Think I'm Infected, Virtumonde, Sudden Web Page Popups

This topic is locked. 10 replies to this topic.

#1 whitesdford (Members, 6 posts)

Posted 01 February 2008 - 11:07 PM

Got something weird going on with my computer. Today, all of a sudden, new crush calculator web pages keep popping up, other pages, etc. The computer seems to hang a little when using I.E. Ran Spybot S&D; it keeps showing Virtumonde files every time I run it. The hard drive light is always spinning, but the CPU usage is normal. Doesn't show any processes running or anything, help! Thanks in advance, here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:17 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aric\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DDKL] C:\Program Files\Keylogger\msdts.exe
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [d4c94a31] rundll32.exe "C:\WINDOWS\system32\ciuitkrf.dll",b
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156817550483
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/w...tall/isetup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9423 bytes
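A triage pass over HijackThis O4/O10/O18 lines of the kind in the log above, as an added example that is neither part of this thread nor a HijackThis feature. The sample lines are constructed from the posted log, and the heuristics (an 8-hex-character Run value name, a single-letter rundll32 entry point, a system binary name such as svchost.exe outside its usual directory) are this editor's reading of the indicators the helper acted on, not a published signature set.

```python
"""Heuristic triage of HijackThis O4/O10/O18 lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample modelled on lines in the log above; shortened, not the full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [d4c94a31] rundll32.exe "C:\WINDOWS\system32\ciuitkrf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
"""

# O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 <dll>,<entry point>  (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.I)
# first drive-letter path ending in .exe/.dll inside a command line
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)

# Names of genuine Windows binaries and where they normally live. A file named
# like one of these in another directory (the "Host Process" entry above) is
# the classic masquerade and deserves a look regardless of anything else.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "ctfmon.exe", "explorer.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_run_entry(name: str, cmd: str) -> list:
    """Return the reasons (possibly none) an O4 Run entry deserves review."""
    reasons = []
    # Vundo-style autoruns use a generated value name such as d4c94a31 ...
    if re.fullmatch(r"[0-9a-f]{8}", name):
        reasons.append("Run value name looks machine-generated (8 hex characters)")
    # ... and load their DLL via rundll32 with a one-letter export, here ",b".
    m = RUNDLL_RE.match(cmd)
    if m and len(m.group("entry")) == 1:
        reasons.append("rundll32 calls a single-letter entry point in the DLL")
    p = PATH_RE.search(cmd)
    if p:
        path = PureWindowsPath(p.group(0))
        if (path.name.lower() in SYSTEM_BINARIES
                and str(path.parent).lower() not in EXPECTED_DIRS):
            reasons.append(f"{path.name} outside its normal directory ({path.parent})")
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return one Finding per distinct suspicious line."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue  # HijackThis repeats identical LSP lines; report each once
        seen.add(line)
        m = O4_RE.match(line)
        if m:
            reasons = check_run_entry(m.group("name"), m.group("cmd"))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            reasons = ["Winsock LSP DLL not in HijackThis's known list; confirm the publisher"]
        elif line.startswith("O18 - Filter hijack:"):
            reasons = ["third-party MIME filter sits in front of every text/html response"]
        else:
            reasons = []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Legitimate software trips the O10 and O18 checks too (the LSP here belongs to the ContentWatch filter the log also lists), so the output is a review queue, not a verdict.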


#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 02 February 2008 - 09:10 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 whitesdford (Topic Starter; Members, 6 posts)

Posted 02 February 2008 - 11:05 AM

Thank you so much for helping me. Here is my ComboFix log.

ComboFix 08-02.02.5 - Aric 2008-02-02 8:39:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.456 [GMT -7:00]
Running from: C:\Documents and Settings\Aric\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\tuvwvuu.dll
C:\Program Files\myglobalsearch
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\cmvhmcsm.dll
C:\WINDOWS\system32\kcbydpyu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\paostjly.dll
C:\WINDOWS\system32\pkyfvhpl.dll
C:\WINDOWS\system32\rgpgeime.dll
C:\WINDOWS\system32\rgpgeime.dll . . . . failed to delete
C:\WINDOWS\system32\rgpgeime.dllbox
C:\WINDOWS\system32\tuvwvuu.dll
C:\WINDOWS\system32\Urncb.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\yljtsoap.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 08:53 . 2008-02-02 08:54 134 ---hs---- C:\WINDOWS\system32\rgpgeime.dllbox
2008-02-02 08:16 . 2008-02-02 08:16 34 --a------ C:\WINDOWS\pxsetup.rf
2008-02-01 21:54 . 2008-02-02 08:47 163,904 --a------ C:\WINDOWS\system32\rgpgeime.dll
2008-02-01 21:45 . 2008-02-01 21:45 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-01 20:54 . 2008-02-01 20:55 <DIR> d-------- C:\Documents and Settings\Aric\.SunDownloadManager
2008-01-31 21:12 . 2008-01-31 21:12 299,172 --a------ C:\QDATA.IDX
2008-01-31 09:40 . 2008-02-01 21:45 <DIR> d-------- C:\VundoFix Backups
2008-01-31 09:30 . 2008-01-31 09:30 284 --a------ C:\move.bat
2008-01-30 10:45 . 2008-01-30 10:45 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-30 10:43 . 2008-01-30 10:43 <DIR> d-------- C:\WINDOWS\system32\nGpxx18
2008-01-30 10:43 . 2008-01-30 10:43 <DIR> d-------- C:\Temp\cXzz9
2008-01-30 10:43 . 2008-01-30 10:43 <DIR> d-------- C:\Temp
2008-01-29 20:44 . 2008-01-29 20:44 <DIR> d-------- C:\Program Files\Intuit
2008-01-29 20:42 . 2008-01-29 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-29 20:33 . 2008-01-29 20:33 <DIR> d-------- C:\Program Files\Undisker
2008-01-29 17:44 . 2008-01-30 13:57 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 21:26 . 2008-01-25 21:26 <DIR> d-------- C:\Program Files\Second Sight Software
2008-01-22 12:29 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-01-22 12:29 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-01-17 17:17 . 2008-01-17 17:17 <DIR> d-------- C:\Documents and Settings\LocalService\ContentWatch
2008-01-17 17:08 . 2008-01-17 17:08 <DIR> d-------- C:\Program Files\ContentWatch
2008-01-17 17:08 . 2008-01-17 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ContentWatch
2008-01-17 17:04 . 2008-01-17 17:04 <DIR> d-------- C:\Documents and Settings\Aric\ContentWatch
2008-01-17 16:55 . 2007-06-08 16:15 1,519,616 --a------ C:\WINDOWS\system32\mxpvct25.dat
2008-01-17 16:55 . 2004-03-09 15:45 132,880 --a------ C:\WINDOWS\system32\mxpvct22.dat
2008-01-15 17:25 . 2008-01-17 19:52 <DIR> d-------- C:\kitsap
2008-01-15 17:24 . 2008-01-15 17:25 <DIR> d-------- C:\Program Files\Common Files\LizardTech Shared
2008-01-15 17:23 . 2008-01-15 17:23 <DIR> d-------- C:\Program Files\LizardTech
2008-01-09 21:36 . 2008-02-02 08:10 <DIR> d-------- C:\Documents and Settings\Aric\Application Data\skypePM
2008-01-09 21:36 . 2008-01-09 21:36 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-09 21:35 . 2008-02-02 08:45 <DIR> d-------- C:\Documents and Settings\Aric\Application Data\Skype
2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\Program Files\Skype
2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-07 20:35 . 2008-01-07 20:56 <DIR> d-------- C:\tanning bed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 15:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 03:57 --------- d-----w C:\Program Files\Java
2008-02-02 01:47 --------- d-----w C:\Program Files\Common Files\Intuit
2008-01-30 20:57 --------- d-----w C:\Documents and Settings\Aric\Application Data\LimeWire
2008-01-30 20:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-30 20:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-30 19:08 --------- d-----w C:\Program Files\Kazaa
2008-01-30 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-30 00:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 19:21 --------- d-----w C:\Documents and Settings\Aric\Application Data\AdobeUM
2007-12-28 15:55 --------- d-----w C:\Documents and Settings\Aric\Application Data\RipIt4Me
2007-12-21 04:09 --------- d-----w C:\Program Files\Avery Wizard 3.0
2007-12-17 21:08 --------- d-----w C:\Documents and Settings\Tamara\Application Data\AdobeUM
2005-05-12 05:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
<pre>
----a-w		16,289,792 2003-05-27 15:30:49  C:\software\DVD Copy Plus 321Studios + Crack .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9ABB6B-69AE-4041-AA30-7214E1943A65}]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-02 08:47 163904 --a------ C:\WINDOWS\system32\rgpgeime.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D52C24F0-983E-4A1B-822C-12325E0CF1C2}]
C:\WINDOWS\system32\ddayx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6A707E1-592B-4BDF-9690-37D7BBF10AD8}]
C:\WINDOWS\system32\geeba.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43 4670704]
"SpeedItUpEX"="C:\Program Files\Speeditup Free\SpeedItUp.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2001-08-18 05:00 77891]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 16:22 86016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-29 07:03 180269]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 14:45 21464]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44 271672]
"DDKL"="C:\Program Files\Keylogger\msdts.exe" [ ]
"cwcptray"="C:\Program Files\ContentWatch\Internet Protection\cwtray.exe" [2007-10-17 09:42 403456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rgpgeime]
rgpgeime.dll 2008-02-02 08:47 163904 C:\WINDOWS\system32\rgpgeime.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=C:\WINDOWS\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 17:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-08-29 07:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
C:\Program Files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WUSB54Gv2]
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\si3112r.sys [2002-10-15 19:57]
R2 CwAltaService20;ContentWatch;C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [2007-10-17 09:42]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-03-14 14:09]
S3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys [2003-04-17 15:28]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 06:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\dvd-rom.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 05:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 03:00:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Aric.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 08:53:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rgpgeime.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\rgpgeime.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-02-02 8:57:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 15:57:13
.
2008-01-09 10:02:53 --- E O F ---

#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 02 February 2008 - 12:39 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\Program Files\Save
C:\Program Files\RXToolBar
C:\VundoFix Backups
C:\Temp\cXzz9

File::
C:\WINDOWS\system32\rgpgeime.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\ddcyy.dll
C:\software\DVD Copy Plus 321Studios + Crack .exe
C:\WINDOWS\system32\rgpgeime.dllbox

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rgpgeime]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6A707E1-592B-4BDF-9690-37D7BBF10AD8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D52C24F0-983E-4A1B-822C-12325E0CF1C2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9ABB6B-69AE-4041-AA30-7214E1943A65}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#5 whitesdford (Topic Starter; Members, 6 posts)

Posted 02 February 2008 - 04:44 PM

ComboFix 08-02.02.5 - Aric 2008-02-02 14:28:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.355 [GMT -7:00]
Running from: C:\Documents and Settings\Aric\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Aric\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\software\DVD Copy Plus 321Studios + Crack .exe
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\rgpgeime.dll
C:\WINDOWS\system32\rgpgeime.dllbox
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rgpgeime.dll
C:\software\DVD Copy Plus 321Studios + Crack .exe
C:\Temp\cXzz9
C:\VundoFix Backups
C:\VundoFix Backups\abeeg.ini.bad
C:\VundoFix Backups\abeeg.ini2.bad
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ciuitkrf.dll.bad
C:\VundoFix Backups\ddayx.dll.bad
C:\VundoFix Backups\ddcyy.dll.bad
C:\VundoFix Backups\djnronqg.dll.bad
C:\VundoFix Backups\frktiuic.ini.bad
C:\VundoFix Backups\geeba.dll.bad
C:\VundoFix Backups\hcmrmbdl.dll.bad
C:\VundoFix Backups\hjupktuv.dll.bad
C:\VundoFix Backups\hnnsvolo.dll.bad
C:\VundoFix Backups\htrhwjvo.dll.bad
C:\VundoFix Backups\kttwflgw.dll.bad
C:\VundoFix Backups\mptpcqgs.exe.bad
C:\VundoFix Backups\okzmexiu.dll.bad
C:\VundoFix Backups\okzmexiu.dllbox.bad
C:\VundoFix Backups\pwpuerwp.dll.bad
C:\VundoFix Backups\pwpuerwp.dllbox.bad
C:\VundoFix Backups\rmlnweqy.dll.bad
C:\VundoFix Backups\vutkpujh.ini.bad
C:\VundoFix Backups\xyadd.ini.bad
C:\VundoFix Backups\xyadd.ini2.bad
C:\VundoFix Backups\yycdd.ini.bad
C:\VundoFix Backups\yycdd.ini2.bad
C:\VundoFix Backups\yyqvrusj.dll.bad
C:\VundoFix Backups\yyqvrusj.dllbox.bad
C:\WINDOWS\system32\rgpgeime.dll
C:\WINDOWS\system32\rgpgeime.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 08:16 . 2008-02-02 08:16 34 --a------ C:\WINDOWS\pxsetup.rf
2008-02-01 21:45 . 2008-02-01 21:45 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-01 20:54 . 2008-02-01 20:55 <DIR> d-------- C:\Documents and Settings\Aric\.SunDownloadManager
2008-01-31 21:12 . 2008-01-31 21:12 299,172 --a------ C:\QDATA.IDX
2008-01-31 09:30 . 2008-01-31 09:30 284 --a------ C:\move.bat
2008-01-30 10:45 . 2008-01-30 10:45 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-30 10:43 . 2008-01-30 10:43 <DIR> d-------- C:\WINDOWS\system32\nGpxx18
2008-01-30 10:43 . 2008-02-02 14:28 <DIR> d-------- C:\Temp
2008-01-29 20:44 . 2008-01-29 20:44 <DIR> d-------- C:\Program Files\Intuit
2008-01-29 20:42 . 2008-01-29 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-29 20:33 . 2008-01-29 20:33 <DIR> d-------- C:\Program Files\Undisker
2008-01-29 17:44 . 2008-01-30 13:57 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 21:26 . 2008-01-25 21:26 <DIR> d-------- C:\Program Files\Second Sight Software
2008-01-22 12:29 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-01-22 12:29 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-01-17 17:17 . 2008-01-17 17:17 <DIR> d-------- C:\Documents and Settings\LocalService\ContentWatch
2008-01-17 17:08 . 2008-01-17 17:08 <DIR> d-------- C:\Program Files\ContentWatch
2008-01-17 17:08 . 2008-01-17 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ContentWatch
2008-01-17 17:04 . 2008-01-17 17:04 <DIR> d-------- C:\Documents and Settings\Aric\ContentWatch
2008-01-17 16:55 . 2007-06-08 16:15 1,519,616 --a------ C:\WINDOWS\system32\mxpvct25.dat
2008-01-17 16:55 . 2004-03-09 15:45 132,880 --a------ C:\WINDOWS\system32\mxpvct22.dat
2008-01-15 17:25 . 2008-01-17 19:52 <DIR> d-------- C:\kitsap
2008-01-15 17:24 . 2008-01-15 17:25 <DIR> d-------- C:\Program Files\Common Files\LizardTech Shared
2008-01-15 17:23 . 2008-01-15 17:23 <DIR> d-------- C:\Program Files\LizardTech
2008-01-09 21:36 . 2008-02-02 08:10 <DIR> d-------- C:\Documents and Settings\Aric\Application Data\skypePM
2008-01-09 21:36 . 2008-01-09 21:36 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-09 21:35 . 2008-02-02 13:53 <DIR> d-------- C:\Documents and Settings\Aric\Application Data\Skype
2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\Program Files\Skype
2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-01-09 21:34 . 2008-01-09 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-01-07 20:35 . 2008-01-07 20:56 <DIR> d-------- C:\tanning bed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 16:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 03:57 --------- d-----w C:\Program Files\Java
2008-02-02 01:47 --------- d-----w C:\Program Files\Common Files\Intuit
2008-01-30 20:57 --------- d-----w C:\Documents and Settings\Aric\Application Data\LimeWire
2008-01-30 20:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-30 20:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-30 19:08 --------- d-----w C:\Program Files\Kazaa
2008-01-30 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-30 00:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 19:21 --------- d-----w C:\Documents and Settings\Aric\Application Data\AdobeUM
2007-12-28 15:55 --------- d-----w C:\Documents and Settings\Aric\Application Data\RipIt4Me
2007-12-21 04:09 --------- d-----w C:\Program Files\Avery Wizard 3.0
2007-12-17 21:08 --------- d-----w C:\Documents and Settings\Tamara\Application Data\AdobeUM
2005-05-12 05:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43 4670704]
"SpeedItUpEX"="C:\Program Files\Speeditup Free\SpeedItUp.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2001-08-18 05:00 77891]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 16:22 86016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-29 07:03 180269]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 14:45 21464]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44 271672]
"DDKL"="C:\Program Files\Keylogger\msdts.exe" [ ]
"cwcptray"="C:\Program Files\ContentWatch\Internet Protection\cwtray.exe" [2007-10-17 09:42 403456]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=C:\WINDOWS\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 17:44 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-08-29 07:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
C:\Program Files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WUSB54Gv2]
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe

R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\si3112r.sys [2002-10-15 19:57]
R2 CwAltaService20;ContentWatch;C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [2007-10-17 09:42]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-03-14 14:09]
S3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys [2003-04-17 15:28]
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 06:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\dvd-rom.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 05:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 03:00:01 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Aric.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 14:36:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-02-02 14:39:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 21:39:28
ComboFix2.txt 2008-02-02 15:57:19
.
2008-01-09 10:02:53 --- E O F ---

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:47 AM

Posted 03 February 2008 - 10:04 AM

Your log is looking better. Please post a new HijackThis log and we'll see if anything is left.

You still need to install the Recovery Console on your computer. Please visit this link for info.

http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/


Let me know how your computer is working now. Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 whitesdford

whitesdford
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 03 February 2008 - 11:56 AM

Here is my new HijackThis log. The computer is running much better and I'm very thankful for your help. One weird thing that is left is that in My Computer, where it lists all your drives, I have a red X by the C drive. Thanks for taking a look at my computer; what was I infected with?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:56 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Aric\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DDKL] C:\Program Files\Keylogger\msdts.exe
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156817550483
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/w...tall/isetup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10005 bytes

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:47 AM

Posted 04 February 2008 - 12:07 AM

You definitely had a Vundo infection and some other stuff too. None of it good and we may not be done yet.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



========================================================

#9 whitesdford

whitesdford
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 04 February 2008 - 04:00 PM

Protection
----------
Total scanned: 505406
Detected: 27
Untreated: 12
Start time: 2/4/2008 8:11:47 AM
Duration: 00:00:00
Finish time: 2/4/2008 8:11:47 AM


Detected
--------
Status Object
------ ------
detected: adware not-a-virus:AdWare.Win32.Altnet.b File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\005504B1.exe//CryptFF
detected: adware not-a-virus:AdWare.Win32.Lop.bb File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B511AA3.exe//CryptFF
detected: adware not-a-virus:AdWare.Win32.Altnet.g File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FD6486A.cab//CryptFF/AltnetUninstall.exe
detected: Trojan program Trojan-Downloader.Win32.Small.jc File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D153B7B.exe//CryptFF
detected: Trojan program Trojan.Win32.Crypt.e File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48A31FE8.exe//CryptFF
detected: adware not-a-virus:AdWare.Win32.MySearch.e File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\493C5277.dll//CryptFF
detected: virus P2P-Worm.Win32.VB.dw File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52EA584F.exe//CryptFF//UPX
detected: adware not-a-virus:AdWare.Win32.Altnet.l File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\576E6757.cab//CryptFF/asm.exe//Pex
detected: adware not-a-virus:AdWare.Win32.Altnet.t File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\576E6757.cab//CryptFF/asmps.dll
detected: adware not-a-virus:AdWare.Win32.Altnet.t File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E063215.dll//CryptFF
detected: adware not-a-virus:AdWare.Win32.Altnet.d File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E1D57FC.dll//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.cgu File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F737284.exe//CryptFF
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\catchme2008-02-02_ 85303.70.zip/rgpgeime.dll
deleted: Trojan program Trojan.Win32.BHO.auf File: C:\QooBox\Quarantine\catchme2008-02-02_ 85303.70.zip/tuvwvuu.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\catchme2008-02-02_143550.26.zip/rgpgeime.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\VundoFix Backups\djnronqg.dll.bad.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\VundoFix Backups\kttwflgw.dll.bad.vir
deleted: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\QooBox\Quarantine\C\VundoFix Backups\mptpcqgs.exe.bad.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\VundoFix Backups\okzmexiu.dll.bad.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\VundoFix Backups\pwpuerwp.dll.bad.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\VundoFix Backups\rmlnweqy.dll.bad.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\VundoFix Backups\yyqvrusj.dll.bad.vir
deleted: Trojan program Trojan.Win32.Agent.cmn File: C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Crack.exe
deleted: Trojan program Trojan.Win32.Agent.cmn File: C:\QooBox\Quarantine\C\WINDOWS\Fonts\Crack.exe.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\WINDOWS\system32\pkyfvhpl.dll.vir
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\QooBox\Quarantine\C\WINDOWS\system32\rgpgeime.dll.vir
deleted: Trojan program Trojan-Dropper.Win32.DNet.b File: C:\software\2 Microsoft Product Activation Crack All Products Office Windows Xp 2003 Pro Professional Home Server Enterprise(2).zip/microsoft.product.activation.crack.all.products.office.windows.xp.2003.pro.professional.home.server.enterprise.exe/instw32.exe


Events
------
Time Event
---- -----
2/4/2008 8:10:41 AM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet1.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet10.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet10.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet11.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet11.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet12.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet12.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet4.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet4.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet5.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:39 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet5.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet6.zip/My Altnet Shares/Bullguard Protection/plugins.cab.cab: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet6.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet7.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet7.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet8.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet8.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet9.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet9.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch.zip/search: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch1.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch2.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch2.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch3.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch4.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch5.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch5.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch6.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch6.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch7.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch7.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch8.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AskMyGlobalSearch8.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CliprexDVDPro.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CliprexDVDPro.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CliprexDVDPro1.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CliprexDVDPro1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CometCursors.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CometCursors.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify1.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyBar.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger.zip/text.dat: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger1.zip/Urncbc.dll: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger2.zip/msdts.exe: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger2.zip/Support.dll: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger2.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger3.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ProDataDoctorKeylogger3.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/removalfile.bat: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:40 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/mptpcqgs.exe: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric1.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric10.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric10.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric11.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric11.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric12.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric12.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric13.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric13.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric14.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric14.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric15.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric15.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric3.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric3.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric4.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric4.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric5.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric5.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric7.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric7.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric8.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric8.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric9.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric9.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/00jj99uuii66ddxxqqq.zip: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/svchost.exe: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn2.zip/sbRecovery.reg: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn2.zip/sbRecovery.ini: is password protected.
2/4/2008 8:22:41 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn3.zip/sbRecovery.ini: is password protected.
2/4/2008 8:23:01 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\005504B1.exe//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Altnet.b'.
2/4/2008 8:23:01 AM Security threats have been detected. You are advised to neutralize them immediately.
2/4/2008 8:23:01 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\005504B1.exe//CryptFF: is still infected, postponed.
2/4/2008 8:23:01 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B511AA3.exe//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Lop.bb'.
2/4/2008 8:23:01 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B511AA3.exe//CryptFF: is still infected, postponed.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FD6486A.cab//CryptFF/AltnetUninstall.exe: detected adware 'not-a-virus:AdWare.Win32.Altnet.g'.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FD6486A.cab//CryptFF/AltnetUninstall.exe: is still infected, postponed.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D153B7B.exe//CryptFF: detected Trojan program 'Trojan-Downloader.Win32.Small.jc'.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D153B7B.exe//CryptFF: is still infected, postponed.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48A31FE8.exe//CryptFF: detected Trojan program 'Trojan.Win32.Crypt.e'.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48A31FE8.exe//CryptFF: is still infected, postponed.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\493C5277.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.MySearch.e'.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\493C5277.dll//CryptFF: is still infected, postponed.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52EA584F.exe//CryptFF//UPX: detected virus 'P2P-Worm.Win32.VB.dw'.
2/4/2008 8:23:02 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52EA584F.exe//CryptFF//UPX: is still infected, postponed.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\576E6757.cab//CryptFF/asm.exe//Pex: detected adware 'not-a-virus:AdWare.Win32.Altnet.l'.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\576E6757.cab//CryptFF/asm.exe//Pex: is still infected, postponed.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\576E6757.cab//CryptFF/asmps.dll: detected adware 'not-a-virus:AdWare.Win32.Altnet.t'.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E063215.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Altnet.t'.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E063215.dll//CryptFF: is still infected, postponed.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E1D57FC.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Altnet.d'.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E1D57FC.dll//CryptFF: is still infected, postponed.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F737284.exe//CryptFF: detected Trojan program 'Trojan-Downloader.Win32.VB.cgu'.
2/4/2008 8:23:03 AM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F737284.exe//CryptFF: is still infected, postponed.
2/4/2008 8:40:00 AM File C:\Documents and Settings\Aric\My Documents\kitco_dais_2001.zip/kitco_dais_2001.aux: is password protected.
2/4/2008 8:40:00 AM File C:\Documents and Settings\Aric\My Documents\kitco_dais_2001.zip/kitco_dais_2001.htm: is password protected.
2/4/2008 8:40:01 AM File C:\Documents and Settings\Aric\My Documents\kitco_dais_2001.zip/kitco_dais_2001.png: is password protected.
2/4/2008 8:40:01 AM File C:\Documents and Settings\Aric\My Documents\kitco_dais_2001.zip/kitco_dais_2001.sdw: is password protected.
2/4/2008 8:40:01 AM File C:\Documents and Settings\Aric\My Documents\kitco_dais_2001.zip/kitco_dais_2001.sid: is password protected.
2/4/2008 8:40:01 AM File C:\Documents and Settings\Aric\My Documents\kitco_dais_2001.zip/kitco_dais_2001.sid.xml: is password protected.
2/4/2008 10:00:21 AM File C:\QooBox\Quarantine\catchme2008-02-02_ 85303.70.zip/rgpgeime.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:21 AM File C:\QooBox\Quarantine\catchme2008-02-02_ 85303.70.zip/rgpgeime.dll: is still infected, postponed.
2/4/2008 10:00:21 AM File C:\QooBox\Quarantine\catchme2008-02-02_ 85303.70.zip/tuvwvuu.dll: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/4/2008 10:00:21 AM File C:\QooBox\Quarantine\catchme2008-02-02_ 85303.70.zip/tuvwvuu.dll: is still infected, postponed.
2/4/2008 10:00:21 AM File C:\QooBox\Quarantine\catchme2008-02-02_143550.26.zip/rgpgeime.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:21 AM File C:\QooBox\Quarantine\catchme2008-02-02_143550.26.zip/rgpgeime.dll: is still infected, postponed.
2/4/2008 10:00:24 AM File C:\QooBox\Quarantine\C\VundoFix Backups\djnronqg.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:24 AM File C:\QooBox\Quarantine\C\VundoFix Backups\djnronqg.dll.bad.vir: is still infected, postponed.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\kttwflgw.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\kttwflgw.dll.bad.vir: is still infected, postponed.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\mptpcqgs.exe.bad.vir: detected Trojan program 'Trojan-Downloader.Win32.Agent.gwe'.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\mptpcqgs.exe.bad.vir: is still infected, postponed.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\okzmexiu.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\okzmexiu.dll.bad.vir: is still infected, postponed.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\pwpuerwp.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\pwpuerwp.dll.bad.vir: is still infected, postponed.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\rmlnweqy.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:25 AM File C:\QooBox\Quarantine\C\VundoFix Backups\rmlnweqy.dll.bad.vir: is still infected, postponed.
2/4/2008 10:00:26 AM File C:\QooBox\Quarantine\C\VundoFix Backups\yyqvrusj.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:26 AM File C:\QooBox\Quarantine\C\VundoFix Backups\yyqvrusj.dll.bad.vir: is still infected, postponed.
2/4/2008 10:00:26 AM File C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Crack.exe: detected Trojan program 'Trojan.Win32.Agent.cmn'.
2/4/2008 10:00:26 AM File C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Crack.exe: is still infected, postponed.
2/4/2008 10:00:27 AM File C:\QooBox\Quarantine\C\WINDOWS\Fonts\Crack.exe.vir: detected Trojan program 'Trojan.Win32.Agent.cmn'.
2/4/2008 10:00:27 AM File C:\QooBox\Quarantine\C\WINDOWS\Fonts\Crack.exe.vir: is still infected, postponed.
2/4/2008 10:00:27 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\pkyfvhpl.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:27 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\pkyfvhpl.dll.vir: is still infected, postponed.
2/4/2008 10:00:27 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\rgpgeime.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 10:00:27 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\rgpgeime.dll.vir: is still infected, postponed.
2/4/2008 10:00:29 AM File C:\software\2 Microsoft Product Activation Crack All Products Office Windows Xp 2003 Pro Professional Home Server Enterprise(2).zip/microsoft.product.activation.crack.all.products.office.windows.xp.2003.pro.professional.home.server.enterprise.exe/instw32.exe: detected Trojan program 'Trojan-Dropper.Win32.DNet.b'.
2/4/2008 10:00:29 AM File C:\software\2 Microsoft Product Activation Crack All Products Office Windows Xp 2003 Pro Professional Home Server Enterprise(2).zip/microsoft.product.activation.crack.all.products.office.windows.xp.2003.pro.professional.home.server.enterprise.exe/instw32.exe: is still infected, postponed.
2/4/2008 10:26:29 AM Update completed successfully
2/4/2008 10:46:29 AM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\005504b1.exe//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Altnet.b'.
2/4/2008 12:17:46 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\005504b1.exe//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:46 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\1b511aa3.exe//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Lop.bb'.
2/4/2008 12:17:52 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\1b511aa3.exe//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\2fd6486a.cab//CryptFF/AltnetUninstall.exe: detected adware 'not-a-virus:AdWare.Win32.Altnet.g'.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\2fd6486a.cab//CryptFF/AltnetUninstall.exe: is still infected, skipped by user.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\3d153b7b.exe//CryptFF: detected Trojan program 'Trojan-Downloader.Win32.Small.jc'.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\3d153b7b.exe//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\48a31fe8.exe//CryptFF: detected Trojan program 'Trojan.Win32.Crypt.e'.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\48a31fe8.exe//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\493c5277.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.MySearch.e'.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\493c5277.dll//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\52ea584f.exe//CryptFF//UPX: detected virus 'P2P-Worm.Win32.VB.dw'.
2/4/2008 12:17:53 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\52ea584f.exe//CryptFF//UPX: is still infected, skipped by user.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\576e6757.cab//CryptFF/asm.exe//Pex: detected adware 'not-a-virus:AdWare.Win32.Altnet.l'.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\576e6757.cab//CryptFF/asm.exe//Pex: is still infected, skipped by user.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\576e6757.cab//CryptFF/asmps.dll: detected adware 'not-a-virus:AdWare.Win32.Altnet.t'.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\5e063215.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Altnet.t'.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\5e063215.dll//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\5e1d57fc.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Altnet.d'.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\5e1d57fc.dll//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\7f737284.exe//CryptFF: detected Trojan program 'Trojan-Downloader.Win32.VB.cgu'.
2/4/2008 12:17:54 PM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\7f737284.exe//CryptFF: is still infected, skipped by user.
2/4/2008 12:17:54 PM File c:\qoobox\quarantine\catchme2008-02-02_ 85303.70.zip/rgpgeime.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:01 PM File c:\qoobox\quarantine\catchme2008-02-02_ 85303.70.zip/rgpgeime.dll: deleted.
2/4/2008 12:18:01 PM File c:\qoobox\quarantine\catchme2008-02-02_ 85303.70.zip/tuvwvuu.dll: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/4/2008 12:18:04 PM File c:\qoobox\quarantine\catchme2008-02-02_ 85303.70.zip/tuvwvuu.dll: deleted.
2/4/2008 12:18:04 PM File c:\qoobox\quarantine\catchme2008-02-02_143550.26.zip/rgpgeime.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:06 PM File c:\qoobox\quarantine\catchme2008-02-02_143550.26.zip/rgpgeime.dll: deleted.
2/4/2008 12:18:06 PM File c:\qoobox\quarantine\c\vundofix backups\djnronqg.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:17 PM File c:\qoobox\quarantine\c\vundofix backups\djnronqg.dll.bad.vir: deleted.
2/4/2008 12:18:17 PM File c:\qoobox\quarantine\c\vundofix backups\kttwflgw.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:20 PM File c:\qoobox\quarantine\c\vundofix backups\kttwflgw.dll.bad.vir: deleted.
2/4/2008 12:18:20 PM File c:\qoobox\quarantine\c\vundofix backups\mptpcqgs.exe.bad.vir: detected Trojan program 'Trojan-Downloader.Win32.Agent.gwe'.
2/4/2008 12:18:21 PM File c:\qoobox\quarantine\c\vundofix backups\mptpcqgs.exe.bad.vir: deleted.
2/4/2008 12:18:21 PM File c:\qoobox\quarantine\c\vundofix backups\okzmexiu.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:22 PM File c:\qoobox\quarantine\c\vundofix backups\okzmexiu.dll.bad.vir: deleted.
2/4/2008 12:18:22 PM File c:\qoobox\quarantine\c\vundofix backups\pwpuerwp.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:23 PM File c:\qoobox\quarantine\c\vundofix backups\pwpuerwp.dll.bad.vir: deleted.
2/4/2008 12:18:23 PM File c:\qoobox\quarantine\c\vundofix backups\rmlnweqy.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:24 PM File c:\qoobox\quarantine\c\vundofix backups\rmlnweqy.dll.bad.vir: deleted.
2/4/2008 12:18:24 PM File c:\qoobox\quarantine\c\vundofix backups\yyqvrusj.dll.bad.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:25 PM File c:\qoobox\quarantine\c\vundofix backups\yyqvrusj.dll.bad.vir: deleted.
2/4/2008 12:18:25 PM File c:\qoobox\quarantine\c\windows\fonts\a.zip.vir/Crack.exe: detected Trojan program 'Trojan.Win32.Agent.cmn'.
2/4/2008 12:18:41 PM File c:\qoobox\quarantine\c\windows\fonts\a.zip.vir/Crack.exe: deleted.
2/4/2008 12:18:42 PM File c:\qoobox\quarantine\c\windows\fonts\crack.exe.vir: detected Trojan program 'Trojan.Win32.Agent.cmn'.
2/4/2008 12:18:43 PM File c:\qoobox\quarantine\c\windows\fonts\crack.exe.vir: deleted.
2/4/2008 12:18:43 PM File c:\qoobox\quarantine\c\windows\system32\pkyfvhpl.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:44 PM File c:\qoobox\quarantine\c\windows\system32\pkyfvhpl.dll.vir: deleted.
2/4/2008 12:18:44 PM File c:\qoobox\quarantine\c\windows\system32\rgpgeime.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/4/2008 12:18:45 PM File c:\qoobox\quarantine\c\windows\system32\rgpgeime.dll.vir: deleted.
2/4/2008 12:18:45 PM File c:\software\2 microsoft product activation crack all products office windows xp 2003 pro professional home server enterprise(2).zip/microsoft.product.activation.crack.all.products.office.windows.xp.2003.pro.professional.home.server.enterprise.exe/instw32.exe: detected Trojan program 'Trojan-Dropper.Win32.DNet.b'.
2/4/2008 12:18:46 PM File c:\software\2 microsoft product activation crack all products office windows xp 2003 pro professional home server enterprise(2).zip/microsoft.product.activation.crack.all.products.office.windows.xp.2003.pro.professional.home.server.enterprise.exe: deleted.
2/4/2008 12:45:31 PM Update completed successfully


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Scan completed 2/4/2008 8:12:39 AM 2/4/2008 12:18:46 PM 100.2 MB
Scan startup objects completed 2/4/2008 8:13:54 AM 2/4/2008 8:21:30 AM 563.5 KB
Update completed 2/4/2008 10:24:51 AM 2/4/2008 10:26:29 AM 19.9 KB
Scan completed 2/4/2008 12:26:29 PM 2/4/2008 12:27:06 PM 163.7 KB
Update completed 2/4/2008 12:44:57 PM 2/4/2008 12:45:31 PM 15.8 KB
Scan startup objects running 2/4/2008 1:56:54 PM 234.0 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan.Win32.Agent.cmn c:\qoobox\quarantine\c\windows\fonts\a.zip.vir 623.0 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\vundofix backups\djnronqg.dll.bad.vir 160 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\catchme2008-02-02_ 85303.70.zip 469.8 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.gwe c:\qoobox\quarantine\c\vundofix backups\mptpcqgs.exe.bad.vir 72.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\vundofix backups\yyqvrusj.dll.bad.vir 160 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\vundofix backups\pwpuerwp.dll.bad.vir 160 KB
Infected: Trojan program Trojan.Win32.Agent.cmn c:\qoobox\quarantine\c\windows\fonts\crack.exe.vir 820 KB
Infected: Trojan program Trojan-Dropper.Win32.DNet.b c:\software\2 microsoft product activation crack all products office windows xp 2003 pro professional home server enterprise(2).zip 333.2 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\vundofix backups\kttwflgw.dll.bad.vir 160 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\windows\system32\rgpgeime.dll.vir 160 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\vundofix backups\rmlnweqy.dll.bad.vir 160 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\catchme2008-02-02_143550.26.zip 300.6 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\windows\system32\pkyfvhpl.dll.vir 160 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn c:\qoobox\quarantine\c\vundofix backups\okzmexiu.dll.bad.vir 160 KB

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 February 2008 - 09:30 AM

Nothing active, that's good. Now let's get rid of that red x for you.

First let's make a backup of your registry.

Click Start -> Run -> regedit /e c:\registrybackup.reg

then...

Click Start -> Run -> cmd /c Reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons

You should get a message that asks you if you want to permanently delete the registry key. Hit Y.
Reboot and the red x should be gone.


Let me know how it goes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
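The two Run-box commands in the post above (a full registry export, then deleting the Explorer DriveIcons key) can be wrapped in a small batch file that checks the key exists, backs up only that key so it can be restored with a single `reg import`, deletes it, and confirms it is gone. This is an added example, not a script from the thread or from BleepingComputer; the backup path `%SystemDrive%\DriveIcons-backup.reg` is an assumption and can be changed. It uses only `reg query`, `reg export` and `reg delete`, which ship with Windows XP's reg.exe.

```batch
@echo off
REM Added example (not from the thread): back up and remove the Explorer
REM DriveIcons override key, with checks before and after the change.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons"
REM Backup location is an assumption; adjust as needed.
set "BACKUP=%SystemDrive%\DriveIcons-backup.reg"

REM 1. Does the key exist? reg query sets errorlevel 1 when it does not.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% is not present; nothing to remove.
    exit /b 0
)

REM 2. Show the contents first. Per-drive subkeys (C, D, ...) carrying a
REM    DefaultIcon value are what override the icon shown in My Computer.
echo Current contents of %KEY%:
reg query "%KEY%" /s

REM 3. Export just this key. Delete any stale backup first, because
REM    older reg.exe versions do not support an overwrite switch.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed; aborting without changes.
    exit /b 1
)
echo Backup written to %BACKUP% ^(restore with: reg import "%BACKUP%"^)

REM 4. Delete the key and all subkeys. /f suppresses the Y/N prompt.
reg delete "%KEY%" /f
if errorlevel 1 (
    echo Delete failed. Restore with: reg import "%BACKUP%"
    exit /b 1
)

REM 5. Confirm the key is gone before telling the user to reboot.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Key removed. Reboot ^(or restart explorer.exe^) to refresh drive icons.
) else (
    echo Key still present; check that you are running as an administrator.
    exit /b 1
)
endlocal
```

Run it from an administrator account (on XP, any member of the local Administrators group). Exporting only the DriveIcons key rather than the whole registry keeps the backup small and makes the change easy to reverse if the icon override turns out to be a legitimate customization rather than something left behind by the infection.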

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 February 2008 - 07:40 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.