# Please help, Trojan Win32.Virut



## Curly_Q_Link (Sep 12, 2007)

System is WinXP Pro

I can't seem to get rid of this virus. It knocked out my Norton AV program so I 
currently rely on online scanners. I have run SuperAntispyware, AVG Anti Virus (I must 
have done something wrong, as it deleted some start files causing a Logon-Logoff loop, 
resulting in a WindowsXP repair install) only to have some variation of the virus 
constantly returning. I also let Kaspersky online scanner run all night last night, but 
there was no option for cleaning unless you buy. I will need to obtain a good AV 
program also, need recommendations, don't trust Norton too much any more after this 
:confused stuff slipped through.

I have saved a copy of the Kaspersky report and will post it if needed, please advise.
Thank You
CQL


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Please do post your Kaspersky log and also do the following:

*Click here* and then scroll down to and click on *hijackthis self installer* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Curly_Q_Link (Sep 12, 2007)

Hello to you also, Cookiegal, and thank you in advance for your help and a quick reply

Here are the requested logs:
_____________________________________________________________________
Wednesday, September 12, 2007 4:33:25 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412445

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics 
Total number of scanned objects 111102 
Number of viruses found 5 
Number of infected objects 13 
Number of suspicious objects 0 
Duration of the scan process 02:44:11

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\kjm\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\kjm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\kjm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\kjm\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\kjm\ntuser.dat Object is locked skipped

C:\Documents and Settings\kjm\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Installer\{00040409-78E1-11D2-B60F-006097C998E7}\bindico.exe Infected: Virus.Win32.Virut.o skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{60C3424B-4090-4904-8844-F34CB80E89C9}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3T4X807H\dl[2].exe/data0005 Infected: Trojan-Downloader.Win32.VB.bgd skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3T4X807H\dl[2].exe NSIS: infected - 1 skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FJWSHPA1\eihfujcv[1].htm Infected: Trojan-Downloader.Win32.Agent.coy skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YQPSUN6L\eihfujcv[1].htm Infected: Trojan-Downloader.Win32.Agent.coy skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\xpdx.sys Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\wjiio.exe Infected: Trojan-Downloader.Win32.Agent.coy skipped

D:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

D:\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

G:\Ken's\SW\Adobe Photoshop CS.rar.exe Object is locked skipped

G:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

H:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

I:\Downloads\Mp3 Programs\areslite181.exe/data0016/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

I:\Downloads\Mp3 Programs\areslite181.exe/data0016/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

I:\Downloads\Mp3 Programs\areslite181.exe/data0016/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

I:\Downloads\Mp3 Programs\areslite181.exe/data0016/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

I:\Downloads\Mp3 Programs\areslite181.exe/data0016/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

I:\Downloads\Mp3 Programs\areslite181.exe/data0016 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

I:\Downloads\Mp3 Programs\areslite181.exe NSIS: infected - 6 skipped

I:\System Volume Information\_restore{D49ACE88-DFD6-40FA-B917-FF72DD081F39}\RP4\change.log Object is locked skipped

Scan process completed.

______________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:05 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to You by The Three Stooges
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Editor plugin - {D7C5460A-5F36-4af2-B9D3-60B49931156A} - mountr.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [] mstdmc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189555125309
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINDOWS\system32\dssdll32.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Unknown owner - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MaxSyncService (NTService1) - Unknown owner - F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 6824 bytes

Thanks 
CQL


----------



## Cookiegal (Aug 27, 2003)

Download rustbfix.exe from *here* and save it to your desktop.

Double click on *rustbfix.exe*. If a Rustock.b infection is found, you will be asked to reboot your computer. The reboot will probably take quite a while and perhaps two reboots will be needed but this will happen automatically so please be patient and allow the process to complete.

After the reboot, two log files will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these log files along with a new HijackThis log please.


