Old 10-16-2005, 07:13 PM   #1 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


Another Vundo victim

I've followed the steps you recommended before posting a Hijack This! Analyzer log, and I'm hoping you can use the log analysis below to help me get rid of Trojan.Vundo.
I've tried the Symantec FixVundo tool but it doesn't seem to pick the trojan up on my system. And I've only been able to go so far by trying to use VundoFix by way of the procedures you've outlined for other Tech Support Forum clients. It seems to me that each case has its own unique filepaths that have to be addressed.
Can you help me?
Thanks in advance.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:46:19 PM, on 16/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\MDG\MDGnotify.exe
C:\Documents and Settings\Richard Beales\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: g.mysearch.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .whenu.com
O1 - Hosts: .whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: om
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: .com
O1 - Hosts: rtoolbar.com
O1 - Hosts: sertoolbar.com
O1 - Hosts: owsertoolbar.com
O1 - Hosts: 127.0
O1 - Hosts: 2.browsertoolbar.com
O1 - Hosts: ww2.browsertoolbar.com
O1 - Hosts: .www2.browsertoolbar.com
O1 - Hosts: 127.0.0.
O1 - Hosts: ww.www2.browsertoolbar.com
O1 - Hosts: 127.0.0.
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\Peter\LOCALS~1\Temp\itnarc.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - (no file)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\WINDOWS\TEMP\bewsa.dat
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\ipattnof.dat (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\WINDOWS\TEMP\bacrc.dat
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [*wavedvd] C:\WINDOWS\Tasks\wavedvd.exe
O4 - HKLM\..\Run: [*mp3] C:\WINDOWS\system\mp3.exe
O4 - HKLM\..\Run: [*regtcp] C:\WINDOWS\Web\regtcp.exe
O4 - HKLM\..\Run: [*uninet] C:\WINDOWS\msagent\uninet.exe
O4 - HKLM\..\Run: [*adnet] C:\WINDOWS\java\classes\adnet.exe
O4 - HKLM\..\Run: [*kbdisk] C:\WINDOWS\ServicePackFiles\kbdisk.exe
O4 - HKLM\..\Run: [*ipacc] C:\WINDOWS\ServicePackFiles\ipacc.exe
O4 - HKLM\..\Run: [*vssexp] C:\WINDOWS\msagent\chars\vssexp.exe
O4 - HKLM\..\Run: [*webjpeg] C:\WINDOWS\repair\webjpeg.exe
O4 - HKLM\..\Run: [*dvdimg] C:\WINDOWS\Fonts\dvdimg.exe
O4 - HKLM\..\Run: [*cmdras] C:\WINDOWS\system\cmdras.exe
O4 - HKLM\..\Run: [*vssvb] C:\WINDOWS\vssvb.exe
O4 - HKLM\..\Run: [*faxav] C:\WINDOWS\Tasks\faxav.exe
O4 - HKLM\..\Run: [*vssdrv] C:\WINDOWS\addins\vssdrv.exe
O4 - HKLM\..\Run: [*netplay] C:\WINDOWS\system\netplay.exe
O4 - HKLM\..\Run: [*antilib] C:\WINDOWS\Fonts\antilib.exe
O4 - HKLM\..\Run: [*fonttcp] C:\WINDOWS\system\fonttcp.exe
O4 - HKLM\..\Run: [*accdll] C:\WINDOWS\Driver Cache\accdll.exe
O4 - HKLM\..\Run: [*wmsad] C:\WINDOWS\ServicePackFiles\wmsad.exe
O4 - HKLM\..\Run: [*abrbin] C:\WINDOWS\repair\abrbin.exe
O4 - HKLM\..\Run: [*eulainet] C:\WINDOWS\addins\eulainet.exe
O4 - HKLM\..\Run: [*accodbc] C:\WINDOWS\Web\accodbc.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\msagent\chars\logwave.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*eulacr] C:\WINDOWS\Config\eulacr.exe
O4 - HKLM\..\Run: [*vbacc] C:\WINDOWS\java\classes\vbacc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O20 - Winlogon Notify: ipcmd - C:\DOCUME~1\Peter\LOCALS~1\Temp\dmcpi.dat (file missing)
O20 - Winlogon Notify: playtapi - C:\DOCUME~1\Peter\LOCALS~1\Temp\ipatyalp.dat (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
B.S.Blues is offline  
Old 10-17-2005, 12:01 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Hello and Welcome

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis, place a check next to these items and select "Fix checked":

O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: g.mysearch.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: .whenu.com
O1 - Hosts: .whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: d.com
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: om
O1 - Hosts: ww.zestyfind.com
O1 - Hosts: .com
O1 - Hosts: rtoolbar.com
O1 - Hosts: sertoolbar.com
O1 - Hosts: owsertoolbar.com
O1 - Hosts: 127.0
O1 - Hosts: 2.browsertoolbar.com
O1 - Hosts: ww2.browsertoolbar.com
O1 - Hosts: .www2.browsertoolbar.com
O1 - Hosts: 127.0.0.
O1 - Hosts: ww.www2.browsertoolbar.com
O1 - Hosts: 127.0.0.
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\Peter\LOCALS~1\Temp\itnarc.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - (no file)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\WINDOWS\TEMP\bewsa.dat
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\ipattnof.dat (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\WINDOWS\TEMP\bacrc.dat
O4 - HKLM\..\Run: [*wavedvd] C:\WINDOWS\Tasks\wavedvd.exe
O4 - HKLM\..\Run: [*mp3] C:\WINDOWS\system\mp3.exe
O4 - HKLM\..\Run: [*regtcp] C:\WINDOWS\Web\regtcp.exe
O4 - HKLM\..\Run: [*uninet] C:\WINDOWS\msagent\uninet.exe
O4 - HKLM\..\Run: [*adnet] C:\WINDOWS\java\classes\adnet.exe
O4 - HKLM\..\Run: [*kbdisk] C:\WINDOWS\ServicePackFiles\kbdisk.exe
O4 - HKLM\..\Run: [*ipacc] C:\WINDOWS\ServicePackFiles\ipacc.exe
O4 - HKLM\..\Run: [*vssexp] C:\WINDOWS\msagent\chars\vssexp.exe
O4 - HKLM\..\Run: [*webjpeg] C:\WINDOWS\repair\webjpeg.exe
O4 - HKLM\..\Run: [*dvdimg] C:\WINDOWS\Fonts\dvdimg.exe
O4 - HKLM\..\Run: [*cmdras] C:\WINDOWS\system\cmdras.exe
O4 - HKLM\..\Run: [*vssvb] C:\WINDOWS\vssvb.exe
O4 - HKLM\..\Run: [*faxav] C:\WINDOWS\Tasks\faxav.exe
O4 - HKLM\..\Run: [*vssdrv] C:\WINDOWS\addins\vssdrv.exe
O4 - HKLM\..\Run: [*netplay] C:\WINDOWS\system\netplay.exe
O4 - HKLM\..\Run: [*antilib] C:\WINDOWS\Fonts\antilib.exe
O4 - HKLM\..\Run: [*fonttcp] C:\WINDOWS\system\fonttcp.exe
O4 - HKLM\..\Run: [*accdll] C:\WINDOWS\Driver Cache\accdll.exe
O4 - HKLM\..\Run: [*wmsad] C:\WINDOWS\ServicePackFiles\wmsad.exe
O4 - HKLM\..\Run: [*abrbin] C:\WINDOWS\repair\abrbin.exe
O4 - HKLM\..\Run: [*eulainet] C:\WINDOWS\addins\eulainet.exe
O4 - HKLM\..\Run: [*accodbc] C:\WINDOWS\Web\accodbc.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\msagent\chars\logwave.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*eulacr] C:\WINDOWS\Config\eulacr.exe
O4 - HKLM\..\Run: [*vbacc] C:\WINDOWS\java\classes\vbacc.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab
O20 - Winlogon Notify: ipcmd - C:\DOCUME~1\Peter\LOCALS~1\Temp\dmcpi.dat (file missing)
O20 - Winlogon Notify: playtapi - C:\DOCUME~1\Peter\LOCALS~1\Temp\ipatyalp.dat (file missing)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files:
  • C:\WINDOWS\Tasks\wavedvd.exe
    C:\WINDOWS\system\mp3.exe
    C:\WINDOWS\Web\regtcp.exe
    C:\WINDOWS\msagent\uninet.exe
    C:\WINDOWS\java\classes\adnet.exe
    C:\WINDOWS\ServicePackFiles\kbdisk.exe
    C:\WINDOWS\ServicePackFiles\ipacc.exe
    C:\WINDOWS\msagent\chars\vssexp.exe
    C:\WINDOWS\repair\webjpeg.exe
    C:\WINDOWS\Fonts\dvdimg.exe
    C:\WINDOWS\system\cmdras.exe
    C:\WINDOWS\vssvb.exe
    C:\WINDOWS\Tasks\faxav.exe
    C:\WINDOWS\addins\vssdrv.exe
    C:\WINDOWS\system\netplay.exe
    C:\WINDOWS\Fonts\antilib.exe
    C:\WINDOWS\system\fonttcp.exe
    C:\WINDOWS\Driver Cache\accdll.exe
    C:\WINDOWS\ServicePackFiles\wmsad.exe
    C:\WINDOWS\repair\abrbin.exe
    C:\WINDOWS\addins\eulainet.exe
    C:\WINDOWS\Web\accodbc.exe
    C:\WINDOWS\msagent\chars\logwave.exe
    C:\WINDOWS\AppPatch\dlldoc.exe
    C:\WINDOWS\Config\eulacr.exe
    C:\WINDOWS\java\classes\vbacc.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  1. Select Drive C: & click the 'OK' button
  2. Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  3. Click the 'OK' button

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


After you have rebooted, please perform an online scan with Internet Explorer at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

sUBs is offline  
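As an added triage aid (not code from this thread, from sUBs, or from HijackThis itself): a small Python parser for HijackThis log lines that applies the same selection the analyst made above, flagging every O1 hosts entry, O2/O20 components whose file is missing or lives in a Temp directory, and O4 Run values with a `*`-prefixed name. The sample lines are copied from the log in this thread; the flagging rules are my reading of the analyst's choices, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: g.mysearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\Peter\LOCALS~1\Temp\itnarc.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - (no file)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\WINDOWS\TEMP\bewsa.dat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*wavedvd] C:\WINDOWS\Tasks\wavedvd.exe
O4 - HKLM\..\Run: [*dvdimg] C:\WINDOWS\Fonts\dvdimg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O20 - Winlogon Notify: ipcmd - C:\DOCUME~1\Peter\LOCALS~1\Temp\dmcpi.dat (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HijackThis line starts with a section code (R0, O1, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Markers HijackThis prints when a registered component's file is absent.
ABSENT_MARKERS = ("(file missing)", "(no file)")
# A "\Temp\" path component, in any case (covers both "Temp" and "TEMP" on this page).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    raw: str
    reason: Optional[str] = None  # None when the rules found nothing suspicious


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into its section code and body; None for non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(m.group("section"), m.group("body"), line)


def triage(entry: Entry) -> Optional[str]:
    """Return a reason string when the entry matches one of the analyst's selection rules."""
    sec, body = entry.section, entry.body
    if sec == "O1":
        # Any hosts-file entry was selected on this page: they redirect name lookups.
        return "hosts-file entry"
    if sec in ("O2", "O20"):
        # BHOs and Winlogon Notify handlers: selected when the file is gone or sits in Temp.
        if any(marker in body for marker in ABSENT_MARKERS):
            return "registered component whose file is missing"
        if TEMP_DIR_RE.search(body):
            return "component loaded from a Temp directory"
        return None
    if sec == "O4":
        m = O4_RE.match(body)
        if m and m.group("name").startswith("*"):
            # All 26 entries the analyst removed share this '*'-prefixed value name.
            return "Run value with '*'-prefixed name"
        return None
    return None


def triage_log(text: str) -> List[Entry]:
    """Parse a whole log and attach a reason to each entry the rules flag."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry.reason = triage(entry)
        entries.append(entry)
    return entries


def fix_checked_list(text: str) -> List[str]:
    """The raw lines a reviewer would tick under 'Fix checked', in log order."""
    return [e.raw for e in triage_log(text) if e.reason]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        tag = entry.reason or "ok"
        print(f"[{tag}] {entry.raw}")
```

Unflagged lines are still returned (with `reason` set to `None`) so a reviewer can see what the rules left alone; the Symantec, Java and MSN entries on this page stay untouched, as in the analyst's list.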
Old 10-17-2005, 01:32 AM   #3 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


Following up

I think I'll be able to do this.
One question, however -- it looks like you have me bypassing the VundoFix step and proceeding directly to the HijackThis step. Do I get there simply by opening up HijackThis.exe?
B.S.Blues is offline  
Old 10-17-2005, 01:36 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Your version of Vundo does not require VundoFix.exe.

Please open Hijackthis manually.
__________________

sUBs is offline  
Old 10-17-2005, 05:03 AM   #5 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


Thanks for your help so far.
I followed your instructions as best I could, but I hit two speed bumps:
First, I was unable to locate any of the following files (and was therefore unable to delete them):

Locate and delete the following files:
C:\WINDOWS\Tasks\wavedvd.exe
C:\WINDOWS\system\mp3.exe
C:\WINDOWS\Web\regtcp.exe
C:\WINDOWS\msagent\uninet.exe
C:\WINDOWS\java\classes\adnet.exe
C:\WINDOWS\ServicePackFiles\kbdisk.exe
C:\WINDOWS\ServicePackFiles\ipacc.exe
C:\WINDOWS\msagent\chars\vssexp.exe
C:\WINDOWS\repair\webjpeg.exe
C:\WINDOWS\Fonts\dvdimg.exe
C:\WINDOWS\system\cmdras.exe
C:\WINDOWS\vssvb.exe
C:\WINDOWS\Tasks\faxav.exe
C:\WINDOWS\addins\vssdrv.exe
C:\WINDOWS\system\netplay.exe
C:\WINDOWS\Fonts\antilib.exe
C:\WINDOWS\system\fonttcp.exe
C:\WINDOWS\Driver Cache\accdll.exe
C:\WINDOWS\ServicePackFiles\wmsad.exe
C:\WINDOWS\repair\abrbin.exe
C:\WINDOWS\addins\eulainet.exe
C:\WINDOWS\Web\accodbc.exe
C:\WINDOWS\msagent\chars\logwave.exe
C:\WINDOWS\AppPatch\dlldoc.exe
C:\WINDOWS\Config\eulacr.exe
C:\WINDOWS\java\classes\vbacc.exe

Perhaps I would have better luck in safe mode?

Second, I was able to run the Panda program but was unable to do anything with the information afterward. I could see that it had identified 85 Spyware files and two suspicious files, but it would not allow me to open the window wide enough to take further action.
So I ran Kaspersky instead. What I found was almost 500 infected files, most of which are in Norton quarantine.
Trend Micro found nothing.
The results of my logs are below:


Trend Micro™ Anti-Spyware


Summary of Privacy Threats

No Spyware found.

-----------
Kaspersky log results...

C:\Program Files\Norton AntiVirus\Quarantine\77356160.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77380B5C.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\773B3559.exe Infected: Trojan-Dropper.Win32.Agent.fd
C:\Program Files\Norton AntiVirus\Quarantine\77420951.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7745334E.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7755053C.exe Infected: Trojan-Dropper.Win32.Agent.fd
C:\Program Files\Norton AntiVirus\Quarantine\77582F38.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\775C5935.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\775F0331.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77622D2D.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7766572A.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77690126.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\776C2B23.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\776F551F.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77737F1B.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\778D7BA6.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77DB3EA8.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77DE68A5.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77E212A1.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77E53C9E.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77E8669A.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77EB1096.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77EF3A93.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77F2648F.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77F371AE.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77F50E8C.exe Infected: Trojan-Clicker.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\77F83888.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77FC6285.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\77FF0C81.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7802367D.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7806607A.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78090A76.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\780C3473.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\780F5E6F.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78126183.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7813086B.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78163268.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78195C64.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\781C0661.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7820305D.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7830024B.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\783A0040.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78405439.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\784A522E.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\784D7C2B.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78512627.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\78545023.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\785967B5.exe Infected: Trojan-Dropper.Win32.Agent.fd
C:\Program Files\Norton AntiVirus\Quarantine\791A6BF1.dat Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\79497DA8.dat Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\796042FD.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\796A40F2.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\797D3CDC.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\798410D5.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\79873AD2.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\798A64CE.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\798B26F0.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\798D0ECA.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\799138C7.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\799462C3.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\79970CC0.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\799A36BC.exe Infected: Trojan-Dropper.Win32.Agent.fd
C:\Program Files\Norton AntiVirus\Quarantine\79A85EAE.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\79F07A1B.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7A1B6ADD.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7A5B6766.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7A7209CF.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7A825BBD.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7A932DAB.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7AA0559D.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7AAD7D8E.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7AB35187.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7AC109DC.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7AE8714E.exe Infected: Trojan-Dropper.Win32.Agent.fd
C:\Program Files\Norton AntiVirus\Quarantine\7AFC525A.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7B237F0E.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7B5030DB.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7B5A2ED0.exe Infected: Trojan-Clicker.Win32.Agent.bc
C:\Program Files\Norton AntiVirus\Quarantine\7B7B52AC.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7B8659C3.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7B887A9D.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BAF7272.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BB21C6F.exe Infected: Trojan-Dropper.Win32.Agent.aw
C:\Program Files\Norton AntiVirus\Quarantine\7BD91444.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BDF3F22.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BED102E.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BF03A2A.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BF36427.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BF70E23.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BFA3820.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7BFD621C.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C000C19.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C043615.dat Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C0D340A.dat Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C1731FF.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C1B5BFC.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C1E05F8.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C212FF5.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C2803ED.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C2B2DEA.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C2E57E6.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C3101E3.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C352BDF.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C3B7FD8.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C3E29D4.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7C5F2018.exe Infected: Trojan-Spy.Win32.Agent.l
C:\Program Files\Norton AntiVirus\Quarantine\7D7A7C32.dat Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\addins\disksys.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\addins\ftpexp.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\addins\keycom.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\addins\psrun.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\Cursors\sc.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\java\eulasvr.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\java\keymsvc.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\msagent\chars\nutpc.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\Registration\mp3as.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\ServicePackFiles\log.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\system\rasplay.exe Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan.Win32.Qhost.r
C:\WINDOWS\Temp\avajsii.dat Infected: Trojan-Spy.Win32.Agent.l
C:\WINDOWS\Temp\vrssii.dat Infected: Trojan-Spy.Win32.Agent.l

Scan process completed.

------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:53:53 AM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\MDG\MDGnotify.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Richard Beales\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:53:53 AM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\MDG\MDGnotify.exe
C:\Documents and Settings\Richard Beales\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
B.S.Blues is offline  
Old 10-17-2005, 05:13 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A


Don't worry about the missing files. They were taken out by Norton some time ago. That's why Norton's Quarantine has a lot of files. Please use Symantec's guide to remove the Quarantine files.


Let's get rid of the files found by Kaspersky
Download & launch KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames listed below & then right-click & select Copy
  • C:\WINDOWS\addins\disksys.exe
    C:\WINDOWS\addins\ftpexp.exe
    C:\WINDOWS\addins\keycom.exe
    C:\WINDOWS\addins\psrun.exe
    C:\WINDOWS\Cursors\sc.exe
    C:\WINDOWS\java\eulasvr.exe
    C:\WINDOWS\java\keymsvc.exe
    C:\WINDOWS\msagent\chars\nutpc.exe
    C:\WINDOWS\Registration\mp3as.exe
    C:\WINDOWS\ServicePackFiles\log.exe
    C:\WINDOWS\system\rasplay.exe
    C:\WINDOWS\system32\drivers\etc\hosts.bak
    C:\WINDOWS\Temp\avajsii.dat
    C:\WINDOWS\Temp\vrssii.dat
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Post a new log after you have rebooted. Let me know if you still have other issues with your computer.

sUBs is offline  
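What KillBox's "Delete on Reboot" option does under the hood, as an added example (this is not KillBox's code and not part of the post above). It assumes, as most delete-on-reboot tools do, that the deferred delete is requested through MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations as (source, destination) pairs, an empty destination meaning "delete"; smss.exe carries the list out early in the next boot, before any user-mode malware can re-lock or re-create the files. The three paths in SAMPLE_PATHS are taken from the list above as constructed sample input; the real MoveFileExW call only runs on Windows and needs an elevated token.

```python
import ctypes
import sys
from typing import Iterable, List

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h
NT_PREFIX = "\\??\\"                # the registry value stores NT-style paths

# Constructed sample input: three of the paths from the KillBox list above.
SAMPLE_PATHS = [
    r"C:\WINDOWS\addins\disksys.exe",
    r"C:\WINDOWS\Cursors\sc.exe",
    r"C:\WINDOWS\system32\drivers\etc\hosts.bak",
]


def nt_path(win_path: str) -> str:
    """Win32 path -> the \\??\\-prefixed form written to PendingFileRenameOperations."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def pending_rename_entries(paths: Iterable[str]) -> List[str]:
    """REG_MULTI_SZ string list that deletes each path at the next boot.

    The value is a flat list of (source, destination) pairs; an empty
    destination tells the session manager to delete the source instead of
    renaming it.
    """
    entries: List[str] = []
    for p in paths:
        entries.append(nt_path(p))
        entries.append("")  # empty destination == delete
    return entries


def encode_multi_sz(strings: List[str]) -> bytes:
    """Serialise as REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, then a final NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(blob: bytes) -> List[str]:
    """Inverse of encode_multi_sz, for auditing a live value read from the registry.

    Assumes the canonical double-NUL-terminated form, so the last two empty
    fields produced by split() are the terminators, not real entries.
    """
    parts = blob.decode("utf-16-le").split("\x00")
    return parts[:-2]


def schedule_delete_on_reboot(paths: Iterable[str]) -> List[str]:
    """Queue the paths for deletion at next boot and return the resulting entries.

    On Windows this calls MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT),
    which requires administrative rights; on other platforms only the
    registry payload is built, so the logic can be exercised anywhere.
    """
    paths = list(paths)
    entries = pending_rename_entries(paths)
    if sys.platform == "win32":
        kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
        for p in paths:
            if not kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
                raise ctypes.WinError(ctypes.get_last_error())
    return entries


if __name__ == "__main__":
    payload = pending_rename_entries(SAMPLE_PATHS)
    for s in payload:
        print(repr(s))
    print(encode_multi_sz(payload).hex())
```

The round trip through encode_multi_sz/decode_multi_sz is there because the empty destination strings are easy to lose when reading the value back: a naive strip of trailing NULs swallows the last delete marker. If a cleanup appears not to have happened after the reboot, the first thing to check is whether the value is still present (the boot never processed it, usually because the user was not an administrator when it was written).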
Old 10-17-2005, 07:28 PM   #7 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


I'm sure we're making progress after I followed the last two steps, but I still get Vundo messages from Norton, and Ad-Aware still shows Virtumonde on two registry keys.
Here is my most recent Hijack This log and the analysis:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:20 PM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\MDG\MDGnotify.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Richard Beales\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:24:10 PM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\MDG\MDGnotify.exe
C:\Documents and Settings\Richard Beales\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126473129562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
B.S.Blues is offline  
Old 10-17-2005, 07:38 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Show me the exact message as displayed by Norton & Ad-aware.

Your HJT log shows no active entries. Those are dormant entries which should preferably be removed.
__________________

sUBs is offline  
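To make "no active entries, only dormant ones" concrete, here is an added example (not code from HijackThis, the KRC analyzer or anyone in this thread) that parses a handful of O2/O4/O16/O20/O23 lines copied from the log above, reports hooks whose target file is no longer on disk (the autostart entry outlived the file, which is what happens when an AV product quarantines the binary), and separately lists O16 ActiveX downloads served from a bare IP address rather than a vendor hostname. The second check is a review heuristic, not a verdict on any particular entry. Because the scan cannot run here, PRESENT_ON_DISK is a constructed stand-in for a directory walk, and the examplesvc.exe line is a constructed hook with a missing file.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Lines copied from the HijackThis log in the post above, plus one constructed
# O23 line (examplesvc.exe) standing in for a hook whose file is already gone.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\examplesvc.exe
"""

# Constructed: what a directory walk of the machine would have found. In real
# use replace this with os.path.exists() checks on the live system.
PRESENT_ON_DISK: Set[str] = {
    r"C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"C:\Program Files\Norton AntiVirus\SAVScan.exe",
}

SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a loadable extension; quotes are excluded
# so a quoted O4 command line yields the bare path.
WIN_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys|cpl))', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str          # e.g. "O4"
    body: str             # everything after "O4 - "
    path: Optional[str]   # resolved file path, None if the line has none
    url: Optional[str]    # download URL for O16 entries


def parse_log(text: str) -> List[Entry]:
    """Turn HijackThis 1.99 log lines into Entry records; non-entry lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = WIN_PATH_RE.search(body)
        um = URL_RE.search(body)
        entries.append(Entry(m.group("sec"), body,
                             pm.group(1) if pm else None,
                             um.group(0) if um else None))
    return entries


def dormant_entries(entries: List[Entry], present: Set[str]) -> List[Entry]:
    """Hooks whose file is absent: the registry entry survived the file's removal."""
    present_lc = {p.lower() for p in present}   # NTFS paths are case-insensitive
    return [e for e in entries if e.path is not None and e.path.lower() not in present_lc]


def dpf_from_bare_ip(entries: List[Entry]) -> List[Entry]:
    """O16 ActiveX downloads whose host is a literal IP address (worth a closer look)."""
    flagged: List[Entry] = []
    for e in entries:
        if e.section != "O16" or not e.url:
            continue
        host = urlparse(e.url).hostname or ""
        try:
            ip_address(host)
        except ValueError:
            continue                 # a hostname, not an IP literal
        flagged.append(e)
    return flagged


def triage(text: str, present: Set[str]) -> Dict[str, List[str]]:
    """Summary a helper would paste back: what to fix, and what to look at."""
    entries = parse_log(text)
    return {
        "dormant": [e.section + " - " + e.body for e in dormant_entries(entries, present)],
        "dpf_bare_ip": [e.url for e in dpf_from_bare_ip(entries) if e.url],
    }


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG, PRESENT_ON_DISK).items():
        print(bucket)
        for ln in lines:
            print("   ", ln)
```

Entries such as [SoundMan] SOUNDMAN.EXE carry no drive letter and so get path=None rather than being reported as dormant; resolving them means walking %PATH% and the Windows directory, which the example deliberately leaves to the operator.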
Old 10-18-2005, 03:26 AM   #9 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


Ad-Aware and Norton logs

Here's what I found on Ad-Aware and Norton logs this morning (the Ad-Aware scan is incomplete, I stopped it as soon as it had detected the two registry keys).
Norton's logs go on forever; since most entries are alike, I just cut and pasted this morning's activity to give you an idea of what it's doing.

Ad-Aware SE Build 1.06r1
Logfile Created on:October 18, 2005 5:49:29 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R70 12.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):5 total references
Virtumonde(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R70 12.10.2005
Internal build : 82
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 532922 Bytes
Total size : 1597866 Bytes
Signature data size : 1564479 Bytes
Reference data size : 32875 Bytes
Signatures total : 44398
CSI Fingerprints total : 1051
CSI data size : 37487 Bytes
Target categories : 15
Target families : 759


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:55 %
Total physical memory:522032 kb
Available physical memory:283768 kb
Total page file size:1276672 kb
Available on page file:1051364 kb
Total virtual memory:2097024 kb
Available virtual memory:2041332 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


18-10-2005 5:49:29 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Richard Beales\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-48506347-2237029002-1904607352-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-48506347-2237029002-1904607352-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-48506347-2237029002-1904607352-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 568
ThreadCreationTime : 18-10-2005 9:46:02 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 632
ThreadCreationTime : 18-10-2005 9:46:05 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 656
ThreadCreationTime : 18-10-2005 9:46:06 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 700
ThreadCreationTime : 18-10-2005 9:46:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 712
ThreadCreationTime : 18-10-2005 9:46:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 872
ThreadCreationTime : 18-10-2005 9:46:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 928
ThreadCreationTime : 18-10-2005 9:46:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1020
ThreadCreationTime : 18-10-2005 9:46:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1120
ThreadCreationTime : 18-10-2005 9:46:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1268
ThreadCreationTime : 18-10-2005 9:46:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1336
ThreadCreationTime : 18-10-2005 9:46:08 AM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 1368
ThreadCreationTime : 18-10-2005 9:46:10 AM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:13 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1824
ThreadCreationTime : 18-10-2005 9:46:11 AM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1948
ThreadCreationTime : 18-10-2005 9:46:13 AM
BasePriority : Normal
FileVersion : 8.29
ProductVersion : 8.29
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:15 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1976
ThreadCreationTime : 18-10-2005 9:46:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:16 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1984
ThreadCreationTime : 18-10-2005 9:46:13 AM
BasePriority : Normal
FileVersion : 8.29
ProductVersion : 8.29
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:17 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 18-10-2005 9:46:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:18 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 284
ThreadCreationTime : 18-10-2005 9:46:22 AM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:19 [npfmntor.exe]
FilePath : C:\Program Files\Norton AntiVirus\IWP\
ProcessID : 428
ThreadCreationTime : 18-10-2005 9:46:25 AM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 588
ThreadCreationTime : 18-10-2005 9:46:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 616
ThreadCreationTime : 18-10-2005 9:46:26 AM
BasePriority : Normal
FileVersion : 1, 8, 54, 534
ProductVersion : 1, 8, 54, 534
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright (C) 2003
OriginalFilename : symlcsvc.exe

#:22 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 900
ThreadCreationTime : 18-10-2005 9:46:27 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:23 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1456
ThreadCreationTime : 18-10-2005 9:46:32 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:24 [pronomgr.exe]
FilePath : C:\Program Files\Intel\NCS\PROSet\
ProcessID : 1640
ThreadCreationTime : 18-10-2005 9:46:37 AM
BasePriority : Normal
FileVersion : 6.1.42.0
ProductVersion : 6.1.42.0
ProductName : Intel(R) Network Configuration Services
CompanyName : Intel(R) Corporation
FileDescription : PRONotifyMgr Module
InternalName : PRONotifyMgr
LegalCopyright : Copyright(C) 2001-2002 Intel Corporation
OriginalFilename : PRONoMgr.exe

#:25 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1652
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:26 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1664
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 3,0,0,1918
ProductVersion : 7,0,0,1918
ProductName : Intel(R) Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:27 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1672
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 5.1.00
ProductVersion : 5.1.00
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:28 [lxbkbmgr.exe]
FilePath : C:\Program Files\Lexmark X1100 Series\
ProcessID : 1688
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X1100 Series Button Manager
InternalName : lxbkbmgr.exe
LegalCopyright : (C) 2002 Lexmark International, Inc.
OriginalFilename : lxbkbmgr.exe

#:29 [wkufind.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ProcessID : 1704
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 7.00.0716.0
ProductVersion : 7.00.0716.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Update Detection
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:30 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1720
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:31 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_04\bin\
ProcessID : 1732
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal


#:32 [lxbkbmon.exe]
FilePath : C:\Program Files\Lexmark X1100 Series\
ProcessID : 1736
ThreadCreationTime : 18-10-2005 9:46:38 AM
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X1100 Series Button Monitor
InternalName : lxbkbmon.exe
LegalCopyright : (C) 2002 Lexmark International, Inc.
OriginalFilename : lxbkbmon.exe

#:33 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1752
ThreadCreationTime : 18-10-2005 9:46:39 AM
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:34 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1780
ThreadCreationTime : 18-10-2005 9:46:41 AM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:35 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 404
ThreadCreationTime : 18-10-2005 9:46:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:36 [mdgnotify.exe]
FilePath : C:\WINDOWS\MDG\
ProcessID : 1324
ThreadCreationTime : 18-10-2005 9:47:04 AM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : shellnotify
CompanyName : MDG Computers Inc
InternalName : MDGnotify
OriginalFilename : MDGnotify.exe

#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2256
ThreadCreationTime : 18-10-2005 9:47:31 AM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:38 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2664
ThreadCreationTime : 18-10-2005 9:48:12 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:39 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3132
ThreadCreationTime : 18-10-2005 9:49:16 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : atlevents.atlevents

Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : atlevents.atlevents.1

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>
5:49:55 AM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:00:26.141
Objects scanned:54541
Objects identified:2
Objects ignored:0
New critical objects:2

Excerpted from Norton's activity log:
Source: C:\WINDOWS\TEMP\BEWKSID.DAT
Source: C:\WINDOWS\TEMP\BEWKSID.DAT
Source: C:\WINDOWS\TEMP\BEWKSID.DAT
Source: C:\WINDOWS\TEMP\BEWKSID.DAT

Excerpted from Norton's Alerts log:
SymProtect Event Details:
Time: 18/10/2005 5:49:39 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:39 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:37 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:37 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\navapsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Norton AntiVirus\navapsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
SymProtect Event Details:
Time: 18/10/2005 5:49:36 AM
Actor: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe (PID=3132)
Target: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
http://www.symantec.com
B.S.Blues is offline  
Old 10-18-2005, 05:50 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A


Download the file I've attached to this post - regdel.zip

From within it, double click on regdel.reg & answer Yes when prompted to merge into the Registry


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



Then, Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  1. In the popup box that appears, type in C:\WINDOWS\TEMP\BEWKSID.DAT
  2. Click the Open button.
  3. Click YES when prompted to restart your computer.



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



After you have rebooted, download & install - CleanUp.exe

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



Please perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...it begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



Let me know how your machine is behaving now

sUBs is offline  
Old 10-19-2005, 03:50 AM   #11 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


panda scan

You guys at TSF remind me of field biologists -- checking out an animal's scat to see what's wrong!
Great job so far, thanks.
Here's my Panda Active Scan log after the last scan:

Incident                     Status          Location
Adware:adware/quicksearch    No disinfected  C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/comet          No disinfected  C:\WINDOWS\INF\dm.inf
Adware:adware/wupd           No disinfected  C:\PROGRAM FILES\Windows ControlAd
Adware:adware/wintools       No disinfected  Windows Registry
Spyware:Spyware/Spytool      No disinfected  C:\!Submit\ftpexp.exe
Possible Virus.              No disinfected  C:\WINDOWS\addins\kbc.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\Config\iisbak.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\dnsun.exe
Spyware:Spyware/BetterInet   No disinfected  C:\WINDOWS\Downloaded Program Files\flash.inf
Possible Virus.              No disinfected  C:\WINDOWS\Drivers\exps.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\Help\antinet.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\java\classes\expnut.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\repair\dllinfo.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\security\cabkey.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\security\logs\dvdmain.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\system\cateula.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\system\vbac.exe
Spyware:Spyware/Spytool      No disinfected  C:\WINDOWS\system32\ctts.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\Tasks\assrv.exe
Spyware:Spyware/Virtumonde   No disinfected  C:\WINDOWS\Tasks\dnsmain.exe
B.S.Blues is offline  
Old 10-19-2005, 06:39 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A


Please visit this website - http://virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\WINDOWS\Drivers\exps.exe

If found to be malicious, add it to the file deletion list found below.



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\PROGRAM FILES\Windows ControlAd
Locate and delete the following files:
  • C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
    C:\WINDOWS\INF\dm.inf
    C:\WINDOWS\addins\kbc.exe
    C:\WINDOWS\Config\iisbak.exe
    C:\WINDOWS\dnsun.exe
    C:\WINDOWS\Downloaded Program Files\flash.inf
    C:\WINDOWS\Help\antinet.exe
    C:\WINDOWS\java\classes\expnut.exe
    C:\WINDOWS\repair\dllinfo.exe
    C:\WINDOWS\security\cabkey.exe
    C:\WINDOWS\security\logs\dvdmain.exe
    C:\WINDOWS\system\cateula.exe
    C:\WINDOWS\system\vbac.exe
    C:\WINDOWS\system32\ctts.exe
    C:\WINDOWS\Tasks\assrv.exe
    C:\WINDOWS\Tasks\dnsmain.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Note: For any file you cannot find, we'll use Killbox for it...

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames listed below & then right-click & select Copy
  • C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
    C:\WINDOWS\INF\dm.inf
    C:\WINDOWS\addins\kbc.exe
    C:\WINDOWS\Config\iisbak.exe
    C:\WINDOWS\dnsun.exe
    C:\WINDOWS\Downloaded Program Files\flash.inf
    C:\WINDOWS\Help\antinet.exe
    C:\WINDOWS\java\classes\expnut.exe
    C:\WINDOWS\repair\dllinfo.exe
    C:\WINDOWS\security\cabkey.exe
    C:\WINDOWS\security\logs\dvdmain.exe
    C:\WINDOWS\system\cateula.exe
    C:\WINDOWS\system\vbac.exe
    C:\WINDOWS\system32\ctts.exe
    C:\WINDOWS\Tasks\assrv.exe
    C:\WINDOWS\Tasks\dnsmain.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


Let me know how that went. Also let me know if you still have any other issues with your computer.

sUBs is offline  
Old 10-19-2005, 07:48 PM   #13 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


Continuing on...

Here's what Jotti found:


File: exps.exe
Status: INFECTED/MALWARE
MD5 7957a206388393a27094ba269361f5b1
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Vundo.381952.A
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.f
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found Adware.Virtumonde
VBA32 Found AdWare.Virtumonde.f

I've gone ahead and deleted/killboxed the other files and folders you recommended while I await your analysis.
B.S.Blues is offline  
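Four of the fourteen engines above flag exps.exe, and all four name the same family under different vendor labels (Vundo and Virtumonde are the same thing). As an added example that is not part of the thread, this Python script parses a pasted Jotti-style results block and reports that consensus; the sample block is constructed from the verdicts quoted in the post, and the alias table is an assumption covering only the names seen here.

```python
# Added example (not from the thread): parse a pasted Jotti-style scanner
# results block and summarise how many engines flagged the file and which
# malware family they agree on.
import re
from collections import Counter

# Constructed sample: the verdicts quoted in the post above, one per line.
JOTTI_RESULTS = """\
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Vundo.381952.A
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.f
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found Adware.Virtumonde
VBA32 Found AdWare.Virtumonde.f
"""

# Scanner names contain spaces ("AVG Antivirus", "Kaspersky Anti-Virus"),
# so split on the literal " Found " token rather than on whitespace.
LINE_RE = re.compile(r"^(?P<scanner>.+?) Found (?P<verdict>.+)$")

# Assumed alias table: vendors name this family either Vundo or Virtumonde.
FAMILY_ALIASES = {"vundo": "Vundo", "virtumonde": "Vundo"}


def parse_results(text):
    """Return {scanner: verdict} with None for engines that found nothing."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or blank lines pasted along with the table
        verdict = m.group("verdict").strip()
        results[m.group("scanner")] = None if verdict.lower() == "nothing" else verdict
    return results


def family_of(verdict):
    """Map a vendor-specific detection name to a normalised family name."""
    low = verdict.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in low:
            return family
    return "Unknown"


def summarize(results):
    """Count detections and group them by normalised family."""
    detections = {scanner: v for scanner, v in results.items() if v}
    families = Counter(family_of(v) for v in detections.values())
    return {
        "detected": len(detections),
        "engines": len(results),
        "families": dict(families),
        "flagged_by": sorted(detections),
    }


if __name__ == "__main__":
    s = summarize(parse_results(JOTTI_RESULTS))
    # A low hit count is not a clean bill: here every hit names the same family.
    print(f"{s['detected']}/{s['engines']} engines flagged; families: {s['families']}")
```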
Old 10-19-2005, 08:37 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A


LOL..it's scum. Nuke it!!

After that, you'll be clean again.

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here.


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

sUBs is offline  
Old 10-19-2005, 09:01 PM   #15 (permalink)
I helped the forums.
 
Join Date: Oct 2005
Posts: 18
OS: XP


Thanks

Thanks for all your help; I have one other small issue unrelated to this that I'll be posting in a separate thread.
I tried to send a donation but Paypal is having technical difficulties, so I'll try again in a day or two.
B.S.Blues is offline  
Copyright 2001 - 2009, Tech Support Forum