"probably something still wrong"

jeanette · September 4, 2008

I posted my original query on the thread "quarantined and deleted successfully, but then..." on the general forum, and on advice followed the instructions on which logs and in what order and am posting here. From the other forum:

I "cleaned" an XP Home SP2 computer using Anti-Malware. It found 5 infected folders and 22 infected folders, and quarantined and deleted them all successfully. I then re-ran the software and it came up clean. I then ran the usual antivirus software (BitDefender) and that also came up clean. I then plugged in the network cord and within a minute BitDefender had stopped 4 viruses from being launched and the constant stream of e-mails began again. I ran another deep system BitDefender scan and it came up with 2 infected files with No Action Possible. I ran Anti-Malware a third time and though BD had 2 positives, it found nothing. (I also ran GMER yesterday and they said the rootkit file is c:\windows\system32\drivers\Lqt24.sys. Unfortunately, I did not get this response from them before thinking the system was clean and plugging in the network cord.)
The initial viruses that came up on the scan way back on Friday were Trojan.Dropper.Delf.Crypt.O, Trojan.Kobcka, Trojan.Inject.IA, and another that I don't remember. For every scan, a different name comes up, it seems.
From the initial system scan of Anti-Malware I got the following 7 different positives:
Rogue.XPSecurityCenter
Rootkit.Agent (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr)
Security.Hijack
Trojan.Agent
Adware.Funweb
Malware.Trace
Trojan.FakeAlert
Two of the viruses that BD blocked after I plugged in the network cord were Trojan.Inject.JF and Trojan.Kobcka.DV. The Kobcka trojan was identified as being at C:\Windows\System32\drivers\tcpsr.sys. Again, Anti-Malware picked up nothing after this second BD scan which showed a No Action Possible result. After deleting Lqt24.sys, I'm still getting two "can't find file specified" random number and letter .sys files on GMER scans (such as 8d6aff.sys), in the c:\windows\system32\drivers directory.

Also, when OUTLOOK sends/receives, occasionally there are duplicate accounts on the list (such as 3 accounts instead of the existing two).

jeanette · September 4, 2008

I posted my original query on the thread "quarantined and deleted successfully, but then..." on the general forum, and on advice ...

Here's the mbam log (clean):

Malwarebytes' Anti-Malware 1.26

Database version: 1112

Windows 5.1.2600 Service Pack 2

9/4/2008 10:45:17 AM

mbam-log-2008-09-04 (10-45-17).txt

Scan type: Quick Scan

Objects scanned: 59794

Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

jeanette · September 4, 2008

I posted my original query on the thread "quarantined and deleted successfully, but then..." on the general forum, and on advice ...

Panda scan:

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-09-04 13:11:43

PROTECTIONS: 1

MALWARE: 49

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Bit-Defender Internet Security 2008 11.0.17 No Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00039204 adware/cws Adware No 0 Yes No c:\documents and settings\terry w. dodds\favorites\insurance

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@trafficmp[2].txt

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@doubleclick[3].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@doubleclick[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@atdmt[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@atdmt[4].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@atdmt[3].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@247realmedia[1].txt

00145453 Cookie/Bfast TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@bfast[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@tribalfusion[2].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@mediaplex[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@mediaplex[1].txt

00149104 Cookie/Date TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@date[2].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@revenue[1].txt

00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@revenue[2].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@findwhat[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@com[1].txt

00167684 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@ehg-ati.hitbox[2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@azjmp[2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@azjmp[1].txt

00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@statcounter[2].txt

00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@club.cdfreaks[1].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@perf.overture[2].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@perf.overture[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@ad.yieldmanager[1].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@burstnet[2].txt

00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TERRYOFFICE1\Cookies\administrator@burstnet[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@serving-sys[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@bs.serving-sys[2].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@www.burstbeacon[1].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@www.burstbeacon[2].txt

00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@cdfreaks[2].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@server.iad.liveperson[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@server.iad.liveperson[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@server.iad.liveperson[7].txt

00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@stat.onestat[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@advertising[1].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w[9].txt

00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@media.adrevolver[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@statse.webtrendslive[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@ads.pointroll[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@ads.pointroll[3].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@ads.pointroll[2].txt

00170534 Cookie/PurityScan TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@ads.valuead[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@overture[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@overture[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@realmedia[2].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@realmedia[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@questionmarket[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@questionmarket[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@questionmarket[1].txt

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@zedo[1].txt

00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@bluestreak[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@adrevolver[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@adrevolver[1].txt

00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@bravenet[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@go[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@go[2].txt