----------



## Curly_Q_Link (Sep 12, 2007)

Here you go!!!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gqbltdsv

*******************

Script file located at: \??\C:\Documents and Settings\dtgygubf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver xpdx unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
_____________________________________________

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Wed 09/12/2007 18:23:45.08

******************* Pre-run Status of system *******************

Rootkit driver xpdx is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\xpdx.sys FOUND!
attempting to delete xpdx.sys from system32-folder

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************

______________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:11 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to You by The Three Stooges
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Editor plugin - {D7C5460A-5F36-4af2-B9D3-60B49931156A} - mountr.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [] mstdmc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189555125309
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINDOWS\system32\dssdll32.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Unknown owner - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MaxSyncService (NTService1) - Unknown owner - F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 6872 bytes


----------



## Cookiegal (Aug 27, 2003)

Download and install *AVG Anti-Spyware v7.5*. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions. 

After download, double click on the file to launch the install process. 
Choose a language, click "*OK*" and then click "*Next*". 
Read the "_License Agreement_" and click "*I Agree*". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. _As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them._ 
Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "*Update*" button and click "*Start update*". 
Wait until you see the "_Update successful_" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.
*Reboot your computer in SAFE MODE* using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". _(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)_

*Scan with AVG Anti-Spyware as follows*:
Click on the "*Scanner*" button and choose the "*Settings*" tab.

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan? *", "*Possibly unwanted software*", and *What to Scan?*" leave all the default settings. 
Under "*Reports*" select "*Do not automatically generate reports*". 
Click the "*Scan*" tab to return to scanning options. 
Click "*Complete System Scan*" to start. 
When the scan has finished, it should automatically be set to *Quarantine*--if not click on _Recommended Action_ and set it there. 
You will also be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_*IMPORTANT!* Do not save the report before you have clicked the :*Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button._
Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
_Note: Close all open windows, programs, and *DO NOT USE the computer while AVG Anti-Spyware is scanning*. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection._

_AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period._

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## Curly_Q_Link (Sep 12, 2007)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	9:27:05 PM 9/12/2007

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FJWSHPA1\eihfujcv[1].htm -> Downloader.Agent.coy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YQPSUN6L\eihfujcv[1].htm -> Downloader.Agent.coy : Cleaned with backup (quarantined).
C:\wjiio.exe -> Downloader.Agent.coy : Cleaned with backup (quarantined).
C:\Documents and Settings\kjm\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.15:C:\Documents and Settings\kjm\Application Data\Mozilla\Firefox\Profiles\dy73g59c.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.

::Report end
_______________________________________________________

Incident Status Location

Adware:adware/azesearch Not disinfected C:\Documents and Settings\kjm\Favorites\sports\Auto Racing.url 
Adware:adware/coolsavings Not disinfected Windows Registry 
Virus:Js/Psyme.GF Disinfected C:\Program Files\installer.js  
Spyware:Cookie/Atwola Not disinfected C:\RECYCLER\NPROTECT\00001984 
Spyware:Cookie/Versiontracker Not disinfected C:\RECYCLER\NPROTECT\00002000 
Virus:Trj/Downloader.OXI Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3T4X807H\dl[2].exe

_______________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:39 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to You by The Three Stooges
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Editor plugin - {D7C5460A-5F36-4af2-B9D3-60B49931156A} - mountr.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [] mstdmc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] f:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189555125309
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINDOWS\system32\dssdll32.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - f:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - f:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Unknown owner - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MaxSyncService (NTService1) - Unknown owner - F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 7029 bytes


----------



## Curly_Q_Link (Sep 12, 2007)

Bump Please...


----------



## Cookiegal (Aug 27, 2003)

Download ComboFix from *Here* or *Here* to your Desktop.

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply
*Note: Do not mouseclick combofix's window while its running. That may cause it to stall*


----------



## Curly_Q_Link (Sep 12, 2007)

HI Cookiegal, I DL'd combofix and ran it, the DOS window came up, it said Preparing to run, then disappeared, no prompts to follow.

Is that right??

CQL


----------



## Cookiegal (Aug 27, 2003)

Do you see a log in C:\ComboFix.txt?


----------



## Curly_Q_Link (Sep 12, 2007)

I find C: combofix folder with 87 files but no combofix.txt in it. Also it's not on Desktop.


----------



## Cookiegal (Aug 27, 2003)

Did you not download it to your desktop?


----------



## Curly_Q_Link (Sep 12, 2007)

I meant the log was not there, I saved combofix to desktop and double clicked to run, should I delete the folder and try again or something else?


