Smitfraud-c.coreservices & Virtumonde Won't Go Away


5 replies to this topic

#1 robertbible

Posted 07 February 2008 - 01:11 AM

I can't get these to go away, and as soon as I enable the internet I am immediately infected with a host of others. I have followed all the instructions I can find. Nothing works; they are always there after the final restart.

Here is the HJT log as the system now sits. Thanks, Robert

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:51 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HLS32SVC.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CorelDRAW Design Collectio1f] C:\Program Files\Corel\CorelDRAW Design Collection\Registration.exe /title="CorelDRAW Design Collection - 1" /date=101706 serial=DC01WRX-0000010-EME lang=EN
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [c4fe21a3] rundll32.exe "C:\WINDOWS\system32\bvgpdhhl.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://171.64.22.130/main/Install/en/US/CentraDownloader.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HL-Server (HLServer) - Aladdin Knowledge Systems Germany - C:\WINDOWS\system32\HLS32SVC.EXE
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6520 bytes
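As an added example (not part of this thread, and not a BleepingComputer, HijackThis or ComboFix tool), the following Python script shows the kind of first-pass triage a log helper does by hand on a HijackThis log like the one above. It parses the O2, O4 and O23 entries and flags the patterns a reviewer looks at first: a Run value with a random-looking hexadecimal name that hands a DLL in system32 to rundll32.exe (the `[c4fe21a3]` line in the log above), a Browser Helper Object with no name or a missing file, and a service whose owner string is unknown. The sample lines are copied from the logs posted in this thread; the function names, the heuristics and the severity labels are my own choices and are not a substitute for a full log review.

```python
import re
from dataclasses import dataclass

# Constructed sample: six entries copied from the HijackThis logs posted in this
# thread (three benign, two that a reviewer would flag, one worth verifying).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9E3FFE49-17F2-4283-9557-C262E51A6E9B} - C:\WINDOWS\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [c4fe21a3] rundll32.exe "C:\WINDOWS\system32\bvgpdhhl.dll",b
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
""".strip()

# One regex per entry type we triage, matching the HijackThis line formats above.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?: \((?P<note>file missing)\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$"
)

# Heuristics (my own thresholds): a Run value named like a random hex blob, and a
# command that hands a system32 DLL to rundll32.exe, as in the [c4fe21a3] line.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{6,10}$")
RUNDLL_SYS32_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\system32\\[^"\s]+\.dll', re.IGNORECASE
)


@dataclass
class Finding:
    severity: str  # "high" = investigate/remove first, "review" = verify the binary
    reason: str
    line: str


def parse_hjt(text):
    """Return a list of dicts for the O2/O4/O23 entries found in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "line": line, **m.groupdict()})
                break
    return entries


def triage(entries):
    """Apply the reviewer heuristics and return findings in log order."""
    findings = []
    for e in entries:
        if e["kind"] == "O4" and HEX_NAME.match(e["name"]) and RUNDLL_SYS32_DLL.search(e["cmd"]):
            findings.append(Finding("high", "random hex Run name loading a system32 DLL via rundll32", e["line"]))
        elif e["kind"] == "O2" and (e["name"] == "(no name)" or e["note"] == "file missing"):
            findings.append(Finding("high", "BHO with no name or a missing file (orphaned registration)", e["line"]))
        elif e["kind"] == "O23" and e["owner"] == "Unknown owner":
            findings.append(Finding("review", "service without a vendor string; confirm the binary is expected", e["line"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it as a script to print the three findings for the sample, or call `triage(parse_hjt(open("hijackthis.log").read()))` on a saved log. The "review" severity for the SecuROM service is deliberate: "Unknown owner" only means the vendor string is absent, so the entry is a prompt to check the file, not a verdict.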


#2 RichieUK

Malware Assassin, Malware Response Team

Posted 08 February 2008 - 09:30 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, robertbible.
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer. In the 'My Computer' window, open the window in which you want to create the new folder (click on Local Disk C:).
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

If you need help, follow the info in the link below:
http://russelltexas.com/malware/createhjtfolder.htm


Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Do not run it just yet.

Now please go here and follow the instructions to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 robertbible


Posted 09 February 2008 - 12:07 PM

Richie,
Prior to your email I ran AVG, Ad-Aware, Microsoft Defender and SmitfraudFix, all in safe mode, and I was still infected. I also manually went and renamed ..\system32\command.com to *.old while in safe mode, since it was associated with some of the problems.

I followed your instructions and the system appears to be clean now. I have included the logs below. Is there anything else I need to do? Is there documentation on combofix, so I don't have to bother you in the future?

Robert

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:32 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HLS32SVC.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\hjt\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9E3FFE49-17F2-4283-9557-C262E51A6E9B} - C:\WINDOWS\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CorelDRAW Design Collectio1f] C:\Program Files\Corel\CorelDRAW Design Collection\Registration.exe /title="CorelDRAW Design Collection - 1" /date=101706 serial=DC01WRX-0000010-EME lang=EN
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://171.64.22.130/main/Install/en/US/CentraDownloader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HL-Server (HLServer) - Aladdin Knowledge Systems Germany - C:\WINDOWS\system32\HLS32SVC.EXE
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


ComboFix 08-02.05.3 - Administrator 2008-02-08 17:58:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.593 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtttst.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\vdmindvdd.sys
C:\WINDOWS\system32\ssqrp.dll
C:\Program Files\Common Files\asks~1
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtttst.dll
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\vdmindvdd.sys
C:\WINDOWS\system32\hddantid.dll
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\icroso~1.net\?icrosoft.NET\
C:\WINDOWS\system32\lhhdpgvb.ini
C:\WINDOWS\system32\m1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\ovtfdwmd.ini
C:\WINDOWS\system32\p4
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\s5
C:\WINDOWS\system32\s5\advcomms3.exe
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\tvvyijfs.ini
C:\WINDOWS\system32\vnrpvqxa.dll
C:\WINDOWS\system32\z6

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF
-------\LEGACY_VDMINDVDD
-------\vdmindvdd


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 17:53 . 2004-08-03 23:00 260,272 --a--c--- C:\cmldr
2008-02-08 14:01 . 2008-02-08 14:01 <DIR> d----c--- C:\Program Files\Avira
2008-02-08 14:01 . 2008-02-08 14:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-08 13:38 . 2008-02-08 13:39 <DIR> d----c--- C:\Program Files\hjt
2008-02-08 12:33 . 2007-09-05 23:22 289,144 --a--c--- C:\WINDOWS\system32\VCCLSID.exe
2008-02-08 12:33 . 2006-04-27 16:49 288,417 --a--c--- C:\WINDOWS\system32\SrchSTS.exe
2008-02-08 12:33 . 2008-02-06 00:03 85,504 --a--c--- C:\WINDOWS\system32\VACFix.exe
2008-02-08 12:33 . 2008-01-27 14:37 81,920 --a--c--- C:\WINDOWS\system32\IEDFix.exe
2008-02-08 12:33 . 2003-06-05 20:13 53,248 --a--c--- C:\WINDOWS\system32\Process.exe
2008-02-08 12:33 . 2004-07-31 17:50 51,200 --a--c--- C:\WINDOWS\system32\dumphive.exe
2008-02-08 12:33 . 2007-10-03 23:36 25,600 --a--c--- C:\WINDOWS\system32\WS2Fix.exe
2008-02-07 09:29 . 2008-02-07 09:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 09:28 . 2008-02-07 09:28 <DIR> d----c--- C:\Program Files\Windows Defender
2008-02-07 09:28 . 2008-02-07 09:28 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 20:17 . 2008-02-08 13:01 3,370 --a--c--- C:\WINDOWS\system32\tmp.reg
2008-02-06 19:08 . 2008-02-08 13:36 <DIR> d----c--- C:\Program Files\Enigma Software Group
2008-02-06 16:00 . 2008-02-06 16:00 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-06 15:59 . 2007-05-30 04:10 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-06 15:58 . 2008-02-06 15:58 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-05 20:45 . 2008-02-05 20:52 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-02-05 20:45 . 2008-02-06 07:40 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 20:23 . 2008-02-08 13:35 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 13:58 . 2008-02-08 14:40 <DIR> d----c--- C:\Program Files\Drmupgds
2008-02-05 13:52 . 2008-02-07 09:41 <DIR> d--hsc--- C:\WINDOWS\VEVNUA
2008-02-05 13:52 . 2008-02-08 15:22 <DIR> d----c--- C:\WINDOWS\system32\nGpxx01
2008-02-05 13:52 . 2008-02-05 13:52 <DIR> d----c--- C:\TEMP\isgTi19
2008-01-24 10:23 . 2008-01-24 10:23 <DIR> d--h-c--- C:\WINDOWS\PIF
2008-01-24 10:02 . 2008-01-24 10:02 <DIR> d----c--- C:\Program Files\Microsoft Office2000
2008-01-24 10:02 . 2008-01-24 10:02 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Microsoft Web Folders
2008-01-23 09:58 . 2008-01-23 09:58 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-23 09:57 . 2007-03-28 14:01 118,272 --a--c--- C:\WINDOWS\system32\hpz3l5ha.dll
2008-01-15 11:29 . 2008-01-15 11:29 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-01-15 11:28 . 2008-01-15 11:28 <DIR> d----c--- C:\Program Files\iTunes
2008-01-15 11:27 . 2008-01-15 11:27 <DIR> d----c--- C:\Program Files\QuickTime
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a--c--- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a--c--- C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 05:24 20,128 -c--a-w C:\WINDOWS\system32\MGHwTemp.sys
2008-02-07 17:30 --------- dc----w C:\Program Files\Lavasoft
2008-02-07 17:30 --------- dc----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-02-07 05:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-07 02:37 --------- dc----w C:\Program Files\Google
2008-02-06 00:29 37,680 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2008-01-24 18:01 --------- dc----w C:\Program Files\microsoft frontpage
2008-01-15 19:28 --------- dc----w C:\Program Files\iPod
2007-12-29 23:38 --------- dc----w C:\Documents and Settings\Administrator\Application Data\U3
2007-12-29 22:44 --------- dc----w C:\Program Files\Microsoft Device Emulator
2007-12-29 22:43 --------- dc----w C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-12-29 22:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-29 22:39 --------- dc----w C:\Program Files\EA GAMES
2007-12-29 22:37 --------- dc----w C:\Program Files\Microsoft Visual Studio 8
2007-12-29 22:36 --------- dc----w C:\Program Files\MSBuild
2007-12-29 22:36 --------- dc----w C:\Program Files\HTML Help Workshop
2007-12-29 22:28 --------- dc----w C:\Program Files\Microsoft.NET
2007-12-29 22:28 --------- dc----w C:\Program Files\CE Remote Tools
2007-12-29 22:20 --------- dc----w C:\Program Files\DAEMON Tools Lite
2007-12-29 22:20 --------- dc----w C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2007-12-29 22:16 715,248 -c--a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-14 19:32 12,632 -c--a-w C:\WINDOWS\system32\lsdelete.exe
2006-11-10 22:10 82,864 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-09-24 07:49 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2004-10-08 12:01 94,784 -csh--w C:\WINDOWS\twain.dll
2004-10-08 12:01 50,688 -csh--w C:\WINDOWS\twain_32.dll
2004-10-08 12:01 1,028,096 -csh--w C:\WINDOWS\system32\mfc42.dll
2004-10-08 12:01 54,784 -csh--w C:\WINDOWS\system32\msvcirt.dll
2004-10-08 12:01 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-10-08 12:01 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-10-08 12:01 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-10-08 12:01 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-10-08 12:01 11,776 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E3FFE49-17F2-4283-9557-C262E51A6E9B}]
C:\WINDOWS\system32\gebya.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="C:\Program Files\Netscape\Netscape\Netscp.exe" [2004-08-04 16:41 526224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05 339968]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 03:24 196608]
"CorelDRAW Design Collectio1f"="C:\Program Files\Corel\CorelDRAW Design Collection\Registration.exe" [ ]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 00:23 90112]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2001-08-23 03:24 311296]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-09 16:06 45056]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-09-23 23:08 49152]
"MGSysCtrl"="C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe" [2005-05-11 18:07 165888]
"SoundMan"="SOUNDMAN.EXE" [2004-11-30 23:54 77824 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-08 14:03 249896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoStrCmpLogical"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R1 SEQFWAPI;Sequoia 1394 API Driver;C:\WINDOWS\system32\Drivers\seqfwapi.sys [2000-10-16 12:00]
R2 HLServer;HL-Server;C:\WINDOWS\system32\HLS32SVC.EXE [2002-10-21 17:13]
R3 MGHwCtrl;MGHwCtrl;C:\WINDOWS\System32\Drivers\MGHwCtrl.sys [2007-03-08 13:04]
S2 DriverX;DriverX;C:\WINDOWS\system32\Drivers\driverx.sys []
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2001-08-23 03:24]
S3 TIDCam;1394 PC Camera CF2000;C:\WINDOWS\system32\drivers\tidcam.sys [2001-02-09 10:46]
S4 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe" [2006-01-17 15:24]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13de214e-b65a-11dc-bd8f-001500104f16}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13de214f-b65a-11dc-bd8f-001500104f16}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 05:19:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-08 22:19:59 C:\WINDOWS\Tasks\daily mail.job"
- C:\WINDOWS\system32\ntbackup.exegbackup
"2008-02-09 02:10:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 21:25:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-08 21:29:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 05:29:12

2000-10-27 17:23 50688 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir
2007-09-23 17:05 279600 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\pac.txt.vir
2008-01-05 13:48 126976 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\s5\advcomms3.exe.vir
2008-01-08 21:44 28747 --a--c--- C:\Qoobox\Quarantine\C\TEMP\1cb\syscheck.log.vir
2008-02-05 14:03 94272 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\vnrpvqxa.dll.vir
2008-02-06 08:36 355187 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\rstwa.ini2.vir
2008-02-06 08:39 355187 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\rstwa.ini.vir
2008-02-06 15:37 605 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-02-06 16:20 1194900 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\tvvyijfs.ini.vir
2008-02-06 17:00 306335 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\mlkkj.ini2.vir
2008-02-06 17:02 306335 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\mlkkj.ini.vir
2008-02-06 18:31 1200686 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\ovtfdwmd.ini.vir
2008-02-06 18:35 92224 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\hddantid.dll.vir
2008-02-06 19:20 143 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-02-06 22:11 327623 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\aybeg.ini2.vir
2008-02-06 22:14 327963 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\aybeg.ini.vir
2008-02-07 09:45 1200353 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\lhhdpgvb.ini.vir
2008-02-08 13:41 167545 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2008-02-08 17:59 617 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\prqss.ini.vir
2008-02-08 17:59 617 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\prqss.ini2.vir
2008-02-08 18:03 1036 --a--c--- C:\Qoobox\Quarantine\Registry_backups\services_vdmindvdd.reg.dat
2008-02-08 18:03 1290 --a--c--- C:\Qoobox\Quarantine\Registry_backups\LEGACY_VDMINDVDD.reg.dat
2008-02-08 18:03 338432 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqrp.dll.vir
2008-02-08 18:03 40960 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\awtttst.dll.vir
2008-02-08 18:03 570960 --a--c--- C:\Qoobox\Quarantine\catchme2008-02-08_212442.10.zip
2008-02-08 18:03 738 --a--c--- C:\Qoobox\Quarantine\catchme.log
2008-02-08 18:03 758 --a--c--- C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.dat
2008-02-08 18:03 86016 --a--c--- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\vdmindvdd.sys.vir
2008-02-08 18:03 862 --a--c--- C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.dat



AntiVir PersonalEdition Classic
Report file date: Friday, February 08, 2008 14:07

Scanning for 1096761 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: JOHANNACYBERPOW

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 22:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 21:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/15/2007 00:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 21:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 23:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 22:03:55
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 2/8/2008 22:03:55
ANTIVIR3.VDF : 7.0.2.114 2048 Bytes 2/8/2008 22:03:55
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/8/2008 22:03:57
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 19:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 16:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/8/2008 22:03:57
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 16:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 21:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 16:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 20:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 21:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 21:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 18:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, February 08, 2008 14:07

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avnotify.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnf.exe' - '1' Module(s) have been scanned
Scan process 'Netscp.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'MGSysCtrl.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'Hpi_monitor.exe' - '1' Module(s) have been scanned
Scan process 'hphmon03.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnd.exe' - '1' Module(s) have been scanned
Scan process 'HpqCmon.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb04.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'UAService7.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'OProtSvc.exe' - '1' Module(s) have been scanned
Scan process 'HLS32SVC.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process '1XConfig.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
47 processes with 47 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\awtttst.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\awtttst.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '34' files ).


Starting the file scan:

Begin scan in 'C:\' <JohannaC>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Application Data\mozilla_problems\Profiles\aei@home\gwupgl8b.slt\Mail\pop.gmail.com\Trash
[DETECTION] Contains detection pattern of the Phish-File/Email PHISH/Bankfraud.5
[WARNING] This file is a mailbox. To avoid damaging your emails this file will not be repaired or deleted!
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.30
[INFO] The file was deleted!
C:\Documents and Settings\Administrator\Desktop\backups\backup-20080206-183741-745.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdSpyTTC4.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '47ffd4c2.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '4826d4c1.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '494de23a.qua'!
C:\Program Files\Drmupgds\Drmupgds.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.QY
[INFO] The file was deleted!
C:\Program Files\Temporary\kernInst.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.ipm
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP350\A0187112.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP350\A0187114.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP350\A0187118.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP350\A0187126.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP351\A0188219.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194439.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.30
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194440.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194441.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.QY
[INFO] The file was deleted!
C:\System Volume Information\_restore{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194442.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.ipm
[INFO] The file was deleted!
C:\WINDOWS\b122.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.4
[INFO] The file was deleted!
C:\WINDOWS\mrofinu1000106.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINDOWS\mrofinu572.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\awtttst.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\bvgpdhhl.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\dmwdftvo.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\mcxdteey.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\WINDOWS\system32\ruxxnhyt.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\WINDOWS\system32\sfjiyvvt.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\vdmindvdd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.cgu.2
[INFO] The file was deleted!


End of the scan: Friday, February 08, 2008 15:27
Used time: 1:19:37 min

The scan has been done completely.

14041 Scanning directories
815321 Files were scanned
25 viruses and/or unwanted programs were found
3 Files were classified as suspicious:
22 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
815296 Files not concerned
15878 Archives were scanned
7 Warnings
10 Notes
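As an added example that is not part of this thread, the following Python script parses an AntiVir report in the layout pasted above and groups every hit by outcome, so the detections the scanner could not remove (here the awtttst.dll Vundo component) stand out from the ones it deleted or quarantined; the report text inside the script is a constructed excerpt, and `{RESTORE-GUID}` is a placeholder.

```python
import re
from collections import Counter

# Constructed excerpt in the Avira AntiVir report layout: a path line followed by
# one or more [DETECTION] / [WARNING] / [INFO] / [NOTE] lines describing it.
SAMPLE_REPORT = r"""
Starting to scan the registry.
C:\WINDOWS\system32\awtttst.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
Starting the file scan:
Boot sector 'C:\'
[NOTE] No virus was found!
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.30
[INFO] The file was deleted!
C:\System Volume Information\_restore{RESTORE-GUID}\RP350\A0187114.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '4826d4c1.qua'!
C:\WINDOWS\system32\awtttst.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
"""

TAG_RE = re.compile(r"^\[(DETECTION|WARNING|INFO|NOTE)\]\s*(.*)$")


def parse_report(text):
    """Turn the report into one record per path: {'path', 'name', 'outcome'}."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TAG_RE.match(line)
        if m is None:
            # Any untagged line opens a new record. Section headers such as
            # "Starting the file scan:" land here too and are dropped at the
            # end because no tag ever attaches to them.
            current = {"path": line, "name": None, "outcome": "no action recorded"}
            records.append(current)
            continue
        if current is None:
            continue
        tag, msg = m.groups()
        if tag == "DETECTION":
            current["name"] = msg.split()[-1]          # e.g. TR/Vundo.Gen
        elif tag == "INFO" and "was deleted" in msg:
            current["outcome"] = "deleted"
        elif tag == "INFO" and "was moved to" in msg:
            current["outcome"] = "quarantined"
        elif tag == "WARNING" and "could not be deleted" in msg:
            current["outcome"] = "NOT removed"
        elif tag == "WARNING" and "could not be opened" in msg:
            current["outcome"] = "not scanned"
        elif tag == "WARNING" and "mailbox" in msg:
            current["outcome"] = "skipped (mailbox)"
    return [r for r in records if r["name"] or r["outcome"] != "no action recorded"]


def summarize(records):
    """Count records per outcome, the same tallies the report prints at its end."""
    return dict(Counter(r["outcome"] for r in records))


def persistent_detections(records):
    """Distinct paths the scanner flagged but could not remove, with the name.

    A DLL still loaded into a running process cannot be deleted by an on-demand
    scan; Vundo commonly registers itself as a BHO or Winlogon-notify DLL (the
    O2 / O20 lines of a HijackThis log), so these are the entries a helper has
    to unload or move at reboot rather than simply re-scan."""
    found = {}
    for r in records:
        if r["name"] and r["outcome"] == "NOT removed":
            found[r["path"].lower()] = r["name"]
    return found


def restore_point_copies(records):
    """Detections under System Volume Information are copies cached by System
    Restore; they come back if an old restore point is applied, which is why
    a cleanup ends by resetting System Restore."""
    return [r["path"] for r in records
            if r["name"] and "system volume information" in r["path"].lower()]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs))
    for path, name in persistent_detections(recs).items():
        print(f"still present after scan: {name} at {path}")
```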

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 09 February 2008 - 02:39 PM

Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box.
* Click 'Save'.


Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\nGpxx01
C:\TEMP\isgTi19


Return to OTMoveIt, right click on the "Paste Custom List of Files/Folders to Move" window under the "yellow" bar at the bottom, and choose Paste.
Click the red MoveIt! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {9E3FFE49-17F2-4283-9557-C262E51A6E9B} - C:\WINDOWS\system32\gebya.dll (file missing)
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://171.64.22.130/main/Install/en/US/CentraDownloader.cab

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

#5 robertbible (Topic Starter, Members, 12 posts)

Posted 09 February 2008 - 10:27 PM

Followed all your instructions. The Centra stuff I took out, but it is used for my daughter's virtual classroom. I can reinstall it later. Here are the logs.

Robert

[Custom Input]
< C:\WINDOWS\system32\nGpxx01 >
C:\WINDOWS\system32\nGpxx01 moved successfully.
< C:\TEMP\isgTi19 >
C:\TEMP\isgTi19 moved successfully.

OTMoveIt2 v1.0.19 log created on 02092008_154004

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:12 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HLS32SVC.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\hjt\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CorelDRAW Design Collectio1f] C:\Program Files\Corel\CorelDRAW Design Collection\Registration.exe /title="CorelDRAW Design Collection - 1" /date=101706 serial=DC01WRX-0000010-EME lang=EN
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HL-Server (HLServer) - Aladdin Knowledge Systems Germany - C:\WINDOWS\system32\HLS32SVC.EXE
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6339 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 05:05 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 01:10:46

Memory items scanned : 512
Memory threats detected : 0
Registry items scanned : 7575
Registry threats detected : 1
File items scanned : 59534
File threats detected : 16

Adware.VXGame-Trace
HKU\S-1-5-21-1409082233-920026266-839522115-500\Software\kernelexe

Adware.Vundo-Variant/Small-A
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\BACKUPS\BACKUP-20080206-183741-442.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP351\A0188239.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194446.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194447.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194450.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP356\A0194545.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP356\A0194546.DLL

Adware.WebBuying Assistant
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\BACKUPS\BACKUP-20080206-183741-452.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP351\A0188236.DLL

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP349\A0184773.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP350\A0187115.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP351\A0188216.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP351\A0190310.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP353\A0191347.DLL

Trojan.Downloader-Gen/MROFIN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194444.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3A60DFB5-5A77-44B2-AFDC-93790B5F957B}\RP355\A0194445.EXE

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 10 February 2008 - 04:24 AM

Your log is clean, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press OK.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please double-click OTMoveIt.exe again to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your PC when prompted.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Hardening Windows Security - Part 1:
http://www.malwarehelp.org/Malware-Prevent...-Security1.html

Hardening Windows Security - Part 2:
http://www.malwarehelp.org/malware-prevent...-security2.html