Trojans and Worms - yuk yuk

I created this thread in the Viruses / Trojans / Spyware conference, see URL below:

http://discussions.virtualdr.com/sho...62#post1142862

As you can see I ran the Kaspersky online Scan, which does not have autoclean but I was able to save the file in htm format. I have not run two other online scanners or Trojan Scanner because Han suggested that I go ahead and create a HJT log, which is posted below. I tried twice to run Trojan Scanner and got an error both times.

Quote:

---

The only one that I'm not sure about is ActiveScan\qrvkrn.ini ... submit that ini file here..

http://virusscan.jotti.org/

---

Han, per your request, I did a search for qrvkm.ini, but there is no ini file with this name on my computer.

Hopefully, Han is correct that this is a reasonably easy cleanup process. I deleted temporary internet files in IE and in Java. Does this also need to be done in FireFox? Then I ran the HJT log below.

Thanks for your help.

Linda

_________________

Logfile of HijackThis v1.99.1
Scan saved at 2:53:20 PM, on 4/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
D:\Programs\Panda Platinum 7 - 2007\Firewall\PavFires.exe
D:\Programs\Panda Platinum 7 - 2007\pavsrv50.exe
D:\Programs\Panda Platinum 7 - 2007\AVENGINE.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\programs\qttask.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
D:\Programs\Nero InCD Packet-Writing\InCD.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Programs\Panda Platinum 7 - 2007\APVXDWIN.EXE
C:\Program Files\Firetrust\Benign\B9.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Programs\Adobe\Distillr\acrotray.exe
D:\Programs\SnagIt 8.2\SnagIt32.exe
D:\Programs\SpywareGuard 2.2\SpywareGuard\sgmain.exe
D:\Programs\SnagIt 8.2\TSCHelp.exe
D:\Programs\SnagIt 8.2\SnagPriv.exe
D:\Programs\SpywareGuard 2.2\SpywareGuard\sgbhp.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Program Files\Outlook Express\msimn.exe
D:\Programs\FireFox 1.5.0.2\firefox.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Programs\TrojanHunter 4.6\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Programs\Microsoft Office 2003\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.salon.com/
O1 - Hosts: 127.98.9.2 mail.ntpcug.org.b9
O1 - Hosts: 127.98.9.1 postoffice.swbell.net.b9
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Programs\SnagIt 8.2\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Programs\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard 2.2\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1.1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar7.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: ieCom Class - {C6CEAC32-D45C-11D4-94AF-0050BABD5FD6} - D:\Programs\URL Organizer\UrlOrgIE.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - D:\Programs\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar7.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Programs\SnagIt 8.2\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\programs\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MailWasher] D:\Programs\MailWasher Pro\MailWasher Pro\MailWasher.exe
O4 - HKLM\..\Run: [InCD] D:\Programs\Nero InCD Packet-Writing\InCD.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "D:\Programs\Panda Platinum 7 - 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Programs\Panda Platinum 7 - 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "D:\Programs\TrojanHunter 4.6\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [b9] C:\Program Files\Firetrust\Benign\B9.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: MailWasherPro.lnk = D:\Programs\MailWasher Pro\MailWasher Pro\MailWasher.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Programs\Microsoft Office 2003\OFFICE11\ONENOTEM.EXE
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard 2.2\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programs\Adobe\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Programs\Microsoft Office 2003\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: NTI Ninja.lnk = D:\Programs\NTI Ninja - USB partitioning encryption\Open.exe
O4 - Global Startup: SnagIt 8.lnk = D:\Programs\SnagIt 8.2\SnagIt32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\OfficeXP\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - D:\Programs\ACRONI~1.0\ACRONI~1\Blocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - D:\Programs\ACRONI~1.0\ACRONI~1\Blocker.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programs\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-do...ard3.0.4.3.cab
O16 - DPF: {13991839-0420-11D5-BDA3-00A0C982BA51} (PDAnalyzeCtrl Class) - http://www.raxco.com/analyze/PDWeb.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/de.../GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123599823452
O16 - DPF: {88E48871-88E6-4480-9921-F1EC4EB9AB74} (FileReadCtrl Class) - http://www.raxco.com/fileaccesstimer/WebTimedRead.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://msdn.demoservers.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://msevents.webex.com/client/la...ex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25BC6CAC-69EC-457A-BA35-E4E1A902C98A}: NameServer = 151.164.1.8 206.13.28.12
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - D:\Programs\Panda Platinum 7 - 2007\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - D:\Programs\Panda Platinum 7 - 2007\pavsrv50.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe

Did you place quicktime here;
D:\programs\qttask.exe

==

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Chrunchie,

I probably did d/l QT because some website or program required it.

Here is the ComboFix log that I just ran per instructions.