----------



## Cookiegal (Aug 27, 2003)

Yes, delete it and try downloading it again please.


----------



## Curly_Q_Link (Sep 12, 2007)

DL'd to desktop, ran it, still get window that says Please wait Combofix is Preparing to Run. Then window disappears... no combofix.txt in c:\ Maybe run it in safe mode??


----------



## Cookiegal (Aug 27, 2003)

I think AVG may be interfering. Are you getting any alerts from AVG anti-virus? Apparently, it's been flagging the combofix.exe as a false positive. Can you check the AVG quarantine folder and see if it's there?


----------



## Curly_Q_Link (Sep 12, 2007)

Hi, I'll have to check back Sun. night or Monday.
MOre inffo: when I ran AVG last week it deleted/quarantined about 1400 infections, many program .exe files. Not many of my progs sttill work includin Notepad (even though other logs came through.) 
Don't forget about me, keep posting any relevant info, I will check in laptop until I return


----------



## Cookiegal (Aug 27, 2003)

Please run the *F-Secure Online Scanner*

Note: *You must use Internet Explorer for this scan!*


Accept the License Agreement. 
Once the ActiveX installs click *Full System Scan* 
Once the download completes, the scan will begin automatically. 
The scan will take some time to finish, so please be patient. 
When the scan completes, click the *Automatic cleaning (recommended)* button. 
Click the *Show Report* button and copy and paste the entire report in your next reply.


----------



## Curly_Q_Link (Sep 12, 2007)

Previous post:

[I think AVG may be interfering. Are you getting any alerts from AVG anti-virus? Apparently, it's been flagging the combofix.exe as a false positive. Can you check the AVG quarantine folder and see if it's there?]

I noticed that AVG AV is no longer operative. Apparently when I ran the AVG scan and let it Quarantined 1542 files, mostly .exe files, several of then were AVG Program files, which knocked it out.

I reinstalled AVG AV and tried Combofix again, same result, no log and no Combofix being flagged by AVG AV, no Combofix in Quarantine folder either.

I'm currently running F-Scanner and will post when it finishes. (I'm using another computer to post this reply)

Two more things, I should probably wait until all viruses and spyware are cleaned before reinstalling any other programs, right? and should I clean out all Temp files and others with ATF Cleaner before shutting down/restarting and on startup??


----------



## Cookiegal (Aug 27, 2003)

Yes, please hold off installing anything other that what we need for this clean up. You can run ATF Cleaner if you wish.


----------



## Curly_Q_Link (Sep 12, 2007)

I ran F-Secure, it finished , found one virus and 2 spyware, clicked autoclean then IE just closed down, no report. I think too many program .exe files are in the AVG quarantine, keeping things from running properly.
WHat about restoring all the quarantined files and letting another AV program detect and repair? just a thought.


----------



## Cookiegal (Aug 27, 2003)

Let's try doing a system restore to before this all started happening. Let me know if you need instructions for that. If it doesn't help, it can be undone.


----------



## Curly_Q_Link (Sep 12, 2007)

I did try that right after this occurred, no luck. I've had system restore turned off on all drives since I got the infection, to try and keep the viruses out of the restore files, so there are no restore points. 

I see a Format of my C drive looming in the future, most programs are on other drives.


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group select *ALL*
in the *Additional Scans* sections please press select *ALL* 
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## Curly_Q_Link (Sep 12, 2007)

File is too big, I'll split it up, standby. 
In the meantime, I DL'd a new copy of Notepad2.exe, works OK.


----------



## Curly_Q_Link (Sep 12, 2007)

First part.