00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@searchportal.information[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@target[1].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@target[2].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@did-it[1].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@did-it[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@atwola[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@atwola[3].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@atwola[1].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@www6.addfreestats[1].txt

00286738 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@www1.addfreestats[1].txt

00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@ehg-dig.hitbox[2].txt

00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry w. dodds@ads.addynamix[1].txt

00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@citi.bridgetrack[1].txt

00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@citi.bridgetrack[2].txt

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@adserver.easyad[1].txt

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Terry W. Dodds\Cookies\terry_w._dodds@adserver.easyad[2].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

jeanette · September 4, 2008

I posted my original query on the thread "quarantined and deleted successfully, but then..." on the general forum, and on advice ...

hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:16:12 PM, on 9/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\rundll32.exe

D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

D:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\PROGRA~1\MICROS~1\Office12\OUTLOOK.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe

C:\WINDOWS\system32\msiexec.exe

d:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/excitereg/l...ail.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [PC Suite Tray] "D:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: OfficeCalendar Server.lnk = C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.msi.com.tw

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191446587750

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191451904406

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} (TimeTrackingV2.UserControl1) - https://timetracking.quickbooks.com/ocx/tts...eTrackingV2.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FBFEE45-B1B1-4CF3-83A1-8FB8ED3DC03C}: NameServer = 68.238.0.12,88.238.112.12

O17 - HKLM\System\CS1\Services\Tcpip\..\{0FBFEE45-B1B1-4CF3-83A1-8FB8ED3DC03C}: NameServer = 68.238.0.12,88.238.112.12

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - AppInit_DLLs: karina.dat

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--

End of file - 9104 bytes

JeanInMontana · September 4, 2008

Hi jeanette and welcome. I need you to please get this file O20 - AppInit_DLLs: karina.dat and attach it as a zip here. I'll be back to you soon after the file is here.

jeanette · September 4, 2008

Hi jeanette and welcome. I need you to please get this file O20 - AppInit_DLLs: karina.dat and attach it as a zip here. I'll be back to you soon after the file is here.

The computer (windows search) cannot find the file (karina.dat), and I can't figure out where to look for it manually. Could I get some assistance there?

Also, I realize that prompt responses are asked for, but given that the infected computer is my boss' computer, and he is currently working, I have no way to access his system. So I apologize for any inconvenience of delayed replies for at least the next 3 hours, and possibly into tomorrow morning (US central time), depending on when he is able to not use it and the time that I leave for the day. I do appreciate the time you all spend assisting us.

JeanInMontana · September 4, 2008

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Navigate to the Windows folder on C:/ and it should be in System or System32/dll cache .

http://www.systemlookup.com/lists.php?list...s:%20karina.dat

JeanInMontana · September 4, 2008

News flash! This is detected and is actually removed... we just need to take it out with HJT. So run HJT in scan only put a check and click fix. Reboot and run a new quick scan with MBAM after update and a new HJT scan. Post both logs and we will see.

jeanette · September 4, 2008

Please set your system to show
all files; Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Navigate to the Windows folder on C:/ and it should be in System or System32/dll cache .
http://www.systemlookup.com/lists.php?list...s:%20karina.dat

no go for attaching the file. I still couldn't find it anywhere. Searched *.dat, k*.dat and k*.* in c:\windows, c:\windows\system, c:\windows\system32 and c:\windows\system32\dllcache both in Windows Explorer and in the dos cmd. Nothing resembling karina.dat appeared. Next, I will re-run hijackthis and follow what you wrote in your next post and will reply to that when I'm done.

jeanette · September 5, 2008

News flash! This is detected and is actually removed... we just need to take it out with HJT. So run HJT in scan only put a check and click fix. Reboot and run a new quick scan with MBAM after update and a new HJT scan. Post both logs and we will see.

For just re-starting windows, do that many svchost.exe 's need to be started? That was the original file that BitDefender identified as being infected. Just checking. (Again, I appreciate the help from this forum. BD, which my boss paid for has yet to respond to the query we sent this morning, and it took them my boss calling them last night for them to respond to the original help e-mail from Friday!)

Updated scan log: MBAM Log

Malwarebytes' Anti-Malware 1.26

Database version: 1113

Windows 5.1.2600 Service Pack 2

9/4/2008 7:20:22 PM

mbam-log-2008-09-04 (19-20-22).txt

Scan type: Quick Scan

Objects scanned: 61643

Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:08:27 PM, on 9/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\MsPMSPSv.exe

D:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\OfficeCalendar Server\OfficeCalendarServer.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe