Full Version: Infected Logo_1.exe, philis, and maybe more.
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
TWBRN
I've found instances of several viruses in many locations. In searching for answers, I stumbled across a forum discussion here which referenced the program Logo1_.exe. This program exists on my machine despite numerous tries to remove it. From the forum I found and ran the McAfee stinger program for the philis virus, and that produces over 4000 infected desktop.ini files.
The results from a scan using Command Anti-virus indicate that there are several .exe files (mostly in the I386 folder) that are infected with what it refers to as CrazyCrunch-Based!Maximus, but that it is as yet unable to remove this infection. Whenever I find methods to remove the logo1_.exe program (including a .dll and another program that appears with it as well) and all of the philis files, they simply re-appear from running the programs that are indicated as Maximus viruses. (many of these are system-critical processes, and cannot be avoided).

I realize that I'm probably fighting a losing battle, but feel that I need to try. The help on the forum post I found was very kind and competent, and I thought perhaps you would be of help.

Here is the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:08 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Sonique\sqstart.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ty\Desktop\Ty's Stuff\Installers\tools\Philis-stinger\stinger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ty\Desktop\Ty's Stuff\Installers\tools\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: EverNote.lnk = C:\Program Files\EverNote\EverNote\EverNote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Thanks again.

-TWBRN
Bobbi Flekman
Hi TWBRN,

You are running multiple anti-virus programs. These programs don't like playing with each other, so they will leave you less secure than you'd want to be. In other words, get rid of the others so you just have one running in resident mode. The others you can keep and use to scan your discs on demand.

When you've gotten rid of the others can you run Stinger again? Tell me how it worked out.
TWBRN
Thanks for your quick response.

When I leaned down the number of anti-virus programs I had running, I was shocked to discover that none of them were actively monitoring. I suppose I'm reaping the results of my negligence.

I'm currently running new scans, but while they're finishing, I thought I'd post what the hjt log looks like right when I turn the computer on. (The one I posted before was after some cleaning, and the stinger scan). The only entry on the log that worries me (there may be more) is in bold.

Logfile of HijackThis v1.99.1
Scan saved at 1:29:07 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ty\Desktop\Ty's Stuff\Installers\tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: EverNote.lnk = C:\Program Files\EverNote\EverNote\EverNote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

I'll post again with how the scans worked.

-TWBRN
TWBRN
My computer is starting to look a lot better. Hopefully we can take it the last few steps here.

The stinger program returned some 60 desktop.ini files infected with philis, and they were removed. Thus far, they have not returned.

Command was able to quarantine all the files that were showing up as affected with the Maximus virus, and they have not returned either.

Command anti-virus is capable of detecting the logo1_.exe and rundl132.exe whenever they try to return and re-infect everything, so the infections are not returning whenever I load programs. However, every time I do load a program Command has to intervene to prevent the programs from returning. There is still something undetected that is trying to infect things once more.

If anyone has any ideas, I'm happy to give them a try.

Thanks again for your help up to this point.

-TWBRN
Bobbi Flekman
Hi TWBRN,

Looks good.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
Run HijackThis, click on "Scan" and check the boxes next to all these items.

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\rundl132.exe
C:\WINDOWS\logo1_.exe
C:\WINDOWS\dll.dll

Restart your computer and post a new log in this thread.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it on your Desktop.

CODE
dir c:\vDll.dll /s /a:hs > Output.txt
notepad Output.txt


Locate Export.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
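The fix above rests on reading the HijackThis log for the entries that do not belong: the F3 win.ini load= hook, the dropped files named in this thread (rundl132.exe, logo1_.exe, dll.dll, vDll.dll), and services whose binary is reported missing. The script below is an added example, not part of the thread and not a HijackThis feature: it parses HJT v1.99-style entry lines by their section prefix and applies exactly those three checks. The sample log is a constructed excerpt built from lines in this thread, and the file-name list is limited to names the thread mentions rather than a general blocklist.

```python
"""Triage a HijackThis v1.99-style log for the indicators discussed in this thread.

Added example (not HijackThis code). Checks applied to each entry line:
  1. F3 entries carrying a win.ini/system.ini load= or run= hook (legacy autostart,
     rarely legitimate on XP; the rundl132.exe persistence in this thread used it),
  2. any entry whose .exe/.dll file name matches a file named in the thread,
  3. O23 services whose binary is reported "(file missing)".
"""
import re
from dataclasses import dataclass, field
from typing import List

# File names taken from the thread itself (assumption: nothing beyond these).
KNOWN_DROPPED = {"rundl132.exe", "logo1_.exe", "dll.dll", "vdll.dll"}

# "R0 - ...", "F3 - ...", "O23 - ..." entry lines; headers and process paths are skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Any token ending in .exe or .dll, with or without a drive path in front of it.
FILE_TOKEN_RE = re.compile(r'[^\s"\[\]]+\.(?:exe|dll)\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def basenames(body):
    """Lower-case file names of every .exe/.dll token in an entry body."""
    return {tok.rsplit("\\", 1)[-1].lower() for tok in FILE_TOKEN_RE.findall(body)}


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each HJT entry line in the log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def triage(log_text):
    """Return one Finding per entry that trips at least one of the three checks."""
    findings = []
    for sec, body, raw in parse_entries(log_text):
        reasons = []
        if sec == "F3" and re.search(r"\b(load|run)=", body, re.IGNORECASE):
            reasons.append("win.ini/system.ini load=/run= autostart hook")
        hits = basenames(body) & KNOWN_DROPPED
        if hits:
            reasons.append("references file named in this thread: " + ", ".join(sorted(hits)))
        if sec == "O23" and "(file missing)" in body:
            reasons.append("service registered but binary missing; review the service entry")
        if reasons:
            findings.append(Finding(sec, raw, reasons))
    return findings


# Constructed excerpt assembled from lines that appear in this thread's logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

Run it against a saved hijackthis.log with `triage(open("hijackthis.log").read())`; on the excerpt it flags only the F3 line (two reasons) and the MySQL service with the missing binary, and leaves the Java, ATI and Wacom entries alone.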
TWBRN
I have to start with a giant thank you, Bobbi. Three days ago I was ready to format my hard drive, and now it looks like we might have this cleaned up.

The Logo1_.exe and rundl32.exe have stopped installing whenever I run programs as soon as Java was replaced. Because of Command, the files you asked me to delete were not there.

Here is the new hjt:

Logfile of HijackThis v1.99.1
Scan saved at 12:09:12 PM, on 2/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ty\Desktop\Ty's Stuff\Installers\tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = webmail.mines.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: EverNote.lnk = C:\Program Files\EverNote\EverNote\EverNote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

and the output for the export.bat:

Volume in drive C has no label.
Volume Serial Number is ACA7-8650

Let me know if there's anything else that you think I need to do. I'll keep an eye out, but right now there are no noticeable symptoms.

Thanks again,

-TWBRN
Bobbi Flekman
Hi TWBRN,

The log looks clean, but I would like to test it anyway.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the button
  • A new window will open.
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on to start the scan
  • When the scan completes, if anything malicious is detected, click the button, and save it to a convenient location. Post the contents of the ActiveScan report
TWBRN
I may have spoken too soon, there is still something trying to install Logo1_.exe and rundl32.exe whenever I launch certain applications.

I'm away from the infected computer right now, but as soon as I get back to it I'll run the panda scan.

Thanks again for the help,

-TWBRN
TWBRN
Here's the log, I picked up some of the things I had quarantined already, but there were a lot of new ones too.


Incident Status Location

Adware:adware/quicksearch Not disinfected c:\program files\QuickSearch
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/sahagent Not disinfected Windows Registry
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\AtiCimUn.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\BIN\atiicdxx.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\BIN\EnumDev.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\BIN\UpdatPnP.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\CheckVer.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\CPanel\Setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\Driver\Setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\DrvUI64A.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\issetup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\makensisw.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\Setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-catalyst-8-10-050119a-020581c\WDM\Setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\ACE\setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\AtiCimUn.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\BIN\atiicdxx.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\BIN\EnumDev.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\BIN\UpdatPnP.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\CheckVer.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\Driver\Setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\DrvUI64A.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\issetup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\makensisw.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\Setup.exe
Virus:W32/Viking.E Disinfected C:\ATI\SUPPORT\wxp-w2k-ccc-8-10-050119a-020581c-english\WDM\Setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.92.1\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.92.6\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.92.7\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.92.8\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.92.91\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.93.0\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.93.7\setup.exe
Virus:W32/Viking.E Disinfected C:\av\csav\4.93.8\setup.exe
Virus:W32/Viking.E Disinfected C:\DELL\EXPRESS.EXE
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0164338.EXE.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166103.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166104.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166114.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166125.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166148.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166149.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166151.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166174.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166184.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166192.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166218.rbf.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166248.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166249.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166290.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166300.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166304.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166305.EXE.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166310.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166311.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171051.EXE.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171295.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171301.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171686.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171747.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171846.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171858.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171914.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171928.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171929.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171950.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171966.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0171992.rbf.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0172296.exe.Quarantined
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0172297.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0172351.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0172352.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\AcroRd32Info.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\APPEND.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\AppLauncher.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ARP.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\AT.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ATAPI.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ATI2MDXX.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ATMADM.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ATTRIB.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\AUTOLFN.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\BBPtr.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\BOOTOK.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\BOOTVRFY.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CACLS.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CB32.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\cdrun.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CFiles.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CHKDSK.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CHKNTFS.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\chktrust.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CIDAEMON.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CISVC.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CKCNV.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CLIPSRV.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CMMON32.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\COMP.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\COMPACT.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\COMREPL.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\COMREREG.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CONIME.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CONTROL.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\convert.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CSRSS.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CTFMON.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CTPdfErr.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CTPdflnk.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\CTRegSvr.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\d2lwin11.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DA_PASlog.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\dbexport.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DBGLogger.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DCOMCNFG.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DDESHARE.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DEBUG.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DISKPERF.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DLLHOST.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DLLHST3G.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DMREMOTE.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DOSKEY.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DOSXPRES.EXE.Quarantined.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\dplaysvr.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\dpnsvr.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DrK.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DRWATSON.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DSentry.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DS_PASlog.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DUMPREP.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\DVDUPGRD.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\EDLIN.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\EnumPCI.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\EVENTVWR.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\EXE2BIN.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ExecModule.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\EXPAND.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ExpEval21.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FASTOPEN.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FC.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FIND.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FINDSTR.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FINGER.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FIXMAPI.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FONTVIEW.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\FORCEDOS.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\fxssend.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\GDI.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\GRPCONV.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\HELP.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\HELPER.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\HKSendTo.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\HOSTNAME.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\hpjsira.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\htdigest.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\htpasswd.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\hwinfo.exe.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\ICWRMIND.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\IDADOFx1.EXE.Quarantined
Virus:W32/Viking.E Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\IDEREGAD.EXE.Quarantined
Virus:W32/Viking.E
TWBRN
The forum truncated that list, but there were only two types of virus it identified: viking.E and viking.E.worm. All instances of those types of files are listed as disinfected.

The only ones not listed as disinfected are here:

Adware:adware/quicksearch Not disinfected c:\program files\QuickSearch
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/sahagent Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\javainstaller.jar-5aa0b436-68fe6a7d.zip.Quarantined[javainstaller/InstallerApplet.class]
Virus:W32/Viking.E Renamed C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\M5drvr32.exe.Quarantined
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Window-- The nicest hobby on Earth ;) --.dll.047

The majority of infected programs were again in the I386 folder.

If you need the whole list, I can put it up in pieces. Just let me know.

Thanks again,

-TWBRN
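The triage TWBRN does by hand above (which detection names appear, which entries are still not disinfected, and which of those are only inert copies sitting in the antivirus quarantine folder) as an added Python example; this is not part of the thread or of Panda's tooling. The sample report lines are copied from the thread, and the parser assumes the status vocabulary is just the three values seen in it.

```python
"""Triage helper for Panda ActiveScan report lines of the form
'<Category>:<name> <Status> <Location>' as pasted in the thread.

Added example, not the forum's or Panda's own code.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Status values seen in the pasted report. 'Not disinfected' contains a
# space, so the parser has to know the set in advance (assumption: no others).
STATUSES = ("Not disinfected", "Disinfected", "Renamed")

LINE_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>" + "|".join(re.escape(s) for s in STATUSES) + r")\s+"
    r"(?P<location>.+)$"
)


@dataclass(frozen=True)
class Incident:
    category: str   # Virus, Adware, Spyware, ...
    name: str       # e.g. W32/Viking.E or adware/quicksearch
    status: str     # one of STATUSES
    location: str   # a file path or the literal "Windows Registry"

    @property
    def in_quarantine(self) -> bool:
        # A file already inside the AV quarantine folder is a stored copy,
        # not a live infection; the poster draws the same distinction.
        return "\\quarantine\\" in self.location.lower()


def parse_report(text: str) -> tuple[list[Incident], list[str]]:
    """Return parsed incidents plus the lines that did not match
    (the header, or an entry the forum truncated)."""
    incidents: list[Incident] = []
    unparsed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = LINE_RE.match(line)
        if m:
            incidents.append(Incident(**m.groupdict()))
        else:
            unparsed.append(line)
    return incidents, unparsed


def summarize(incidents: list[Incident]) -> Counter:
    """Count (detection name, status) pairs, the 'only two types' check."""
    return Counter((i.name, i.status) for i in incidents)


def needs_attention(incidents: list[Incident]) -> list[Incident]:
    """Entries still live after the scan: anything not 'Disinfected'
    whose location is outside the AV quarantine folder."""
    return [i for i in incidents
            if i.status != "Disinfected" and not i.in_quarantine]


# Constructed sample: a handful of lines copied from the thread, including
# the line the forum cut off, which must land in the unparsed list.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/quicksearch Not disinfected c:\program files\QuickSearch
Adware:adware/powerstrip Not disinfected Windows Registry
Virus:W32/Viking.E Disinfected C:\DELL\EXPRESS.EXE
Virus:W32/Viking.E.worm Disinfected C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\A0166103.exe.Quarantined
Virus:W32/Viking.E Renamed C:\Documents and Settings\All Users\Application Data\Command Software\Command AntiVirus\Quarantine\M5drvr32.exe.Quarantined
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Window-- The nicest hobby on Earth ;) --.dll.047
Virus:W32/Viking.E
"""

if __name__ == "__main__":
    found, bad = parse_report(SAMPLE_REPORT)
    for (name, status), n in sorted(summarize(found).items()):
        print(f"{n:4d}  {status:<16} {name}")
    print("Still needs attention (outside quarantine):")
    for inc in needs_attention(found):
        print(f"  {inc.category}:{inc.name} at {inc.location}")
    print("Unparsed lines:", bad)
```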
Bobbi Flekman
It took some time to find data about Viking, but after finding the name other companies use I conclude that you are better off reformatting the computer. This infection infects .exe files, and it would mean that you would have to replace each and every file that is infected. You are better and quicker off starting fresh.

Sorry for the bad news.
TWBRN
Bobbi,

Thanks again for spending time trying to fix this.

Before I reformat, I thought I should give some more information.

I was aware that something was in my .exe files. The icons associated with them were either corrupted or switched with the Adobe logo. Some of those icons were restored to normal after the Java version had been updated, and since I ran the ActiveScan, I've yet to find a program where the icon did not revert back to normal.

Furthermore, additional ActiveScans have shown that the viking.E has not returned to any of the files that it disinfected (it only shows a file in my antivirus quarantine). I'm not noticing any of the usual symptoms where launching a program will cause the computer to re-infect everything.

I realize that it is idealistic to think that the problem has gone away, but my system seems to be running just fine.

I respect your opinion, and if you say that I still need to reformat, I will do so.

Any thoughts?

Thanks again,
-TWBRN
Bobbi Flekman
Hi TWBRN,

My personal opinion is that when you are dealing with file infectors it is best to simply reinstall everything, as it will be very difficult to search and replace every infected file. And a lot faster. Be aware that this worm travels to other computers in your network, so check them as well.

QUOTE
I realize that it is idealistic to think that the problem has gone away, but my system seems to be running just fine.
Once again personal, but the real question is... Can you fully trust your computer? As soon as the answer becomes no, it is best to reformat, as you don't want something stealing passwords or credit card info.

Don't forget to make a backup of everything, as data will not be infected. I guess you would like to keep the data ;)

To sum it up: if you feel secure then by all means go ahead as you are, but personally I wouldn't trust my computer anymore.
TWBRN
I'm starting to think you're right. Every little thing my computer does makes me nervous now. There have been some programs that have come up for windows to configure without much reason, so there may still be something there anyway.

My biggest problem with the reformat was losing the data I have, so it's good to know that it won't be in that. I have an external hard drive; would that be the best place to store things for the time being?

This will be the first time I've reformatted a disk, is there a good tutorial somewhere?

Thanks once more for your time and effort in this.

-TWBRN
Bobbi Flekman
QUOTE (TWBRN @ Feb 9 2007, 11:25 PM)
My biggest problem with the reformat was losing the data I have, so it's good to know that it won't be in that. I have an external hard drive; would that be the best place to store things for the time being?
That's as good a place as any. Just be sure not to execute programs from that disc afterward. Only retrieve data from it.
QUOTE
This will be the first time I've reformatted a disk, is there a good tutorial somewhere?
http://spyware-free.us/tutorials/reformat/
QUOTE
Thanks once more for your time and effort in this.
You're welcome, and don't hesitate to ask if you have questions.
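The advice above is to copy only data off the backup drive and never run programs from it, since a file infector lives in executables. As an added example (not from the thread or from any vendor), this script sorts a backup tree into data and executables before anything is restored. It checks both the extension and the file's first two bytes, because a PE executable keeps its "MZ" header even when it has been renamed to a data-like extension. The sample tree it builds in a temporary directory is constructed for the demo.

```python
"""Sort a backup tree into data files and executables before restoring it,
so that nothing runnable is copied back or launched from the backup drive.
Added example; the sample files are constructed in a temp directory."""
import os
import tempfile

# Extensions Windows will execute or load as code. Assumed list, not exhaustive.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".sys", ".ocx", ".cpl",
            ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}


def looks_like_pe(path):
    """True if the file starts with the DOS 'MZ' header that every Windows
    executable carries; a file infector targets PE files regardless of name."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def classify(root):
    """Walk root and return (data_files, executables) as sorted relative paths.
    A file is treated as executable if either its extension or its header says so."""
    data, executables = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXT or looks_like_pe(full):
                executables.append(rel)
            else:
                data.append(rel)
    return sorted(data), sorted(executables)


def make_sample_tree():
    """Build a constructed backup tree in a temp dir and return its path.
    'renamed.dat' is a PE stub hiding behind a data extension."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    samples = {
        "docs/thesis.doc": b"\xd0\xcf\x11\xe0 constructed document",
        "photos/holiday.jpg": b"\xff\xd8\xff constructed jpeg",
        "misc/notes.txt": b"plain text",
        "setup/installer.exe": b"MZ constructed pe stub",
        "misc/renamed.dat": b"MZ constructed pe stub with data extension",
        "misc/run.bat": b"@echo off",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    data, executables = classify(root)
    print("safe to copy back as data:")
    for p in data:
        print("  ", p)
    print("do NOT run from the backup (reinstall from original media instead):")
    for p in executables:
        print("  ", p)
```

Anything on the executables list should be reinstalled from original media rather than copied back, and the data list is what actually needs to survive the reformat.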