----------



## Curly_Q_Link (Sep 12, 2007)

second part


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the code box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - All]
< SSODL [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {280A7B65-8F00-438F-3E5A-1F039433FE60} [HKLM] -> %System32%\dssdll32.dll [MSN Messenger]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {D7C5460A-5F36-4af2-B9D3-60B49931156A} [HKLM] -> mountr.dll [Editor plugin]
< Security Settings > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> Viewpoint Manager -> Viewpoint Manager (Remove Only)
YN -> ViewpointMediaPlayer -> Viewpoint Media Player
[Files/Folders - Created Within 60 days]
NY -> capcom -> %System32%\capcom
NY -> cfig322 -> %System32%\cfig322
NY -> drvr2 -> %System32%\drvr2
NY -> eadbbcbd.nls -> %System32%\eadbbcbd.nls
NY -> f03WtR -> %System32%\f03WtR
NY -> H7 -> %System32%\H7
NY -> dfl2z32.dll -> %LocalAppData%\dfl2z32.dll
[Files/Folders - Modified Within 30 days]
NY -> capcom -> %System32%\capcom
NY -> cfig322 -> %System32%\cfig322
NY -> f03WtR -> %System32%\f03WtR
NY -> H7 -> %System32%\H7
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## Curly_Q_Link (Sep 12, 2007)

Before I read this post I ran F-secure again and got a log file, here it is and I will come back shortly and follow the last post instructions, unless new instructions are received. 

CQL

Scanning Report
Monday, September 17, 2007 09:42:08 - 10:38:37
Computer name: PUTEROOM 
Scanning type: Scan system for viruses, rootkits, spyware 
Target: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ 


--------------------------------------------------------------------------------

Result: 2 malware found
Virus.Win32.Virut.o (virus) 
C:\WINDOWS\INSTALLER\{00040409-78E1-11D2-B60F-006097C998E7}\BINDICO.EXE (Submitted) 
Win32.TrojanDownloader.Agent (spyware) 
System (Disinfected) 

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 45269 
System: 4018 
Not scanned: 3 
Actions:
Disinfected: 1 
Renamed: 0 
Deleted: 0 
None: 1 
Submitted: 1 
Files not scanned:
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT 
D:\PAGEFILE.SYS 

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-09-15 
F-Secure AVP: 7.0.171, 2007-09-17 
F-Secure Orion: 1.2.37, 2007-09-17 
F-Secure Blacklight: 1.0.64 
F-Secure Draco: 1.0.35, 0597-150-72 
F-Secure Pegasus: 1.19.0, 2007-08-10 
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX 
Use Advanced heuristics 

--------------------------------------------------------------------------------

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.


----------



## Curly_Q_Link (Sep 12, 2007)

WinPFind log:

Explorer killed successfully
[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\MSN Messenger not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7C5460A-5F36-4af2-B9D3-60B49931156A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7C5460A-5F36-4af2-B9D3-60B49931156A} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Internet Explorer\IEXPLORE.EXE deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer deleted successfully.
[Files/Folders - Created Within 60 days]
C:\WINDOWS\SYSTEM32\capcom moved successfully.
C:\WINDOWS\SYSTEM32\cfig322 moved successfully.
C:\WINDOWS\SYSTEM32\drvr2 moved successfully.
C:\WINDOWS\SYSTEM32\eadbbcbd.nls moved successfully.
C:\WINDOWS\SYSTEM32\f03WtR moved successfully.
C:\WINDOWS\SYSTEM32\H7 moved successfully.
LoadLibrary failed for C:\Documents and Settings\kjm\Local Settings\Application Data\dfl2z32.dll
C:\Documents and Settings\kjm\Local Settings\Application Data\dfl2z32.dll NOT unregistered.
C:\Documents and Settings\kjm\Local Settings\Application Data\dfl2z32.dll moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\SYSTEM32\capcom not found!
File C:\WINDOWS\SYSTEM32\cfig322 not found!
File C:\WINDOWS\SYSTEM32\f03WtR not found!
File C:\WINDOWS\SYSTEM32\H7 not found!
[Empty Temp Folders]
C:\DOCUME~1\kjm\LOCALS~1\Temp\ -> emptied.
D:\Temp\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 09/17/2007 12:06:41

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:12 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\UltimateZip 2007\Notepad2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to You by The Three Stooges
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189555125309
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Unknown owner - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MaxSyncService (NTService1) - Unknown owner - F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 6598 bytes


----------



## Cookiegal (Aug 27, 2003)

You mentioned earlier that AVG may have deleted some files that were infected. Please check your logs and post the names and entire paths of files that were deleted rather than cleaned. 

This is a nasty one that infects many of the exe files and it's difficult to clean.


