Hi everyone,
I ran Ad-Aware, Spybot, win32delfkil, & smitRem but I still get a lot of pop-ups.
These pop-ups started when I recently used a site to find air-fare.
One time I even heard a radio/tv music station on my speakers when no programs were running on my pc...freaky
Anyways, here's my HJ log, and I was hoping someone could help me out
Thanks
Ska
----------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:12:47 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
[*]Double-click VundoFix.exe to run it.
[*]Click the Scan for Vundo button.
[*]Once it's done scanning, click the Remove Vundo button.
[*]You will receive a prompt asking if you want to remove the files, click YES
[*]Once you click yes, your desktop will go blank as it starts removing Vundo.
[*]When completed, it will prompt that it will reboot your computer, click OK.
[*]Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Attempting to delete C:\WINDOWS\system32\tmpC.tmp.dll
C:\WINDOWS\system32\tmpC.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
--------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:28:32 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Originally posted by KotaGuy: Please download VundoFix.exe to your desktop.
[*]Double-click VundoFix.exe to run it.
[*]Click the Scan for Vundo button.
[*]Once it's done scanning, click the Remove Vundo button.
[*]You will receive a prompt asking if you want to remove the files, click YES
[*]Once you click yes, your desktop will go blank as it starts removing Vundo.
[*]When completed, it will prompt that it will reboot your computer, click OK.
[*]Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Try to boot in safe mode, and look for any unwanted programs that might have been installed. Hope you have a recovery disk? What type of pop-ups are you getting? It sounds like your Windows\system32 file was deleted.
Vundofix deleting that dll shouldn't have caused the shutdown issue.
How often are the shutdowns happening? When are they happening? And are you getting any kind of error messages? If so... can you tell me exactly what they are please.
Print this out for reference during the fix as you will be booting into Safe Mode and won't be able to access this site.
For now download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
[*] Restart your computer
[*] After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*] Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*] Select the first option, to run Windows in Safe Mode, then press Enter.
[*] Choose your usual account.
[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*] Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.
Remaining Files:
---------------
C:\WINDOWS\system32\rsvp32_2.dll Found - LSP!
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\Program Files\Steam\SteamApps\skahung123@yahoo.com\counter-strike\cstrike\radial.cdb
C:\WINDOWS\system\svchost.dll
C:\WINDOWS\system32\tmp_35b.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
Finished
--------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:45:15 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
OK... been doing a bit of research into this... gonna take a bit more to do to get your machine fully clean.
Though you have a Vundo infection (which we will take care of later)... the main nasty is the nuwar worm. Can be a pain to get rid of. Follow my next instructions carefully as I will be giving you a bit to do.
Print this out for reference during the fix please.
Download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
[*]Install AVG Anti-Spyware by double clicking the installer.
[*]Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
[*]On the main screen under Your Computer's security:
[*]Click on Change state next to Resident shield. It should now change to inactive.
[*]Click on Change state next to Automatic updates. It should now change to inactive.
[*]Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
[*]Wait until you see the Update successful message.
[*]Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
[*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Don't scan with it yet.
Download Lspfix. Extract (unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, highlight all instances of rsvp32_2.dll (and nothing else), and move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.
Please reboot your computer in Safe Mode by doing the following :
[*] Restart your computer
[*] After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*] Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*] Select the first option, to run Windows in Safe Mode, then press Enter.
[*] Choose your usual account.
[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Run and scan with HijackThis and place checks beside the following:
Close all open browsers/windows and click the Fix button.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
For Firefox:
Click Firefox at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
For Opera:
Click Opera at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
[*]Click on Scanner on the toolbar.
[*]Click on the Settings tab.
[*]Under How to act?
[*]Click on Recommended Action and choose Quarantine from the popup menu.
[*]Under How to scan?
[*]All checkboxes should be ticked.
[*]Under Possibly unwanted software:
[*]All checkboxes should be ticked.
[*]Under Reports:
[*]Select Automatically generate report after every scan and uncheck Only if threats were found.
[*]Under What to scan?
[*]Select Scan every file.
[*]Click on the Scan tab.
[*]Click on Complete System Scan to start the scan process.
[*]Let the program scan the machine.
[*]When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
[*]Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2)
[*]At the bottom of the window click on the Apply all Actions button. (3)
[*]When done, click the Save Scan Report button. (4)
[*]Click the Save Report as button.
[*]Save the report to your Desktop.
[*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
[*]The program will launch and then begin downloading the latest definition files:
[*]Once the files have been downloaded click on NEXT
[*]Now click on Scan Settings
[*]In the scan settings make sure that the following are selected:
[*]Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
[*]Scan Options:
Scan Archives
Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:
Select My Computer
[*]The program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
[*]Now click on the Save as Text button:
[*]Save the file to your desktop.
Post the contents of Report.txt, the Kaspersky scan log, the AVG log and a new HijackThis log please.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 04, 2007 8:10:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/04/2007
Kaspersky Anti-Virus database records: 290702
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 41581
Number of viruses found: 15
Number of infected objects: 42 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:36:48
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007040420070405\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip/svchost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP542\A0046112.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0049978.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0049981.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0051998.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0052000.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054027.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054028.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054029.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054032.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054033.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054050.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054051.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054059.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054060.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054075.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054211.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054212.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054213.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054214.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054215.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054216.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054217.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054218.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054219.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054220.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054221.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054222.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054223.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054224.exe Infected: Packed.Win32.Klone.b skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054225.exe Infected: Trojan-Dropper.Win32.Agent.aax skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054226.dll Infected: Trojan-Downloader.Win32.Agent.zi skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054227.exe Infected: Trojan-Downloader.Win32.Tibs.bc skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054228.dll Infected: Email-Worm.Win32.Locksky.p skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054229.exe Infected: Trojan-Downloader.Win32.Small.asa skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054230.exe Infected: Trojan-Proxy.Win32.Small.di skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054231.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\duo.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\WINDOWS\pep.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B416D777-928C-4500-8EBD-A850E5C8CB51}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bak\adirka.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\WINDOWS\system32\bak\adirss.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\duo.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\smt.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Logfile of HijackThis v1.99.1
Scan saved at 8:13:02 AM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
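As an added example (not code from anyone in this thread), here is a Python script that triages a Kaspersky Online Scanner report in the layout posted above: it parses the object lines, separates live infected files from the copies sitting in System Restore snapshots and from the "Object is locked" noise, and cross-checks the report's own statistics against the lines it lists. The report embedded in it is a constructed excerpt in that format, not the full log.

```python
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt (not the full report posted above) in the scanner's layout:
# statistics block, column header, then one "<path> <status> <action>" line per object.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
Scan Statistics:
Total number of scanned objects: 9
Number of viruses found: 3
Number of infected objects: 6 / 0
Number of suspicious objects: 2
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip/svchost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0049978.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054211.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\WINDOWS\duo.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\WINDOWS\system32\duo.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\WINDOWS\system32\bak\adirka.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\WINDOWS\system32\smt.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
"""

# One object per line: a path (may contain spaces), a status, and the last action.
OBJECT_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<infected>\S+)|Suspicious: (?P<suspicious>\S+)"
    r"|ZIP: suspicious - \d+|Object is locked) (?P<action>\S+)$"
)
STATS_RE = {
    "infected": re.compile(r"^Number of infected objects: (\d+) / (\d+)$"),
    "suspicious": re.compile(r"^Number of suspicious objects: (\d+)$"),
}
# Copies under System Volume Information are System Restore snapshots, not live
# files; they only come back if that restore point is applied.
RESTORE_MARKER = "\\System Volume Information\\_restore{"


@dataclass(frozen=True)
class ScanObject:
    path: str
    kind: str       # "infected", "suspicious" or "locked"
    detection: str  # Kaspersky detection name, "" for locked objects
    action: str     # last action the scanner took ("skipped" in an online scan)

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_MARKER in self.path


def parse_report(text: str) -> tuple[dict, list[ScanObject]]:
    """Return (statistics, objects); lines matching neither pattern are ignored."""
    stats, objects = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        for key, rx in STATS_RE.items():
            m = rx.match(line)
            if m:
                stats[key] = int(m.group(1))
        m = OBJECT_RE.match(line)
        if not m:
            continue
        if m.group("infected"):
            kind, name = "infected", m.group("infected")
        elif m.group("suspicious"):
            kind, name = "suspicious", m.group("suspicious")
        elif "ZIP: suspicious" in line:
            kind, name = "suspicious", "ZIP container"
        else:
            kind, name = "locked", ""
        objects.append(ScanObject(m.group("path"), kind, name, m.group("action")))
    return stats, objects


def summarize(objects: list[ScanObject]) -> dict:
    """Split the report into what needs action and what is noise."""
    infected = [o for o in objects if o.kind == "infected"]
    live = [o for o in infected if not o.in_restore_point]
    names = Counter(ntpath.basename(o.path).lower() for o in live)
    return {
        "live_infected": [o.path for o in live],
        "restore_point_infected": len(infected) - len(live),
        "suspicious": [o.path for o in objects if o.kind == "suspicious"],
        "locked": sum(o.kind == "locked" for o in objects),
        "by_detection": Counter(o.detection for o in infected),
        # The same file name dropped in several directories (duo.exe here) is the
        # worm re-planting itself; every copy has to go in the same pass.
        "repeated_names": {n: c for n, c in names.items() if c > 1},
    }


def check_counts(stats: dict, objects: list[ScanObject]) -> list[str]:
    """Cross-check the statistics block against the object lines actually listed."""
    found = {k: sum(o.kind == k for o in objects) for k in ("infected", "suspicious")}
    return [f"{k}: header says {stats.get(k)}, lines list {v}"
            for k, v in found.items() if stats.get(k) != v]


if __name__ == "__main__":
    stats, objects = parse_report(SAMPLE_REPORT)
    print(summarize(objects), check_counts(stats, objects) or "counts consistent")
```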
Go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
If your computer does not restart automatically, please restart it manually.
Once back in Windows do another Kaspersky scan and post its new log along with a new HijackThis log please.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 04, 2007 8:49:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/04/2007
Kaspersky Anti-Virus database records: 291643
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 43300
Number of viruses found: 16
Number of infected objects: 51 / 0
Number of suspicious objects: 2
Duration of the scan process: 00:35:12
Infected Object Name / Virus Name / Last Action
C:\!KillBox\adirka.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\!KillBox\adirss.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\!KillBox\duo.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\!KillBox\duo.exe( 1) Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\!KillBox\pep.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\!KillBox\smt.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\april 4.doc Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007040420070405\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBB33.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC01E.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html Infected: Trojan-Downloader.Win32.Agent.bjk skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip/svchost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP542\A0046112.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0049978.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0049981.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0051998.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0052000.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054027.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054028.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054029.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054032.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054033.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054050.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054051.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054059.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054060.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP601\A0054075.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054211.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054212.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054213.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054214.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054215.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054216.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054217.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054218.EXE Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054219.exe Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054220.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054221.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054222.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054223.exe Infected: Email-Worm.Win32.Locksky.t skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054224.exe Infected: Packed.Win32.Klone.b skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054225.exe Infected: Trojan-Dropper.Win32.Agent.aax skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054226.dll Infected: Trojan-Downloader.Win32.Agent.zi skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054227.exe Infected: Trojan-Downloader.Win32.Tibs.bc skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054228.dll Infected: Email-Worm.Win32.Locksky.p skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054229.exe Infected: Trojan-Downloader.Win32.Small.asa skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054230.exe Infected: Trojan-Proxy.Win32.Small.di skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054231.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054253.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054254.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054255.exe Infected: Email-Worm.Win32.Zhelatin.ck skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054256.exe Infected: Email-Worm.Win32.Zhelatin.cj skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054257.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\A0054258.exe Infected: Email-Worm.Win32.Zhelatin.cl skipped
C:\System Volume Information\_restore{8D7B33E8-B5AA-42C5-9C14-7B00DA1EA453}\RP603\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\fcyxvs.dll Infected: Trojan.Win32.Agent.agv skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A3D02057-B7C1-4B64-B14A-AA919FD286A5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Logfile of HijackThis v1.99.1
Scan saved at 8:50:35 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | SoundService
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run- | Lexmark_X79-55
Files to delete:
C:\WINDOWS\fcyxvs.dll
C:\WINDOWS\a.bat
C:\WINDOWS\system32\fontqxet.dll
C:\WINDOWS\system32\msratnit.dll
C:\WINDOWS\system32\rasqervy.dll
C:\WINDOWS\system32\winupdat.dll
C:\WINDOWS\system32\winivfop.dll
C:\WINDOWS\system32\sdfinacs.dll
C:\WINDOWS\system32\grlib.dll
C:\WINDOWS\system32\kiscbxz.dat
C:\WINDOWS\system32\cscentfy.dll
C:\WINDOWS\system32\wuasirvy.dll
C:\WINDOWS\system32\appeng.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html
Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under "Script file to execute" choose "Input Script Manually".
[*] Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
[*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
[*] It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
[*] On reboot, it will briefly open a black command window on your desktop, this is normal.
[*] After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HjT log by using Add/Reply.
KotaGuy, a question pertaining to this guy's problem: have you had him stop his Windows Messenger yet (either by hand or with ShootTheMessenger)?
Because I know some of this malware is famous for redownloading through WM and causing popups through it.
File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe not found!
Deletion of file C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe failed!
Could not process line:
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe
Status: 0xc0000034
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html not found!
Deletion of file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html failed!
Could not process line:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html
Status: 0xc0000034
Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SoundService
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SoundService failed!
Status: 0xc0000034
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|Lexmark_X79-55 deleted successfully.
Originally posted by ska123:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yxmihomf
*******************
Script file located at: \??\C:\Documents and Settings\lrkqgkgm.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe not found!
Deletion of file C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe failed!
Could not process line:
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe
Status: 0xc0000034
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html not found!
Deletion of file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html failed!
Could not process line:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WN4JI7OB\CAU7IVA9.html
Status: 0xc0000034
Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SoundService
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SoundService failed!
Status: 0xc0000034
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|Lexmark_X79-55 deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
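The Avenger log above (posted by ska123 and quoted back by KotaGuy) reports `Status: 0xc0000034` for every failed deletion. That is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND: the temp file, the cached HTML and the `SoundService` Run value did not exist at the moment Avenger ran at boot, so those "failures" are not a sign that something blocked the deletion. A status such as STATUS_ACCESS_DENIED or STATUS_SHARING_VIOLATION would mean the opposite: something still holds the object and the entry needs another look. The following Python script is an added example, not part of this thread and not code from The Avenger; it parses log lines in the format shown above (the embedded sample is a constructed excerpt of that log) and sorts each target into deleted, already gone, or needs attention. The NTSTATUS table it carries is an assumed minimal subset, not an exhaustive list.

```python
import re

# Constructed sample in the format of the Avenger log posted in this thread.
SAMPLE_LOG = r"""
File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe not found!
Deletion of file C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe failed!
Could not process line:
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp.exe
Status: 0xc0000034
Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SoundService
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SoundService failed!
Status: 0xc0000034
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-|Lexmark_X79-55 deleted successfully.
Completed script processing.
"""

# Assumed minimal subset of NTSTATUS codes; extend as needed.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

FAIL_RE = re.compile(r"^Deletion of (file|registry value|registry key|driver) (.+) failed!$")
OK_RE = re.compile(r"^(File|Registry value|Registry key|Driver) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """Return one record per deletion attempt: kind, target, ok, status name.

    A 'Deletion of ... failed!' line opens a record; the next 'Status:' line
    closes it. 'deleted successfully' lines are recorded as successes.
    """
    results = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAIL_RE.match(line)
        if m:
            pending = {"kind": m.group(1), "target": m.group(2), "ok": False, "status": None}
            results.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            pending["status"] = NTSTATUS.get(code, f"0x{code:08X}")
            pending = None
            continue
        m = OK_RE.match(line)
        if m:
            results.append({"kind": m.group(1).lower(), "target": m.group(2), "ok": True, "status": None})
    return results


def triage(results):
    """Sort outcomes by what they mean for the cleanup.

    NAME/PATH_NOT_FOUND means the object was already gone when Avenger ran
    (volatile temp files, or an autorun entry whose name or key differs from
    the one scripted). Any other failure status means something still holds
    or protects the object and it needs a second look.
    """
    summary = {"deleted": [], "already_gone": [], "needs_attention": []}
    for r in results:
        if r["ok"]:
            summary["deleted"].append(r["target"])
        elif r["status"] in ("STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"):
            summary["already_gone"].append(r["target"])
        else:
            summary["needs_attention"].append((r["target"], r["status"]))
    return summary


if __name__ == "__main__":
    for bucket, items in triage(parse_avenger_log(SAMPLE_LOG)).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

Run against the sample, the Lexmark Run- value lands in `deleted`, the temp file and the `SoundService` value land in `already_gone`, and nothing needs attention. In this thread that matches what a fresh HijackThis log should confirm: if `SoundService` still appears there, the value lives under a different key or name than the one scripted.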
Logfile of HijackThis v1.99.1
Scan saved at 7:44:26 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Logfile of HijackThis v1.99.1
Scan saved at 8:42:31 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)