Linda

________________


"Administrator" - Sun 04/01/2007 16:29:50 Service Pack 4
ComboFix 07-03-27.4.2 - Running from: "D:\Programs\TechSupport Forum - Chrunchie VDR"


((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))


2007-04-01 12:04
d-------- C:\HJT
2007-03-29 00:40 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_72c.dat
2007-03-29 00:39 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_350.dat
2007-03-09 21:15 336 --a------ C:\Program Files\temp995.bat
2007-03-09 17:12
d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\pdf995
2007-03-09 17:04 51,716 --a------ C:\WINNT\SYSTEM32\pdf995mon.dll
2007-03-09 17:04 122,880 --a------ C:\WINNT\SYSTEM32\pdfmona.dll
2007-03-09 17:04
d-------- C:\Program Files\pdf995
2007-03-09 17:04
d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\pdf995
2007-03-09 17:03
d-------- C:\pdf995
2007-03-09 13:37 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_354.dat
2007-03-09 13:16
d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-08 14:24
d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Viewpoint


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-09 11:44 -------- d--h----- C:\Program Files\installshield installation information
2007-02-26 17:01 16384 --a----t- C:\WINNT\SYSTEM32\perflib_perfdata_6f4.dat
2007-02-10 18:09 -------- d-------- C:\Program Files\google
2007-01-21 21:30 16384 --a----t- C:\WINNT\SYSTEM32\perflib_perfdata_70c.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"b9"="C:\\Program Files\\Firetrust\\Benign\\B9.exe /minimize"
"ctfmon.exe"="ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"TCASUTIEXE"="TCAUDIAG -off"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"UpdReg"="C:\\WINNT\\Updreg.exe"
"AtiPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"QuickTime Task"="\"D:\\programs\\qttask.exe\" -atboottime"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"MailWasher"="D:\\Programs\\MailWasher Pro\\MailWasher Pro\\MailWasher.exe"
"InCD"="D:\\Programs\\Nero InCD Packet-Writing\\InCD.exe"
"DIAGENT"="C:\\Program Files\\Creative\\SBLive2k\\Creative Diagnostics 2.0\\DIAGENT.EXE startup"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AHQInit"="C:\\Program Files\\Creative\\SBLive2k\\Program\\AHQInit.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Mell Reg Reminder"=""
"SCANINICIO"="\"D:\\Programs\\Panda Platinum 7 - 2007\\Inicio.exe\""
"APVXDWIN"="\"D:\\Programs\\Panda Platinum 7 - 2007\\APVXDWIN.EXE\" /s"
"Ninja"=""
"THGuard"="\"D:\\Programs\\TrojanHunter 4.6\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Sun 2007-04-01 16:35:30

When I first started researching this problem, I thought that I would uninstall the most recent programs that I had downloaded. One of those programs is pdf995 but it is NOT listed when I go to the "Remove Programs" function. I have found several other programs that do not show up in this list either, one of which is a replacement program for Acrobat Reader, which was recommended here at VDR. I don't remember the name right now.

Linda

Foxit reader is what it was :)

Fink,

You are right. It is Foxit. Can you please explain to me why this program does not appear in the list of "add/remove Programs"?

Thanks,

Linda

Have you logged in as administrator to have a look at the add/remove list? Might be worth a try.

That combofix log looks ok. Can you try the following now please;

Please download VundoFix.exe
to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

Fink,

FoxIt is not on the "Add/Remove Programs" list, when I am logged in as administrator. Why?

Chrunchie,

I will post the log as soon as it is finished.

Thanks,

Linda

Quote:

---

FoxIt is not on the "Add/Remove Programs" list, when I am logged in as administrator. Why?

---

I don't know but the info for that list is in the registry here...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Uninstall

Would be worth having a look to see if it corresponds with what showing in the windows interface. If there's recent corruption in those reg entries that could be the cause. A system restore should fix it but I wouldn't do that in the middle of the procedure(s) to search/eliminate possible malware... when that's sorted you could reinstall the missing programs to see if it places the entry back where it's supposed to be in add/remove.

Chrunchie,

I downloaded VundoFix.exe and saved it as one of my programs in Windows Explorer. I ran the program and it found NO infected files but Vundo did not reboot my system, so I decided I had better do everything exactly as you stated.

So I downloaded the program again, this time to my desktop and ran it. Again no infected files were found and when I clicked remove Vundo, a dialog box popped up that said it was closing Vundo. My system did not go black and it did not reboot.

Likewise no file was generated, probably because no infected files were found.

Anyway, that is my report.

Do I need to uninstall VundoFix?

Linda

You should just be able to delete it.
Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following:

* Click on FileFind.exe
* In the box labeled "Enter the directory to search"
o Enter Drive eg.. C:\
* In the box labeled "Enter the file to search"
o Enter qrvkrn to search for the file
* Now click on the "Find" button
* Once the utility has found the files click on "Export"
* This will save a text file to your C:\ drive as "Export.txt"
* Do the same for this one; mkvrq
* Double click on Export.txt, copy and paste this information in your next post

Crunchie,

I have two hard drives on this computer and I did a search on both hard drives for

mkvrq
qrvkrn

and FileFind did not find either file. This is assuming that I entered these file names correctly.

Because FileFind did not find anything, there was no information to export.

What are these files?

Thanks Crunchie.

Linda

The file name looks very much like what Vundo creates. Some are also named in the reverse order of letters. The file name is the one you posted in your first post.
Are you still having the same problem?

Crunchie,

That was based on a post by HAN, where he reviewed the results (in my other thread) about the Kaspersky online scan.

Yes, I am still having the problems.

Thanks,

Linda