----------



## Curly_Q_Link (Sep 12, 2007)

I've attached the file as an 2 Excel files (Scanned by Norton & SuperAntiSpyware) sorted by Path name.

CQL


----------



## Curly_Q_Link (Sep 12, 2007)

Part 2


----------



## Curly_Q_Link (Sep 12, 2007)

try again


----------



## Cookiegal (Aug 27, 2003)

AVG has a virut remover tool so try running it:

http://free.grisoft.com/doc/virus-removal/us/frt/0/ndi/67762

Let me know how it goes.


----------



## Curly_Q_Link (Sep 12, 2007)

Followed the instructions, everything had an OK status except for some files that said "can't open". I'm running AVG AV now...Do you need those "can't open" file names, or a new HJT log (before or after Reboot)?


----------



## Cookiegal (Aug 27, 2003)

Yes, please post the "can't open" ones and a post run HijackThis log.


----------



## Curly_Q_Link (Sep 12, 2007)

After running AVG AV after the Win32/Virut fix the only thing it logged was
No threats
Object: C:\Windows\System32\kernel32.dll 
Result: Change 
Status: Changed
__________________________________________________________________

WinPFind can't open files:

C:\Documents and Settings\kjm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat; Can't open
C:\Documents and Settings\kjm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG; Can't open
C:\Documents and Settings\kjm\ntuser.dat; Can't open
C:\Documents and Settings\kjm\NTUSER.DAT.LOG; Can't open
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat; Can't open
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG; Can't open
C:\Documents and Settings\LocalService\NTUSER.DAT; Can't open
C:\Documents and Settings\LocalService\ntuser.dat.LOG; Can't open
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat; Can't open
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG; Can't open
C:\Documents and Settings\NetworkService\NTUSER.DAT; Can't open
C:\Documents and Settings\NetworkService\ntuser.dat.LOG; Can't open
C:\WINDOWS\system32\CatRoot2\edb.log; Can't open
C:\WINDOWS\system32\CatRoot2\tmp.edb; Can't open
C:\WINDOWS\system32\config\default; Can't open
C:\WINDOWS\system32\config\default.LOG; Can't open
C:\WINDOWS\system32\config\SAM; Can't open
C:\WINDOWS\system32\config\SAM.LOG; Can't open
C:\WINDOWS\system32\config\SECURITY; Can't open
C:\WINDOWS\system32\config\SECURITY.LOG; Can't open
C:\WINDOWS\system32\config\software; Can't open
C:\WINDOWS\system32\config\software.LOG; Can't open
C:\WINDOWS\system32\config\system; Can't open
C:\WINDOWS\system32\config\system.LOG; Can't open
_____________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:19 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to You by The Three Stooges
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189555125309
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Unknown owner - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MaxSyncService (NTService1) - Unknown owner - F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 6590 bytes


----------



## Cookiegal (Aug 27, 2003)

Are all those files still in quarantine? Do you know if the tool scanned them?


----------



## Curly_Q_Link (Sep 12, 2007)

Just double clicked rmvirut.exe (with the other 2 dl'd files in the same folder) and it started scanning all drives, I don't know how to set the scan parameters.
Didn't see anything about Quarantine.
Maybe have to let it run on reboot.

PS 
if you meant the infected .exe files from the old AVG AV scan, yes they are still Q'd.
I'll be back on tomorrow afternoon CST.
CQL


----------



## Cookiegal (Aug 27, 2003)

If you still want to continue to try to fix this then I suggest you back up all of your important data before doing anything else and also create a new system restore point. To do that, turn system restore back on and then click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I would suggest you restore many of those files from AVG's quarantine vault but the list is much too lengthy for me to do an exhaustive search as to what's bad and what's good so we may restore some infected files. I took a glance through the list and you should NOT restore these:

*Do NOT restore *any files running from these locations:

C:\
C:\RECYCLER
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
C:\Documents and Settings\kjm\Local Settings\Temporary Internet Files
or any other TEMP file location.

