Panda Activescan log

How do I get rid of this Virus:vbs/psyme.gen? I cannot find any traces of it on my PC..?

Panda ActiveScan LoG

Incident................................................Status.....................Location

Virus:vbs/psyme.gen



Hijackthis.LoG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:41 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 1779 bytes

Comments

  • VekaVeka Finland
    edited January 2008
    Hello there.

    I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.
  • VekaVeka Finland
    edited January 2008
    Let's take a closer look at your system. :)

    Please download Deckard's System Scanner (DSS)

    Attention: You must be logged onto an account with administrator privileges.
    • Close all open applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open:
      • main.txt (this will be maximized)
      • extra.txt (this will be minimized)
    • Copy and paste the contents of main.txt and the extra.txt to your post in your reply.
  • edited January 2008
    vekarppe wrote:
    Let's take a closer look at your system. :)

    Please download Deckard's System Scanner (DSS)

    Attention: You must be logged onto an account with administrator privileges.
    • Close all open applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open:
      • main.txt (this will be maximized)
      • extra.txt (this will be minimized)
    • Copy and paste the contents of main.txt and the extra.txt to your post in your reply.

    I have downloaded the application, but, when I run it, it says that DSS has encountered a problem and must shut down. It's a prompt similar to that of an IE error and then asks me if I want to report it.
  • VekaVeka Finland
    edited January 2008
    That's weird.

    Can you run Combofix?

    Please download ComboFix from one of the locations below, and save it to your Desktop.

    Link 1
    Link 2
    Link 3

    Double click combofix.exe and follow the prompts.
    When finished, it shall produce a log for you. Post that log.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • edited January 2008
    ComboFix 08-01-03.3 - DaViD 2008-01-02 13:45:26.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.311 [GMT -8:00]
    Running from: C:\Documents and Settings\DaViD\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\NetworkService\Application Data\NetMon
    C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
    C:\Program Files\America Online 9.0\AOL.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\WINDOWS\QmVsbG8\
    C:\WINDOWS\system32\atmtd.dll.tmp
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\gebxwvv.dll
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\rqtss.ini2
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\sstqr.exe
    C:\WINDOWS\system32\thumoixb.dll
    "C:\Program Files\America Online 9.0\AOL .EXE" replaces infected copy of "C:\Program Files\America Online 9.0\AOL.EXE"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial .exe" replaces infected copy of "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
    "C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
    "C:\WINDOWS\system32\igfxtray .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
    "C:\WINDOWS\system32\dla\tfswctrl .exe" replaces infected copy of "C:\WINDOWS\system32\dla\tfswctrl.exe"
    
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_CMDSERVICE
    \LEGACY_CORE
    \LEGACY_NETWORK_MONITOR
    \cmdService
    \core
    \Network Monitor


    ((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
    .

    2008-01-02 13:36 . 2000-08-31 08:00 51,200 --a C:\WINDOWS\NirCmd.exe
    2008-01-02 13:28 . 2008-01-02 13:28 155,648 --a C:\WINDOWS\system32\igfxtray.exe
    2008-01-02 13:28 . 2008-01-02 13:28 114,688 --a C:\WINDOWS\system32\hkcmd.exe
    2008-01-01 23:13 . 2008-01-01 23:13 7,168 --ahs---- C:\WINDOWS\Thumbs.db
    2008-01-01 22:08 . 2008-01-01 22:08 <DIR> d C:\WINDOWS\system32\pp1
    2008-01-01 22:08 . 2008-01-01 22:27 <DIR> d C:\WINDOWS\system32\mr9
    2007-12-31 20:06 . 2008-01-01 23:38 <DIR> d C:\WINDOWS\system32\ActiveScan
    2007-12-31 20:06 . 2008-01-01 22:54 30,590 --a C:\WINDOWS\system32\pavas.ico
    2007-12-31 20:06 . 2008-01-01 22:54 2,550 --a C:\WINDOWS\system32\Uninstall.ico
    2007-12-31 20:06 . 2008-01-01 22:54 1,406 --a C:\WINDOWS\system32\Help.ico

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-03 21:55 d w C:\Program Files\America Online 9.0
    2008-01-02 07:30 d w C:\Program Files\Dell AIO Printer A940
    2008-01-02 07:30 d w C:\Program Files\Common Files\aolshare
    2008-01-01 06:03 d w C:\Program Files\Common Files\Scanner
    2007-11-21 17:37 d w C:\Documents and Settings\DaViD\Application Data\Sonic
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2008-01-02 13:29 50776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-02 13:28 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-02 13:28 114688]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 02:00 122880 C:\WINDOWS\BCMSMMSG.exe]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-02 13:28 114741]
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2008-01-02 13:28 34904]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-10 19:51 39792 --a C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    C:\Program Files\America Online 9.0\AOL.EXE -b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLAspSunset2]
    C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    2008-01-02 13:28 34904 --a C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
    2003-06-25 07:29 294998 --a C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2006-03-10 14:22 48280 --a C:\Program Files\Common Files\AOL\1189032304\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)


    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-03 13:56:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-03 13:57:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-03 21:57:08
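The "Other Deletions" section of the ComboFix log above is what the helper read to recognise a file infector: every "replaces infected copy of" line pairs a legitimate binary with a backup named with a space before the extension (`hkcmd .exe` beside `hkcmd.exe`), and several of those binaries are exactly the targets of the HKLM Run values listed further down the log. The following Python is an added triage example written for this page, not ComboFix's own code or anything the helper posted: it parses a constructed excerpt of that section (paths copied from the log), checks each pair for the space-before-extension pattern, and cross-references the infected paths against a constructed subset of the Run values. The function and constant names are assumptions of this example.

```python
import ntpath
import re

# Constructed excerpt modelled on the "Other Deletions" section of the
# ComboFix log posted above (paths copied from that log).
OTHER_DELETIONS = r'''
C:\WINDOWS\QmVsbG8\
C:\WINDOWS\system32\gebxwvv.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.exe
"C:\Program Files\America Online 9.0\AOL .EXE" replaces infected copy of "C:\Program Files\America Online 9.0\AOL.EXE"
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\dla\tfswctrl .exe" replaces infected copy of "C:\WINDOWS\system32\dla\tfswctrl.exe"
'''

# Constructed subset of the HKLM\...\Run values from the log's "Reg Loading Points".
RUN_VALUES = {
    "IgfxTray": r"C:\WINDOWS\System32\igfxtray.exe",
    "HotKeysCmds": r"C:\WINDOWS\System32\hkcmd.exe",
    "dla": r"C:\WINDOWS\system32\dla\tfswctrl.exe",
    "AOLDialer": r"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe",
}

REPLACE_RE = re.compile(
    r'^"(?P<backup>[^"]+)" replaces infected copy of "(?P<infected>[^"]+)"$')


def parse_other_deletions(text):
    """Return (deleted_paths, [(backup, infected), ...]) from the section text."""
    deleted, replaced = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REPLACE_RE.match(line)
        if m:
            replaced.append((m.group("backup"), m.group("infected")))
        else:
            deleted.append(line)
    return deleted, replaced


def is_space_before_ext(backup, infected):
    """True when the backup is the infected file's name with a space inserted
    before the extension ('hkcmd .exe' next to 'hkcmd.exe'), the pattern every
    replacement line in the posted log shows. ntpath handles Windows paths on any OS."""
    b_dir, b_name = ntpath.split(backup)
    i_dir, i_name = ntpath.split(infected)
    if ntpath.normcase(b_dir) != ntpath.normcase(i_dir):
        return False
    b_stem, b_ext = ntpath.splitext(b_name)
    i_stem, i_ext = ntpath.splitext(i_name)
    return (b_ext.lower() == i_ext.lower()
            and b_stem.endswith(" ")
            and b_stem.rstrip(" ") == i_stem)


def autoruns_pointing_at_infected(run_values, replaced):
    """Names of Run values whose target was one of the infected copies
    (case-insensitive path comparison, as Windows does it)."""
    infected = {ntpath.normcase(p) for _, p in replaced}
    return sorted(name for name, path in run_values.items()
                  if ntpath.normcase(path) in infected)


if __name__ == "__main__":
    deleted, replaced = parse_other_deletions(OTHER_DELETIONS)
    print(f"{len(deleted)} plain deletions, {len(replaced)} replaced binaries")
    for backup, infected in replaced:
        tag = "space-before-ext backup" if is_space_before_ext(backup, infected) else "other"
        print(f"  {infected}  <-  {backup}  [{tag}]")
    print("Run values that launched an infected copy:",
          autoruns_pointing_at_infected(RUN_VALUES, replaced))
```

Run as-is it reports three replaced binaries, all matching the space-before-extension pattern, and names `HotKeysCmds` and `dla` as autoruns that were launching infected copies; on a full log the same cross-reference tells you which startup entries to re-verify after the repair.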
  • VekaVeka Finland
    edited January 2008
    It worked! :clap:

    And it seems like you have a very new infection called Vundo file infector.

    Please do the following...
    1. Download RenV.exe by sUBs to your desktop
    2. Double click on it to run it
    3. It will search your system drive looking for any modified .exe file and will produce a log for you.
    4. Please attach this report to your reply (Do not copy and paste)
  • edited January 2008
    Ran on Fri 01/04/2008 -  8:36:20.31
    
     Entries:                0  (0)
     Directories:            0  Files:             0
     Bytes:                  0  Blocks:            0
    
  • edited January 2008
    Newest Panda ActiveScan Log
    Incident Status Location

    Virus:vbs/psyme.gen Not disinfected Operating system
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\DaViD\Cookies\david@advertising[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\DaViD\Cookies\david@atdmt[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\DaViD\Cookies\david@questionmarket[1].txt
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\DaViD\Desktop\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\DaViD\Desktop\ComboFix.exe[nircmd.cfexe]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\MuMz\Cookies\mumz@advertising[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MuMz\Cookies\mumz@atdmt[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\MuMz\Cookies\mumz@atwola[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\MuMz\Cookies\mumz@questionmarket[2].txt
    Virus:Trj/Dropper.ZN Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\sstqr.exe.vir
    Hacktool:Rootkit/Agent.HNI Not disinfected C:\QooBox\Quarantine\catchme2008-01-03_135559.03.zip[core.sys]
    Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2008-01-03_135559.03.zip[sstqr.dll]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
  • VekaVeka Finland
    edited January 2008
    Hello. Looks good! :cool:


    STEP #1

    Please remove these folders (if present):

    C:\WINDOWS\system32\pp1
    C:\WINDOWS\system32\mr9


    STEP #2

    I'd like you to do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    STEP #3

    After all that, please post back with how things went as well as Kaspersky's log and a new HijackThis log.
  • edited January 2008
    There is no Kaspersky Online Scanner link to click on. Am I not seeing it due to some setting on my browser? It does not appear on the web page at all. I've been looking for an hour now.
  • VekaVeka Finland
    edited January 2008
    Make sure you're using Internet Explorer. Try clearing your cache (CTRL + F5).

    Does this help?
  • edited January 2008
    Still no luck. I am using IE. I don't get it. I feel like your avatar at the moment..
  • VekaVeka Finland
    edited January 2008
    Yeah, I know the feeling. :banghead:

    OK, forget Kaspersky.

    Post a fresh HijackThis log. Let's see what it says. :)
  • edited January 2008
    I changed the geographic location to Global and the link to the online scanner worked..

    KASPERSKY ONLINE SCANNER REPORT
    Friday, January 04, 2008 12:52:55 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 4/01/2008
    Kaspersky Anti-Virus database records: 502545

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 23682
    Number of viruses found: 14
    Number of infected objects: 35
    Number of suspicious objects: 0
    Duration of the scan process: 00:15:26

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\APP10393.LST Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\clsleeper97\MyDB.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\clsleeper97\toolbar.lst Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\SNMaster.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\CACHE\clsleeper00 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\cl sleeper97.abi Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\cl sleeper97.aby Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\clsleeper97 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_2224aad2-bc93-4ec6-a627-c720d39998a5 Object is locked skipped
    C:\Documents and Settings\DaViD\Application Data\AOL\C_America Online 9.0\IDB\Apps.Lst Object is locked skipped
    C:\Documents and Settings\DaViD\Application Data\AOL\C_America Online 9.0\IDB\art.idx Object is locked skipped
    C:\Documents and Settings\DaViD\Application Data\AOL\C_America Online 9.0\IDB\sap.dat Object is locked skipped
    C:\Documents and Settings\DaViD\Application Data\AOL\C_America Online 9.0\IDB\spool.lst Object is locked skipped
    C:\Documents and Settings\DaViD\Application Data\AOL\C_America Online 9.0\IDB\sysnews.lst Object is locked skipped
    C:\Documents and Settings\DaViD\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\DaViD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\DaViD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\DaViD\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\DaViD\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\DaViD\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\DaViD\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\AOL\ACS\US\static Object is locked skipped
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080101-224258-297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgw skipped
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080101-224519-995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgw skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015274.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015275.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015275.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015276.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015277.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015277.exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015277.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015278.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015279.exe Infected: Trojan.Win32.Pakes.bvs skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015280.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015281.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015284.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015285.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP101\A0015348.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP101\A0015350.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP101\A0015351.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP101\A0015352.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP101\A0015357.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP102\A0015376.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP102\A0015377.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP102\A0015379.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP102\A0015380.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP102\A0015381.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015404.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015405.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015406.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015407.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015408.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015409.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015426.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgw skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015427.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP106\A0016527.exe Infected: Trojan-Downloader.Win32.Small.hkt skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP106\change.log Object is locked skipped
    C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP98\A0015172.dll Infected: Trojan-Downloader.Win32.Bojo.e skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
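The helper's "Looks good!" after this report rests on where the 35 infected objects sit: every "Infected:" line points into a System Restore snapshot (`System Volume Information\_restore...`) or into HijackThis's own backup folder, and the "Object is locked" lines are just files the on-line scanner could not open. The Python below is an added example for this page (not Kaspersky's output format specification or anything the helper posted) that automates that reading: it parses a constructed excerpt of the report above, drops locked objects and the per-archive "NSIS: infected - N" summary lines (their members are listed separately), and buckets each hit as restore-point, HijackThis backup, quarantine or live. A separately constructed line is appended in the test to show what a live hit looks like; the location labels and function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt: a handful of lines copied from the Kaspersky Online
# Scanner report posted above (the full report has 35 infected objects).
REPORT_EXCERPT = r'''
C:\Documents and Settings\DaViD\NTUSER.DAT Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080101-224258-297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dgw skipped
C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015274.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015275.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP100\A0015275.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{16CAEC1A-6642-44C9-AD7C-EB9F3ABE3F9B}\RP104\A0015404.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
'''

# Constructed line, NOT from the report: a placeholder live hit so the
# "live" bucket can be exercised. Path and detection name are made up.
CONSTRUCTED_LIVE_HIT = r'''
C:\WINDOWS\system32\placeholder_example.dll Infected: Trojan.Win32.Placeholder.example skipped
'''

LINE_RE = re.compile(
    r'^(?P<obj>.+?) (?:Infected: (?P<name>\S+)'
    r'|(?P<locked>Object is locked)'
    r'|NSIS: infected - (?P<members>\d+)) skipped$')


def parse_report(text):
    """Return [(object_name, detection_name)] for real hits only."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m.group("locked") or m.group("members"):
            continue  # header line, unreadable object, or archive summary
        hits.append((m.group("obj"), m.group("name")))
    return hits


def classify(obj):
    """Bucket an object path by whether it can still execute on the live system."""
    low = obj.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"      # only revived by a System Restore rollback
    if "\\hijackthis\\backups\\" in low:
        return "hijackthis-backup"  # copies HijackThis keeps of entries it fixed
    if low.startswith("c:\\qoobox\\"):
        return "quarantine"         # ComboFix quarantine
    return "live"


def triage(text):
    hits = parse_report(text)
    return {
        "total": len(hits),
        "by_location": dict(Counter(classify(obj) for obj, _ in hits)),
        "by_detection": dict(Counter(name for _, name in hits)),
        "live": [(obj, name) for obj, name in hits if classify(obj) == "live"],
    }


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    print(result["total"], "hits by location:", result["by_location"])
    print("live hits:", result["live"] or "none")
```

With the excerpt alone `live` is empty, which is the condition behind the helper's verdict; what remains is to flush the restore points and HijackThis backups so an accidental rollback cannot bring the samples back.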
  • VekaVeka Finland
    edited January 2008
    Good! Would you please post a fresh HijackThis log also. :)
  • edited January 2008
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:46:50 PM, on 1/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27E98478-E7C8-49D3-8555-57ACDB337580}: NameServer = 205.188.146.145
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

    --
    End of file - 2245 bytes
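The helper judged this log "clean" by comparing it with the one at the top of the thread: the only new entries are the Kaspersky scanner's O16 ActiveX download and an O17 NameServer value. Below is an added Python example written for this page (not HijackThis's own code, and not something the helper posted) that does that comparison mechanically: it parses the `Oxx - ...` entries of both logs as copied from this thread, reports entries added or removed between them, and lists the O16 and O17 items a reviewer should verify by hand, since a NameServer pointing at a DNS server the user's ISP does not own is a common hijack indicator. The second log's entries are the first's plus the two new lines, so the example builds it that way; function and constant names are assumptions of this example.

```python
import re

# Entry section of the first HijackThis log in this thread (31 Dec 2007), copied from the page.
LOG_BEFORE = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
'''

# The 4 Jan 2008 log contains the same entries plus these two (copied from the page).
NEW_IN_SECOND_LOG = r'''
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27E98478-E7C8-49D3-8555-57ACDB337580}: NameServer = 205.188.146.145
'''
LOG_AFTER = LOG_BEFORE + NEW_IN_SECOND_LOG

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d., ]+)")
DPF_URL_RE = re.compile(r"- (?P<url>https?://\S+)$")


def parse_entries(text):
    """Map HijackThis section code (O2, O4, ...) to the set of entry bodies."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.setdefault(m.group("section"), set()).add(m.group("body"))
    return entries


def diff_logs(before, after):
    """Return (added, removed): section -> sorted list of entry bodies."""
    b, a = parse_entries(before), parse_entries(after)
    sections = set(a) | set(b)
    added = {s: sorted(a.get(s, set()) - b.get(s, set())) for s in sections}
    removed = {s: sorted(b.get(s, set()) - a.get(s, set())) for s in sections}
    return ({s: v for s, v in added.items() if v},
            {s: v for s, v in removed.items() if v})


def review_flags(log):
    """Items a reviewer verifies by hand: DNS servers (O17) and ActiveX downloads (O16)."""
    entries = parse_entries(log)
    flags = []
    for body in sorted(entries.get("O17", ())):
        m = NAMESERVER_RE.search(body)
        if m:
            flags.append(("O17", "confirm these DNS servers belong to the ISP: "
                          + m.group("servers").strip()))
    for body in sorted(entries.get("O16", ())):
        m = DPF_URL_RE.search(body)
        flags.append(("O16", "ActiveX control downloaded from "
                      + (m.group("url") if m else body)))
    return flags


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added:", added)
    print("removed:", removed)
    for section, detail in review_flags(LOG_AFTER):
        print(f"[{section}] {detail}")
```

Run on these two logs the diff shows nothing removed and two additions, and the flags list the two scanner ActiveX controls plus the 205.188.146.145 NameServer, which is the one item the thread never explicitly checked.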
  • VekaVeka Finland
    edited January 2008
    Looks clean.

    It appears you don't have an antivirus or firewall running.

    Download one Antivirus below:

    AntiVir PE Classic
    AVG Free Edition

    and one Firewall:

    Sunbelt Personal Firewall

    ZoneAlarm Firewall Free

    Install both and reboot.

    How is your computer running now? Any problems?
  • edited January 2008
    Computer seems to be running normal. The only firewall enabled is the crappy Windows XP one that comes with this OS. Curious as to why, when I run a Panda Activescan, it says that a virus has been detected? It is the same one on my first post of this thread.
    Panda ActiveScan LoG

    Incident................................................Status.....................Location

    Virus:vbs/psyme.gen

    Is this a trace of the infection, or a left-over file? I will be purchasing an anti-virus in the next couple of days. Any suggestions?
  • VekaVeka Finland
    edited January 2008
    Hello iJ.

    Please print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.


    Please download

    CCleaner
    AVG Anti-Spyware


    STEP #1

    Install and run CCleaner.

    CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history.

    • Launch CCleaner and under Options > Advanced > uncheck "Only delete files in Windows Temp folder older than 48 hours".
    • A pop up box will appear advising this process will permanently delete files from your system.
    • To protect logon cookies that you wish to retain, under Options > Cookies. Select and using the arrow move those cookies to the "Cookies to keep" column.
    • Then select the items you wish to clean up.
      • In the Windows Tab:
        • Clean all entries in the "Internet Explorer" section.
        • Clean all the entries in the "Windows Explorer" section.
        • Clean all entries in the "System" section.
        • Clean all entries in the "Advanced" section.
        • Clean any others that you choose.
      • In the Applications Tab:
        • Clean all in the Firefox/Mozilla section if you use it.
        • Clean all in the Opera section if you use it.
        • Clean Sun Java in the Internet Section.
        • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
    • Click the "Run Cleaner" button and it will scan and clean your system.
    • Click exit.
    • Restart the computer.
    Jahewi's CCleaner guide.

    http://www.jahewi.nl/ccleaner/quick/quick.html


    STEP #2

    Configure and update AVG Anti-Spyware
    • Install and start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" it reads Quarantine (if not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" select DO NOT Automatically generate report after every scan and uncheck Only if threats were found.
      • Under "What to scan?" select Scan every file
    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware (do not scan yet)
    Reboot into Safe Mode
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, a menu with options should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account.
    Run AVG Anti-Spyware
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Registry Scan
    • Let the program scan the machine
      (do NOT use the computer while scanning)
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine (if not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop and post here
  • TroganTrogan London, UK
    edited January 2008
    Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you. This topic is now closed.

    Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead (grin)