Process C:\WINDOWS\explorer.exe (PID: 1888): attempt to perform suspicious actions allowed.
4/21/2008 9:10:52 AM Update completed successfully
4/21/2008 9:12:35 AM Databases are up to date
4/21/2008 9:15:15 AM File C:\WINDOWS\SYSTEM32\UMNUCCLC.DLL: detected: adware 'not-a-virus:AdWare.Win32.Virtumonde.pil'. User: CORP\KnopfM, computer: localhost.
4/21/2008 9:15:15 AM Security threats have been detected. You are advised to neutralize them immediately.
4/21/2008 9:15:32 AM File C:\WINDOWS\SYSTEM32\UMNUCCLC.DLL: deleted.


Reports
-------
Component             Status     Start                 Finish                Size
---------             ------     -----                 ------                ----
Proactive Defense     running    4/21/2008 9:09:43 AM                        21.3 KB
Mail Anti-Virus       running    4/21/2008 9:09:43 AM                        0 bytes
Web Anti-Virus        running    4/21/2008 9:09:43 AM                        23.7 KB
File Anti-Virus       running    4/21/2008 9:09:43 AM                        928.4 KB
Update                completed  4/21/2008 9:09:45 AM  4/21/2008 9:10:51 AM  0 bytes
Update                completed  4/21/2008 9:11:36 AM  4/21/2008 9:12:35 AM  0 bytes
Scan startup objects  completed  4/21/2008 9:11:46 AM  4/21/2008 9:15:45 AM  389.6 KB
Update                stopped    4/21/2008 9:12:41 AM  4/21/2008 9:13:35 AM  10.2 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan-Downloader.Win32.Homles.bb C:\WINDOWS\mrofinu572.exe 37.5 KB
Infected: Trojan program Trojan.Win32.KillAV.rf c:\windows\system32\liccltrq.dll 3.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.pil C:\WINDOWS\SYSTEM32\UMNUCCLC.DLL 94 KB
Infected: riskware not-a-virus:Downloader.Win32.WinFixer.au c:\documents and settings\knopfm\local settings\temp\icd1.tmp\uga6p_0001_n122m2802netinstaller.exe 181 KB
Infected: virus Packed.Win32.Monder.gen C:\WINDOWS\system32\urqRKCsp.dll 36 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.nvf c:\documents and settings\knopfm\local settings\temporary internet files\content.ie5\j8r1wcj2\kriv[1] 83 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\05QRWLQZ\zrt20080408[1] 3.5 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\DOCUME~1\knopfm\LOCALS~1\Temp\gqdlitrs.dll 3.6 KB
Infected: Trojan program Trojan-Downloader.Win32.Homles.bb c:\windows\mrofinu572.exe.tmp 37.5 KB
Infected: virus Packed.Win32.Monder.gen C:\WINDOWS\system32\awtsTLCv.dll 36 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\WINDOWS\system32\yqtrbcnu.dll 3.6 KB
Infected: virus Packed.Win32.Monder.gen c:\windows\system32\khfdwwxu.dll 36 KB
Infected: virus Packed.Win32.Monder.gen c:\windows\system32\xxyawvsm.dll 36 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\O167GTYF\zrt20080408[1] 3.5 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\DOCUME~1\knopfm\LOCALS~1\Temp\cvxqstxw.dll 3.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.nvf C:\WINDOWS\SYSTEM32\NXIDUARP.DLL 83 KB
Infected: Trojan program Trojan.Win32.KillAV.rf c:\documents and settings\knopfm\local settings\temporary internet files\content.ie5\igtrjtu7\zrt20080408[1] 3.5 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.okj c:\windows\system32\eugnxyjp.dll 94 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\WINDOWS\system32\oegdwdtv.dll 3.6 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\Documents and Settings\knopfm\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\zrt20080408[1] 3.5 KB
Infected: riskware not-a-virus:Downloader.Win32.WinFixer.au c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe 181 KB

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 April 2008 - 09:11 AM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to donate via PayPal for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 Whatthetechfan

Whatthetechfan

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 21 April 2008 - 09:21 AM

OK, I will do so then, but can I do it in Safe Mode? Or do I need to reboot and do both of these in Normal mode? Thanks!

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 April 2008 - 10:41 AM

Normal mode would be best.



#9 Whatthetechfan

Whatthetechfan

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 21 April 2008 - 02:18 PM

My computer seems much better! I am able to surf the internet without being redirected to web sites. Below is the log for both Malwarebytes and HijackThis.

Here is the Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:21 PM, on 4/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\ESPN VPN\ESPN VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ESPN MIS Security IE6
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: {c4fa9a39-d5cf-7358-6f44-8fd3d12888b5} - {5b88821d-3df8-44f6-8537-fc5d93a9af4c} - C:\WINDOWS\System32\siahehiy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A954A20A-219A-406D-B82A-72313EFAF1F3} - C:\WINDOWS\System32\geBsrRjJ.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera 301PLH
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ikbfsgnc.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: scratchpad.txt
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.espn.pvt
O17 - HKLM\Software\..\Telephony: DomainName = corp.espn.pvt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.espn.pvt
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.espn.pvt
O20 - Winlogon Notify: urqRKCsp - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: ESPN MIS Technology Support VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\ESPN VPN\ESPN VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe

--
End of file - 8561 bytes


Here is the Malwarebytes log

Malwarebytes' Anti-Malware 1.11
Database version: 666

Scan type: Quick Scan
Objects scanned: 49412
Time elapsed: 17 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ikbfsgnc.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{24e9519b-3f70-429b-99bc-4b2b49b96f66} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{6780a29e-6a18-0c70-1dff-1610dde00108} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM07e436a1 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ayqmxaqj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jqaxmqya.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ikbfsgnc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cngsfbki.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iwlsicng.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gncislwi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\towivjue.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eujviwot.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mhennonf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\A6F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\A71.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\knopfm\Local Settings\Temp\winvsnet.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ocbybcfd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\knopfm\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\knopfm\Local Settings\Temp\xrun.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

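The entries in the two logs above that stand out are the F2 UserInit value carrying programs other than userinit.exe, the BHOs with no friendly name or a random eight-letter DLL in System32, the Run value named with eight hex digits that has rundll32 load one of those DLLs, the Run value that borrows the name "userinit", and the Winlogon Notify package that points at a bare directory. As an added example (not code from this thread, from HijackThis or from any vendor), the Python script below encodes those patterns as triage rules and runs them over a handful of lines copied from the posted HijackThis log. The rule names, thresholds and the "random eight-letter DLL" heuristic are my own choices; a hit is a lead for manual checking against a known-good file list, not a verdict.

```python
"""Heuristic triage of HijackThis-style autostart entries.

Added example, not code from the thread, from HijackThis or from any vendor.
Each rule encodes one pattern visible in the log posted above; a hit is a
lead for manual verification, not a verdict.
"""
import re

# Eight random-looking letters dropped into System32 (siahehiy.dll, ikbfsgnc.dll ...).
# Heuristic: legitimate 8-letter DLLs exist, so hits are checked against a known-good list.
SYSTEM32_RANDOM_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll\b", re.IGNORECASE)
# Run value names made of eight hex digits, e.g. [04d7053d].
HEX_RUN_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
# Run value names borrowed from genuine Windows components.
MASQUERADE_NAMES = {"userinit", "winlogon", "explorer", "svchost", "lsass"}
ORPHAN_REASON = "entry points at a file that no longer exists"
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\Program Files\Passlogix\v-GO SSO\ssoshell.exe /background,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: {c4fa9a39-d5cf-7358-6f44-8fd3d12888b5} - {5b88821d-3df8-44f6-8537-fc5d93a9af4c} - C:\WINDOWS\System32\siahehiy.dll
O2 - BHO: (no name) - {A954A20A-219A-406D-B82A-72313EFAF1F3} - C:\WINDOWS\System32\geBsrRjJ.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ikbfsgnc.dll",b
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O20 - Winlogon Notify: urqRKCsp - C:\WINDOWS\
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""


def _reasons(kind, body):
    """Reasons one entry is suspicious; body is the text after the section label."""
    reasons = []
    if kind == "F2" and body.startswith("UserInit="):
        # Winlogon runs every comma-separated program listed here; only userinit.exe belongs.
        programs = [p.strip() for p in body[len("UserInit="):].split(",") if p.strip()]
        extras = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
        if extras:
            reasons.append("extra UserInit programs: " + "; ".join(extras))
    elif kind == "O2":
        # body is "<name> - {CLSID} - <path>"
        parts = [p.strip() for p in body.split(" - ", 2)]
        if len(parts) == 3:
            name, _clsid, path = parts
            if name.startswith("{") or name == "(no name)":
                reasons.append("BHO registered without a friendly name")
            if any(marker in path for marker in ORPHAN_MARKERS):
                reasons.append(ORPHAN_REASON)
            if SYSTEM32_RANDOM_DLL.search(path):
                reasons.append("random-looking eight-letter DLL in System32")
    elif kind == "O4":
        # body is "[value name] command line"
        m = re.match(r"^\[([^\]]*)\]\s*(.*)$", body)
        if m:
            name, command = m.group(1), m.group(2)
            if HEX_RUN_NAME.match(name):
                reasons.append("Run value named with eight hex digits")
            if name.lower() in MASQUERADE_NAMES:
                reasons.append("Run value name masquerades as a Windows component")
            if "rundll32" in command.lower() and SYSTEM32_RANDOM_DLL.search(command):
                reasons.append("rundll32 loading a random-looking System32 DLL")
    elif kind == "O20":
        # body is "<package name> - <DLL path>"; a path that is only a directory is abnormal
        _package, _, path = body.rpartition(" - ")
        if not path or path.endswith("\\") or SYSTEM32_RANDOM_DLL.search(path):
            reasons.append("Winlogon Notify package with a bare directory or random DLL")
    return reasons


def triage_line(line):
    """Classify one log line; returns a finding dict or None when nothing stands out."""
    m = re.match(r"^(F2|O2|O4|O20) - (.*)$", line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    _section, _, body = rest.partition(": ")
    reasons = _reasons(kind, body)
    if not reasons:
        return None
    # An orphaned registration on its own is clutter rather than an active loader.
    severity = "low" if all(r == ORPHAN_REASON for r in reasons) else "high"
    return {"kind": kind, "line": line.strip(), "severity": severity, "reasons": reasons}


def triage(log_text):
    """Run triage_line over a whole log and keep only the entries that fired."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['kind']}: {'; '.join(f['reasons'])}\n    {f['line']}")
```

On the sample lines the script flags six entries and leaves the Adobe BHO, the Kaspersky Run value and the O23 service alone. The UserInit rule deliberately reports every program other than userinit.exe, including the Passlogix single-sign-on shell that is probably legitimate on this corporate build; deciding which extra entries belong is the analyst's job, and the rule only makes sure none of them is overlooked.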
#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 April 2008 - 05:54 PM

Let's dig deeper.

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Give it at least 20-30 minutes to finish.




#11 Whatthetechfan

Whatthetechfan

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 22 April 2008 - 09:19 AM

Hello:

I ran ComboFix. During the scan, Kaspersky gave me a warning that it found Eicar.test-file. I skipped it. Also during the scan Kaspersky found Packed.win32.Monder.gen. It rebooted before I had a chance to delete it. After it rebooted I got a Kaspersky warning that said "Invader" for the file type combofix\catchme.tmp. I figured since it was part of ComboFix, I allowed the file to go through without Kaspersky deleting it.

Below are my ComboFix, HijackThis and Kaspersky logs.

Here is ComboFix
ComboFix 08-04-20.5 - KopfN 2008-04-22 9:29:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.600 [GMT -4:00]
Running from: C:\Documents and Settings\kopfN\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\JjRrsBeg.ini
C:\WINDOWS\system32\JjRrsBeg.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ofeyohxk.ini
C:\WINDOWS\system32\pawdgspn.dll
C:\WINDOWS\system32\praudixn.ini
C:\WINDOWS\system32\qtquhhgp.dll
C:\WINDOWS\system32\siahehiy.dll
C:\WINDOWS\system32\sldhvrlh.ini
C:\WINDOWS\system32\tninyxkp.dll
C:\WINDOWS\system32\wstfwlxq.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.
2008-04-22 10:18 . 2008-04-22 10:19 <DIR> d-------- C:\Documents and Settings\TEMP
2008-04-21 13:22 . 2008-04-21 13:22 <DIR> d-------- C:\Documents and Settings\kopfn\Application Data\Malwarebytes
2008-04-21 13:20 . 2008-04-21 13:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 13:20 . 2008-04-21 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 09:27 . 2008-04-18 09:27 1,522,222 ---hs---- C:\WINDOWS\system32\gkqgfegr.ini
2008-04-15 09:38 . 2008-04-15 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 09:27 . 2008-04-22 10:16 91,712 --a------ C:\WINDOWS\system32\rpaqdlud.dll
2008-04-14 09:26 . 2008-04-22 10:16 92,224 --a------ C:\WINDOWS\system32\kuyadjai.dll
2008-04-11 17:23 . 2008-04-11 17:23 <DIR> d-------- C:\Program Files\Opera
2008-04-11 10:13 . 2008-04-17 17:48 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-11 10:13 . 2008-04-17 17:48 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-11 10:12 . 2008-04-11 10:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-11 10:12 . 2008-04-22 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-11 10:12 . 2008-04-22 10:21 3,954,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-11 10:12 . 2008-04-22 10:18 54,560 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-11 10:12 . 2008-04-22 10:17 53,732 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-11 10:12 . 2008-04-22 10:17 5,996 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-11 10:10 . 2008-04-11 10:10 <DIR> d-------- C:\kav
2008-04-10 02:30 . 2008-04-21 09:37 109,087 --a------ C:\WINDOWS\BM07e436a1.xml
2008-04-09 14:21 . 2008-04-09 15:22 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-09 14:21 . 2008-04-09 14:21 <DIR> d-------- C:\temp\wdlw14
2008-03-24 17:25 . 2008-04-11 13:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-24 17:25 . 2008-03-24 17:25 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 13:20 --------- d-----w C:\Program Files\Trillian
2008-04-08 16:21 --------- d-----w C:\Documents and Settings\kopfn\Application Data\U3
2008-02-22 17:58 --------- d-----w C:\Documents and Settings\kopfn\Application Data\webex
2008-02-22 17:57 --------- d-----w C:\Program Files\WebEx
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-08-13 17:31 722,176 ----a-w C:\Documents and Settings\kopfn\gotomypc_428.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A954A20A-219A-406D-B82A-72313EFAF1F3}]
C:\WINDOWS\System32\geBsrRjJ.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 12:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 15:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 15:08 618496]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [ ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 04:50 139320]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2006-03-13 15:38 155648]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2002-08-29 08:00 135680]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-03-10 11:32 53248]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2006-04-17 11:16 1024063]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [2005-12-16 19:59 107008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]
"04d7053d"="C:\WINDOWS\System32\ikbfsgnc.dll" [ ]
C:\Documents and Settings\kopfn\Start Menu\Programs\Startup\
scratchpad.txt [2008-04-14 17:45:14 26015]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2006-04-17 11:16 106496 C:\WINDOWS\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRKCsp]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.H261"= h261_32.dll
"VIDC.VXTR"= vxtr.dll
"VIDC.SM4V"= SorensonMPEG4Dec.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to OutlookRemindersSend.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to OutlookRemindersSend.exe.lnk
backup=C:\WINDOWS\pss\Shortcut to OutlookRemindersSend.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
--a------ 2005-05-18 15:49 282624 C:\Program Files\DIGStream\digstream.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\MSMSGS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SportsPort]
C:\Program Files\SportsPort\SportsPort.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-24 10:48 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
R2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-04 17:35]
R2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2004-08-25 14:05]
R2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2004-10-22 17:53]
R3 CONAN;CONAN;C:\WINDOWS\System32\drivers\o2mmb.sys [2003-07-28 20:49]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys [2006-04-17 11:16]
R3 RadiaMsi;RadiaMsi;C:\WINDOWS\System32\DRIVERS\radiamsi.sys [2004-09-10 16:45]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\System32\DRIVERS\ar5211.sys [2003-08-04 22:00]
R4 black;black;C:\WINDOWS\System32\drivers\BlackDrv.sys [2005-03-29 18:04]
S3 MbxStby;MbxStby;C:\WINDOWS\System32\drivers\MbxStby.sys [2003-07-24 10:50]
S3 RapFile;RapFile;C:\WINDOWS\System32\drivers\RapFile.sys [2003-06-19 18:40]
S3 RapNet;RapNet;C:\WINDOWS\System32\drivers\RapNet.sys [2003-06-19 18:40]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\iTunesPrefs]
C:\patches\iTunes\Prefs\prefs.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ItunesPrefs2]
C:\patches\iTunes\Prefs\prefs.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\JavaSettings]
C:\patches\JAVA\JAVASET.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 10:20:00
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
.
**************************************************************************
.
Completion time: 2008-04-22 10:36:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-22 14:36:29
Pre-Run: 35,619,418,112 bytes free
Post-Run: 36,077,211,648 bytes free
173

Here is HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54, on 2008-04-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A954A20A-219A-406D-B82A-72313EFAF1F3} - C:\WINDOWS\System32\geBsrRjJ.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera 301PLH
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ikbfsgnc.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: scratchpad.txt
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters:
O17 - HKLM\System\CS2\Services\Tcpip\Parameters:
O20 - Winlogon Notify: urqRKCsp - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: MIS Technology Support VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\ESPN VPN\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe

--
End of file - 8380 bytes


Here is today's Kaspersky Log


2008-04-22 09:18 Malicious HTTP object <http://subs.geekstog...catchme.cfexe>: detected new variant of virus 'Heur.Invader'.
2008-04-22 09:18 Malicious HTTP object <http://subs.geekstog...catchme.cfexe>: access denied.
2008-04-22 09:30 File C:\DOCUME~1\kopfn\LOCALS~1\Temp\Av-test.txt: detected: virus 'EICAR-Test-File'.
2008-04-22 09:30 Security threats have been detected. You are advised to neutralize them immediately.
2008-04-22 09:39 File C:\DOCUME~1\kopfn\LOCALS~1\Temp\Av-test.txt: is still infected, skipped by user.
2008-04-22 09:59 File C:\WINDOWS\system32\kuyadjai.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'. User: CORP\kopfn, computer: localhost.
2008-04-22 10:05 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:16 File C:\WINDOWS\system32\kuyadjai.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\rpaqdlud.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'. User: CORP\kopfn, computer: localhost.
2008-04-22 10:16 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:16 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\tninyxkp.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:16 File C:\WINDOWS\system32\tninyxkp.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\rpaqdlud.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:16 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\tninyxkp.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:16 File C:\WINDOWS\system32\tninyxkp.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:17 Protection of your computer is not running. You are advised to resume protection.
2008-04-22 10:18 Security threats have been detected. You are advised to neutralize them immediately.
2008-04-22 10:18 Protection of your computer is enabled.
2008-04-22 10:19 Process C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (PID: 2832): attempt to perform suspicious actions allowed.
2008-04-22 10:21 File C:\ComboFix\Catchme.tmp: detected modification of virus 'Heur.Invader'.
2008-04-22 10:22 The application C:\Program Files\Network Associates\Common Framework\FrameworkService.exe cannot establish connection with server 172.22.232.176. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.
2008-04-22 10:23 File c:\documents and settings\kopfn\desktop\combofix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
2008-04-22 10:26 File C:\ComboFix\catchme.tmp: detected modification of virus 'Heur.Invader'.
2008-04-22 10:32 Process C:\ComboFix\catchme.tmp (PID: 4024): attempt to embed itself into another process allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2152): attempt to perform suspicious actions allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2192): attempt to perform suspicious actions allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2240): attempt to perform suspicious actions allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2384): attempt to perform suspicious actions allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2448): attempt to perform suspicious actions allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 4024): attempt to embed itself into another process allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2152): attempt to embed itself into another process allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2192): attempt to embed itself into another process allowed.
2008-04-22 10:33 Process C:\ComboFix\catchme.tmp (PID: 2240): attempt to embed itself into another process allowed.
2008-04-22 10:39 Update completed successfully
2008-04-22 10:44 Protection of your computer is not running. You are advised to resume protection.
2008-04-22 10:45 Security threats have been detected. You are advised to neutralize them immediately.
2008-04-22 10:45 Protection of your computer is enabled.
2008-04-22 10:45 Process C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (PID: 3336): attempt to perform suspicious actions allowed.
2008-04-22 10:46 The application C:\Program Files\Network Associates\Common Framework\FrameworkService.exe cannot establish connection with server 172.22.232.176. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Proactive Defense running 2008-04-22 10:45 9.9 KB
File Anti-Virus running 2008-04-22 10:45 418.7 KB
Mail Anti-Virus running 2008-04-22 10:45 0 bytes
Web Anti-Virus running 2008-04-22 10:45 7.3 KB
Scan startup objects running 2008-04-22 10:47 61.3 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan-Downloader.Win32.Homles.bb C:\WINDOWS\mrofinu572.exe 37.5 KB
Infected: Trojan program Trojan.Win32.KillAV.rf c:\windows\system32\liccltrq.dll 3.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.pil C:\WINDOWS\SYSTEM32\UMNUCCLC.DLL 94 KB
Infected: riskware not-a-virus:Downloader.Win32.WinFixer.au c:\documents and settings\kopfn\local settings\temp\icd1.tmp\uga6p_0001_n122m2802netinstaller.exe 181 KB
Infected: Trojan program Packed.Win32.Monder.gen C:\WINDOWS\System32\aicmbkcc.dll 89.6 KB
Infected: virus Packed.Win32.Monder.gen C:\WINDOWS\system32\urqRKCsp.dll 36 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.nvf c:\documents and settings\kopfn\local settings\temporary internet files\content.ie5\j8r1wcj2\kriv[1] 83 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.pjx C:\WINDOWS\System32\towivjue.dll 85.6 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\Documents and Settings\kopfn\Local Settings\Temporary Internet Files\Content.IE5\05QRWLQZ\zrt20080408[1] 3.5 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\DOCUME~1\kopfn\LOCALS~1\Temp\gqdlitrs.dll 3.6 KB
Infected: Trojan program Trojan-Downloader.Win32.Homles.bb c:\windows\mrofinu572.exe.tmp 37.5 KB
Infected: Trojan program Packed.Win32.Monder.gen C:\WINDOWS\System32\xwyytbnb.dll 90 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.pon C:\WINDOWS\System32\eutwtmmo.dll 92.6 KB
Infected: virus Packed.Win32.Monder.gen C:\WINDOWS\system32\awtsTLCv.dll 36 KB
Infected: Trojan program Packed.Win32.Monder.gen c:\windows\system32\gebsrrjj.dll 264 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\WINDOWS\system32\yqtrbcnu.dll 3.6 KB
Infected: virus Packed.Win32.Monder.gen c:\windows\system32\khfdwwxu.dll 36 KB
Infected: virus Packed.Win32.Monder.gen c:\windows\system32\xxyawvsm.dll 36 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\Documents and Settings\kopfn\Local Settings\Temporary Internet Files\Content.IE5\O167GTYF\zrt20080408[1] 3.5 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\DOCUME~1\kopfn\LOCALS~1\Temp\cvxqstxw.dll 3.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.nvf C:\WINDOWS\SYSTEM32\NXIDUARP.DLL 83 KB
Infected: Trojan program Trojan.Win32.KillAV.rf c:\documents and settings\kopfn\local settings\temporary internet files\content.ie5\igtrjtu7\zrt20080408[1] 3.5 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.okj c:\windows\system32\eugnxyjp.dll 94 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\WINDOWS\system32\oegdwdtv.dll 3.6 KB
Infected: Trojan program Trojan.Win32.KillAV.rf C:\Documents and Settings\kopfn\Local Settings\Temporary Internet Files\Content.IE5\J8R1WCJ2\zrt20080408[1] 3.5 KB
Infected: riskware not-a-virus:Downloader.Win32.WinFixer.au c:\windows\downloaded program files\uga6p_0001_n122m2802netinstaller.exe 181 KB
Infected: Trojan program Packed.Win32.Monder.gen C:\WINDOWS\SYSTEM32\XQJPXNSE.DLL 93 KB

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2008 - 10:34 AM

Remove your internet connection until you're ready to reboot.

Please navigate to the system tray on the bottom right hand corner and look for the [image] sign.
Right click it -> select Pause Protection.
Click on -> By User Request.
A popup will claim that protection is now disabled and a sign like this: [image] will now be shown.



Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\rpaqdlud.dll
C:\WINDOWS\system32\kuyadjai.dll
C:\WINDOWS\BM07e436a1.xml
C:\WINDOWS\System32\geBsrRjJ.dll
C:\WINDOWS\System32\ikbfsgnc.dll
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\system32\qtquhhgp.dll
C:\WINDOWS\system32\tninyxkp.dll

Folder::
C:\WINDOWS\system32\bharebio01
C:\temp\wdlw14

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A954A20A-219A-406D-B82A-72313EFAF1F3}]


Save this as CFScript.txt


[image]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
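As an added example (not from this thread and not part of ComboFix, HijackThis or Kaspersky), the following Python pass shows where the File:: list in the script above comes from: it flags the four HijackThis entry kinds the script acts on, collects the files Kaspersky reported as infected, and assembles a candidate File:: block. The sample lines are a constructed subset copied from the logs posted earlier; the "eight random letters" rule is a triage heuristic for this infection, not a general verdict.

```python
import re

# Constructed subset of the HijackThis and Kaspersky lines posted in this thread,
# embedded so the example runs offline.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A954A20A-219A-406D-B82A-72313EFAF1F3} - C:\WINDOWS\System32\geBsrRjJ.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ikbfsgnc.dll",b
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: urqRKCsp - C:\WINDOWS\
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
"""
KAV_SAMPLE = r"""
2008-04-22 09:30 File C:\DOCUME~1\user\LOCALS~1\Temp\Av-test.txt: detected: virus 'EICAR-Test-File'.
2008-04-22 09:59 File C:\WINDOWS\system32\kuyadjai.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:05 File C:\WINDOWS\system32\qtquhhgp.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
2008-04-22 10:16 File C:\WINDOWS\system32\kuyadjai.dll//PE_Patch: is still infected, skipped by user.
2008-04-22 10:16 File C:\WINDOWS\system32\kuyadjai.dll//PE_Patch: detected: Trojan program 'Packed.Win32.Monder.gen'.
"""

# Eight letters and nothing else: the throwaway DLL names this infection used
# (ikbfsgnc, geBsrRjJ, urqRKCsp, kuyadjai). A triage heuristic, not a verdict.
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - "
                   r"(?P<path>[A-Za-z]:\\.+?\.dll)(?P<missing> \(file missing\))?$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[A-Za-z]:\\.+?\.dll)"?', re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<value>\S+) - (?P<path>.*)$")
# Kaspersky names the unpacked layer after '//' (e.g. //PE_Patch); that is not a file on disk.
KAV_RE = re.compile(r"^\S+ \S+ File (?P<path>.+?)(?://[^:]*)?: detected: .*?'(?P<verdict>[^']+)'")


def _dedupe(paths):
    """Drop repeats case-insensitively (NTFS paths), keeping the first spelling."""
    seen, out = set(), []
    for p in paths:
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def triage_hijackthis(lines):
    """Read-only pass over HijackThis lines; returns (item, value, path, reason)
    for the four entry kinds the CFScript above acted on."""
    hits = []
    for line in (l.strip() for l in lines):
        m = O2_RE.match(line)
        if m and (m["missing"] or m["name"] == "(no name)"):
            reason = "BHO DLL is gone; registration outlived the file" if m["missing"] else "unnamed BHO"
            hits.append(("O2", m["name"], m["path"], reason))
            continue
        m = O4_RE.match(line)
        if m:
            value, cmd = m["value"], m["cmd"]
            if value.lower() == "userinit":
                # Userinit is a Winlogon value; a Run entry by that name only borrows its look.
                hits.append(("O4", value, cmd.strip('"'), "Run value impersonating Userinit"))
            else:
                r = RUNDLL_RE.match(cmd)
                if r and RANDOM_STEM.match(r["path"].rsplit("\\", 1)[-1][:-4]):
                    hits.append(("O4", value, r["path"], "rundll32 loading an 8-letter DLL at logon"))
            continue
        m = O20_RE.match(line)
        if m and not m["path"].lower().endswith(".dll"):
            hits.append(("O20", m["value"], None, "Winlogon Notify entry whose DLL path does not resolve"))
    return hits


def kaspersky_detected_files(lines):
    """Files Kaspersky flagged as infected, without the EICAR test signature."""
    found = []
    for line in lines:
        m = KAV_RE.match(line.strip())
        if m and m["verdict"] != "EICAR-Test-File":
            found.append(m["path"])
    return _dedupe(found)


def cfscript_file_section(hjt_lines, kav_lines):
    """Assemble ComboFix's File:: block the way the post above did: HijackThis
    supplies the registered loaders, Kaspersky the files it could not disinfect.
    The result is a candidate list for a human to review, not a verdict."""
    paths = [p for _, _, p, _ in triage_hijackthis(hjt_lines) if p]
    paths += kaspersky_detected_files(kav_lines)
    return "File::\n" + "\n".join(sorted(_dedupe(paths), key=str.lower)) + "\n"


if __name__ == "__main__":
    for item, value, path, reason in triage_hijackthis(HJT_SAMPLE.splitlines()):
        print(f"{item:<4} {value:<10} {path or '-':<40} {reason}")
    print(cfscript_file_section(HJT_SAMPLE.splitlines(), KAV_SAMPLE.splitlines()))
```

The O20 entry yields no file (its path is a bare directory), which is why the post handles urqRKCsp through the registry rather than the File:: list.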

#13 Whatthetechfan

Whatthetechfan

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 22 April 2008 - 11:54 AM

Ok. Here are the logs. My computer never rebooted. I didn't remove the internet connection (sorry, I'm a dummy) until a minute after ComboFix started running. Should I have manually rebooted before running HijackThis? Anyway, here are the logs.

Here is ComboFix

ComboFix 08-04-20.5 - KopfN 2008-04-22 13:27:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.644 [GMT -4:00]
Running from: C:\Documents and Settings\kopfN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\kopfN\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM07e436a1.xml
C:\WINDOWS\System32\geBsrRjJ.dll
C:\WINDOWS\System32\ikbfsgnc.dll
C:\WINDOWS\system32\kuyadjai.dll
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\system32\qtquhhgp.dll
C:\WINDOWS\system32\rpaqdlud.dll
C:\WINDOWS\system32\tninyxkp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\wdlw14
C:\WINDOWS\BM07e436a1.xml
C:\WINDOWS\system32\bharebio01

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 13:22 . 2008-04-21 13:22 <DIR> d-------- C:\Documents and Settings\kopfN\Application Data\Malwarebytes
2008-04-21 13:20 . 2008-04-21 13:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 13:20 . 2008-04-21 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-17 09:27 . 2008-04-18 09:27 1,522,222 ---hs---- C:\WINDOWS\system32\gkqgfegr.ini
2008-04-15 09:38 . 2008-04-15 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 17:23 . 2008-04-11 17:23 <DIR> d-------- C:\Program Files\Opera
2008-04-11 10:13 . 2008-04-17 17:48 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-11 10:13 . 2008-04-17 17:48 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-11 10:12 . 2008-04-11 10:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-11 10:12 . 2008-04-22 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-11 10:12 . 2008-04-22 13:32 4,044,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-11 10:12 . 2008-04-22 13:31 58,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-11 10:12 . 2008-04-22 10:44 54,548 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-11 10:12 . 2008-04-22 10:44 6,212 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-11 10:10 . 2008-04-11 10:10 <DIR> d-------- C:\kav
2008-03-24 17:25 . 2008-04-11 13:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-24 17:25 . 2008-03-24 17:25 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 13:20 --------- d-----w C:\Program Files\Trillian
2008-04-08 16:21 --------- d-----w C:\Documents and Settings\kopfN\Application Data\U3
2008-02-22 17:58 --------- d-----w C:\Documents and Settings\kopfN\Application Data\webex
2008-02-22 17:57 --------- d-----w C:\Program Files\WebEx
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-08-13 17:31 722,176 ----a-w C:\Documents and Settings\kopfN\gotomypc_428.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_10.28.43.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 14:17:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-22 14:45:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-10 13:57:40 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-22 14:46:53 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 13:57:40 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-22 14:46:53 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CardScan AutoSync"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 10:48 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 12:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 15:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 15:08 618496]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [ ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 04:50 139320]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2006-03-13 15:38 155648]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2002-08-29 08:00 135680]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-03-10 11:32 53248]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2006-04-17 11:16 1024063]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [2005-12-16 19:59 107008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]
"04d7053d"="C:\WINDOWS\System32\ikbfsgnc.dll" [ ]

C:\Documents and Settings\kopfN\Start Menu\Programs\Startup\
scratchpad.txt [2008-04-14 17:45:14 26015]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
"NoAutoUpdate"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2006-04-17 11:16 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRKCsp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.H261"= h261_32.dll
"VIDC.VXTR"= vxtr.dll
"VIDC.SM4V"= SorensonMPEG4Dec.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ VPN Client.lnk
backup=C:\WINDOWS\pss\ VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to OutlookRemindersSend.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to OutlookRemindersSend.exe.lnk
backup=C:\WINDOWS\pss\Shortcut to OutlookRemindersSend.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
--a------ 2005-05-18 15:49 282624 C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\MSMSGS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SportsPort]
C:\Program Files\SportsPort\SportsPort.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-24 10:48 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-04 17:35]
R2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2004-08-25 14:05]
R2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2004-10-22 17:53]
R3 CONAN;CONAN;C:\WINDOWS\System32\drivers\o2mmb.sys [2003-07-28 20:49]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys [2006-04-17 11:16]
R3 RadiaMsi;RadiaMsi;C:\WINDOWS\System32\DRIVERS\radiamsi.sys [2004-09-10 16:45]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\System32\DRIVERS\RimSerial.sys [2005-08-16 13:02]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\System32\DRIVERS\ar5211.sys [2003-08-04 22:00]
R4 black;black;C:\WINDOWS\System32\drivers\BlackDrv.sys [2005-03-29 18:04]
S3 MbxStby;MbxStby;C:\WINDOWS\System32\drivers\MbxStby.sys [2003-07-24 10:50]
S3 RapFile;RapFile;C:\WINDOWS\System32\drivers\RapFile.sys [2003-06-19 18:40]
S3 RapNet;RapNet;C:\WINDOWS\System32\drivers\RapNet.sys [2003-06-19 18:40]

*Newly Created Service* - ALG
*Newly Created Service* - CATCHME
*Newly Created Service* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\iTunesPrefs]
C:\patches\iTunes\Prefs\prefs.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ItunesPrefs2]
C:\patches\iTunes\Prefs\prefs.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\JavaSettings]
C:\patches\JAVA\JAVASET.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 13:32:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-22 13:34:24
ComboFix-quarantined-files.txt 2008-04-22 17:34:22
ComboFix2.txt 2008-04-22 14:36:45

Pre-Run: 36,060,221,440 bytes free
Post-Run: 36,050,362,368 bytes free

180

Here is HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52, on 2008-04-22
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\ VPN\ VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera 301PLH
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [04d7053d] rundll32.exe "C:\WINDOWS\System32\ikbfsgnc.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: scratchpad.txt
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters:
O17 - HKLM\Software\..\Telephony:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters:
O17 - HKLM\System\CS2\Services\Tcpip\Parameters:
O20 - Winlogon Notify: urqRKCsp - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: MIS Technology Support VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\ VPN\ VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe

--
End of file - 8320 bytes

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 April 2008 - 12:34 PM

If the fix doesn't reboot, be sure to reboot before posting a new HijackThis log.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\gkqgfegr.ini
C:\WINDOWS\System32\ikbfsgnc.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRKCsp]


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom
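The two entries LDTate's CFScript removes, the hex-named O4 Run value that loads a DLL through rundll32 and the O20 Winlogon Notify package with no DLL behind it, are the kind of pattern a helper spots by eye in a HijackThis log. As an added example that is not from this thread or from the HijackThis/ComboFix authors, the Python below parses constructed O4/O20 lines with those two heuristics and renders the hits in the File::/Registry:: layout shown above as a draft for analyst review; the heuristics and the XP default Notify allow-list are my assumptions.

```python
import re

# Constructed sample in HijackThis format (not the thread's full log): the two
# entries the helper's CFScript targets, plus benign entries for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [AVP] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"
O4 - HKLM\\..\\Run: [04d7053d] rundll32.exe "C:\\WINDOWS\\System32\\ikbfsgnc.dll",b
O20 - Winlogon Notify: urqRKCsp - C:\\WINDOWS\\
O20 - Winlogon Notify: scecli - C:\\WINDOWS\\system32\\scecli.dll
"""

O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.I)
# Notify packages that ship with Windows XP: an assumed allow-list for this example.
XP_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "scecli", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

def find_suspicious(log_text):
    """Return (kind, value, reason) triples for entries an analyst should review."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            # Hex-looking value name plus rundll32 calling a one-letter export: the thread's [04d7053d] pattern.
            if r and re.fullmatch(r"[0-9a-f]{8}", name.lower()):
                findings.append(("file", r.group("dll"),
                                 f"Run value '{name}' loads a DLL via rundll32 export '{r.group('entry')}'"))
            continue
        m = O20_RE.match(line)
        if m and m.group("name").lower() not in XP_NOTIFY:
            findings.append(("registry", NOTIFY_KEY + "\\" + m.group("name"),
                             f"Winlogon Notify package outside the XP default set (path {m.group('path')!r})"))
    return findings

def draft_cfscript(findings):
    """Render findings in the File::/Registry:: layout of the thread's CFScript; a draft to review, not to run unread."""
    files = [v for kind, v, _ in findings if kind == "file"]
    keys = [v for kind, v, _ in findings if kind == "registry"]
    out = []
    if files:
        out += ["File::", *files, ""]
    if keys:
        out += ["Registry::", *[f"[-{k}]" for k in keys], ""]
    return "\n".join(out)
```

Running `draft_cfscript(find_suspicious(SAMPLE_LOG))` reproduces the File:: and Registry:: stanzas LDTate posted for this log; any other hit still needs a human to confirm the file is not a legitimate component before it goes into a script.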

 


#15 Whatthetechfan

Whatthetechfan

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 22 April 2008 - 01:54 PM

OK, but should I disable Kaspersky like before? Should I also unplug my internet cable?