*DO restore*:
Everything running from these locations:
C:\Program files
C:\Windows\System32\dllcache
C:\Windows

and *most *of the files in C:\Windows\System32 but *be careful NOT to restore these*:

C:\WINDOWS\system32\allworld.exe
C:\WINDOWS\system32\capcom\nab22011.exe
C:\WINDOWS\system32\cfig322\icm33o.exe
C:\WINDOWS\system32\f03WtR\f03WtR1066.exe

Do not run AVG Free at all as we don't want it to quarantine them again but run the AVG virut removal tool again and also run this on-line scanner:

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from Kaspersky scan*


----------



## Curly_Q_Link (Sep 12, 2007)

Did the backup, created restore point.
A lot of the AVG restorable files are WIN32/Expiro infected, will the rmvirut and /or Kaspersky take care of those as well?
Should I just delete the BAD files from quarantine?
I didn't find a remover for that particular one.
It is quite a long list.

CQL


----------



## Cookiegal (Aug 27, 2003)

Not that particular tool but the Kaspersky scan should clean some of them. Then you can also run this one.

Please run the *F-Secure Online Scanner*

Note: *You must use Internet Explorer for this scan!*


Accept the License Agreement. 
Once the ActiveX installs click *Full System Scan* 
Once the download completes, the scan will begin automatically. 
The scan will take some time to finish, so please be patient. 
When the scan completes, click the *Automatic cleaning (recommended)* button. 
Click the *Show Report* button and copy and paste the entire report in your next reply.

As this infection steals information, you should change passwords, credit card and bank account numbers, etc. if you have any of that sort of information in your computer.


----------



## Cookiegal (Aug 27, 2003)

If they are programs that you can reinstall, then it would be best to delete those files rather than restoring them but others will have to be restored so we can clean them.


----------



## Cookiegal (Aug 27, 2003)

How are things going here?

I meant to say to download the trial version of Kaspersky as the on-line scan won't fix anything.

http://usa.kaspersky.com/trials/tri...ownloads/trial-versions.php&chapter=146481750


----------



## Curly_Q_Link (Sep 12, 2007)

Just got home from work 
If a restored file tries to overwite an existing file, such as a system32\dllcache file should I let it?
Remember, I did a repair install of winXP, so many files may have been replaced?

If I have to restore most files one by one, I am seriously thinking about just reformatting c: drive and reinstalling everything, won't be the first time.
CQL


----------



## Cookiegal (Aug 27, 2003)

No, do not overwrite any files with the quarantined ones.

If reformatting is an option for you, that it what I would still recommend as we can't really know the extent of the damage it's done.

Don't back up anything that has an .exe extension or an .scr extension as those files are likely all infected.


----------



## Curly_Q_Link (Sep 12, 2007)

Yeah, sounds like the best idea now.
I have already backed up to an external, drive partitions g: through j, some important info from c:
Drive partitions d through f were applications that can be reinstalled. 
What would you suggest, for making sure there is no infections left on all drives but c: before reformatting? Kaspersky, F-secure etc
There are some .scr files on c:, many .exe on most drives 

I'm running kaspersky 7.0 trial now to see if it shows anything

One more thing, does Kaspersky run on Apple Macs?
CQL


----------



## Cookiegal (Aug 27, 2003)

Kaspersky will not run on a Mac.

As I said before, any .scr and .exe files may be infected so backing them up would be risky.

You should back up data, music, pictures and things like that.

Program should be reinstalled.


----------



## Curly_Q_Link (Sep 12, 2007)

I'm backing up those important files and weeding out .exe files a little at a time when I can.
I've run Kaspersky a couple times with no detections other than the first time. Running again at the Max settings.
I'll post back the results of this and an HJT log. Soon I'll find time to reformat and reinstall

CQL


----------



## Cookiegal (Aug 27, 2003)

Sounds good.


----------



## Curly_Q_Link (Sep 12, 2007)

After thorough scans by Kaspersky & Trend 6.6, no threats. I'll start the reinstall - format process this week and let you know how things turn out.

Anyway, here's an HJT. See anything that a format of c: won't cover?

Thanks...CQL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:58 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to You by The Three Stooges
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [MaxtorOneTouch] F:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189555125309
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/SyScan.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MaxBackServiceInt - Unknown owner - F:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - F:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

--
End of file - 6064 bytes


----------



## Cookiegal (Aug 27, 2003)

A reformat will take care of everything.


----------

