
Virtumond, Win32, Popups, Red X...confused


13 replies to this topic

#1 the.lysha (Members, 17 posts)

Posted 04 March 2008 - 02:22 AM

I have run a disk cleanup, Ad-Aware, Spybot, and HouseCall antivirus and still cannot get rid of this thing. All of the scans show the same files and say they were deleted, but then they come up on the next scan. I was finally able to delete the 32,000-some-odd pos.tmp files, but still have a red X where my C: logo should be and am getting popups every minute or so. I use Mozilla Firefox for normal internet use, but all the popups are Internet Explorer. Here is my HijackThis report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:24 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6453
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6453
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BE74D8B-3604-4A59-A995-3B8B00099940} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {e3c65d04-82b7-8a08-6034-683ddd0d589a} - {a985d0dd-d386-4306-80a8-7b2840d56c3e} - C:\WINDOWS\system32\xqiytpoq.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [5c24cd0d] rundll32.exe "C:\WINDOWS\system32\hrilqgan.dll",b
O4 - HKLM\..\Run: [BM5f17fe91] Rundll32.exe "C:\WINDOWS\system32\isvbcvor.dll",s
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rteprej.html

--
End of file - 7769 bytes
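The log above is the classic Vundo/Virtumonde picture: unnamed or GUID-named BHOs (O2) pointing at random-looking DLLs in system32, Run values (O4) with hex-token names that load more such DLLs through rundll32 with a one-letter export, an AppInit_DLLs entry (O20) and an Active Desktop component (O24). The following Python script is an added example, not part of the thread and not HijackThis logic: it parses those O2/O4/O20/O24 line formats and scores each entry with heuristics of its own. The sample lines are excerpted from the posted log, with the Adobe BHO, ehTray and the Lexmark rundll32 entry kept as legitimate negatives; the score thresholds and the "random name" rule (5 to 8 lowercase letters with a three-consonant run, located directly in system32) are this example's assumptions and will misfire on some short real DLL names, so treat the output as a triage ordering, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) O2/O4/O20/O24 lines for Vundo-style persistence.
Added example for this thread; the scoring rules are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines excerpted from the log posted above, with legitimate
# entries (Adobe BHO, ehTray, Lexmark rundll32) kept so the rules have negatives.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BE74D8B-3604-4A59-A995-3B8B00099940} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {e3c65d04-82b7-8a08-6034-683ddd0d589a} - {a985d0dd-d386-4306-80a8-7b2840d56c3e} - C:\WINDOWS\system32\xqiytpoq.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [5c24cd0d] rundll32.exe "C:\WINDOWS\system32\hrilqgan.dll",b
O4 - HKLM\..\Run: [BM5f17fe91] Rundll32.exe "C:\WINDOWS\system32\isvbcvor.dll",s
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rteprej.html
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_~.\-]+)\.dll", re.IGNORECASE)       # captures the DLL stem
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")                      # e.g. 5c24cd0d, BM5f17fe91
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+\.dll", re.IGNORECASE)    # DLL directly in system32


@dataclass
class Finding:
    kind: str
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    dll: Optional[str] = None

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

    @property
    def severity(self) -> str:
        return "high" if self.score >= 4 else "medium" if self.score >= 2 else "low"


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 5-8 lowercase letters containing a run of 3+ consonants."""
    return bool(re.fullmatch(r"[a-z]{5,8}", stem)) and bool(re.search(r"[b-df-hj-np-tv-z]{3}", stem))


def triage(log_text: str) -> List[Finding]:
    """Score each HJT entry; entries that trigger no rule are dropped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        f = Finding(kind=kind, line=raw.strip())
        dm = DLL_RE.search(body)
        if dm:
            f.dll = dm.group(1)
        if kind == "O2":
            bm = BHO_RE.match(body)
            if bm:
                if bm.group("name") == "(no name)":
                    f.add(2, "BHO registered with no name")
                elif GUID_RE.match(bm.group("name")):
                    f.add(2, "BHO name is itself a GUID")
                if "(file missing)" in bm.group("path") or bm.group("path") == "(no file)":
                    f.add(1, "orphaned BHO: CLSID remains but the DLL is gone")
        elif kind == "O4":
            rm = RUN_RE.match(body)
            if rm:
                if HEX_NAME_RE.match(rm.group("name")):
                    f.add(2, "Run value name is an 8-hex-digit token")
                if re.match(r"rundll32(?:\.exe)?\b", rm.group("cmd"), re.IGNORECASE):
                    if SYSTEM32_RE.search(rm.group("cmd")):
                        f.add(1, "rundll32 loading a DLL straight from system32")
                    if re.search(r'\.dll"?,[A-Za-z]$', rm.group("cmd"), re.IGNORECASE):
                        f.add(1, "single-letter export name")
        elif kind == "O20":
            f.add(1, "AppInit_DLLs: loaded into every process that links user32; confirm the vendor")
        elif kind == "O24":
            f.add(1, "Active Desktop HTML component; verify it is wanted")
        if f.dll and looks_random(f.dll) and SYSTEM32_RE.search(body):
            f.add(2, f"random-looking DLL name '{f.dll}' in system32")
        if f.score:
            findings.append(f)
    return findings


def by_dll(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group entry kinds by DLL stem so BHO registrations and Run loaders line up."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.dll:
            out.setdefault(f.dll.lower(), []).append(f.kind)
    return out


def report(log_text: str = SAMPLE_LOG) -> None:
    for f in sorted(triage(log_text), key=lambda x: -x.score):
        print(f"[{f.severity:6}] {f.kind} {f.line}")
        for r in f.reasons:
            print(f"         - {r}")


if __name__ == "__main__":
    report()
```

Run as-is and the four high-severity hits are mlljg.dll, xqiytpoq.dll, hrilqgan.dll and isvbcvor.dll, which is exactly the set the Avira report later in this thread names as TR/Vundo.Gen (hrilqgan.dll live in system32, the rest as HouseCall quarantine copies). The same report shows hrilqgan.dll "could not be deleted" while the quarantine copies were removed without trouble, which is what you expect when the active DLL is mapped into a running process; fixing the O4 loader lines and rebooting before deleting the file is the usual order of operations.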

#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver (not BC) WA (Not DC) USA)

Posted 07 March 2008 - 11:40 PM

Hello the.lysha,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus. :blink:

This is somewhat suicidal in today's digital world. :thumbsup:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free Avast, AntiVir or AVG antivirus.

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

After you run the antivirus program, please post a fresh HijackThis log and let me know what it found.

Edited by SifuMike, 08 March 2008 - 12:24 AM.


#3 the.lysha (Topic Starter, Members, 17 posts)

Posted 09 March 2008 - 05:57 PM

Wow... I guess I always just assumed one was there. Anyway, here are my Avira antivirus scan results:


AntiVir PersonalEdition Classic
Report file date: Sunday, March 09, 2008 12:44

Scanning for 1137479 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: LYSHA

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 21:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 20:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 23:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 20:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 22:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:42:36
ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 3/7/2008 19:42:36
ANTIVIR3.VDF : 7.0.3.5 6144 Bytes 3/7/2008 19:42:36
AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 3/9/2008 19:42:37
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 18:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 15:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 21:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/9/2008 19:42:37
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 15:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 20:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 15:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 19:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 20:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 20:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 17:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, March 09, 2008 12:44

The scan of running processes will be started
Scan process 'avscan.exe' - '0' Module(s) have been scanned
Scan process 'avscan.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'lxcrcoms.exe' - '1' Module(s) have been scanned
Scan process 'SD Monitor.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'bigfix.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'btdna.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'CamTray.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktopCrawl.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktopDisplay.exe' - '1' Module(s) have been scanned
Scan process 'ezprint.exe' - '1' Module(s) have been scanned
Scan process 'lxcrmon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'sm56hlpr.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktopIndex.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
81 processes with 81 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\hrilqgan.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\hrilqgan.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '46' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\b122.exe.bac_a02172
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.4
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\bbxniksj.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\bmcyolyq.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\dlvhssht.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\Drmupgds.exe.bac_a02172
[DETECTION] Is the Trojan horse TR/Dldr.Adload.QY
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\feewhctu.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\fhrsnbtp.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\fmhikydw.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\gjjyyhfa.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\hrilqgan.dll.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\ihphevhc.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\isvbcvor.dll.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\jpgaqmgx.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\kluiclvf.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\ksfbnvxf.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\mjxdvhdq.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\mlljg.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\msnodvsi.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\oipfmmjw.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\olrkugti.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\pnppyndc.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\qlwvqdig.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\rcamhlqu.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\tcoetepm.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\tmwoanqf.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\turtrtnd.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\tyovjmju.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\ugoajfss.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\uilewwek.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\waahmvtb.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\windows.bac_a02172
[DETECTION] Is the Trojan horse TR/Zapchast.DT.1
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\xawrviti.dll.bad.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6\Quarantine\xqiytpoq.dll.bac_a02172
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-6030235b.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.B.1
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temp\632iccnz.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temp\sdexe.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ.2
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\0LU38D63\good[1].htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[INFO] The file was moved to '4843417e.qua'!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\296VOD6B\ptch[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\SHYF4XIR\2900229[1].htm
[DETECTION] Is the Trojan horse TR/Dldr.Agent.OM.3
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\SHYF4XIR\index[2].htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Rce.Gen
[INFO] The file was moved to '483841b8.qua'!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\SHYF4XIR\setup[2].htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Rce.Gen
[INFO] The file was moved to '484841b3.qua'!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\U1OPA9KJ\movie[1].qtl
[DETECTION] Contains detection pattern of the exploits EXP/Multi.Qtp.B.1
[INFO] The file was deleted!
C:\Documents and Settings\Owner.Lyshalaptop\Local Settings\Temporary Internet Files\Content.IE5\WDYF4HIJ\CA0T6301.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[INFO] The file was moved to '4804419f.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP100\A0045485.exe
[DETECTION] Is the Trojan horse TR/Dldr.Adload.QY
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP100\A0045486.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.haq.4
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0030653.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '48044778.qua'!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0030660.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0030661.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0031815.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0031816.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0032880.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EN.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0032884.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0032885.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033069.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033070.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033111.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EN.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033217.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.VB.cgu.5
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033220.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.cgu.3
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033222.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033223.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033248.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.VB.cgu.5
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP90\A0033250.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.PurityScan.FG
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP92\A0038541.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP92\A0038573.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP92\A0038588.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP92\A0038589.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP.1
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP92\A0038592.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP94\A0039753.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP95\A0039854.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP97\A0040922.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP97\A0040943.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP97\A0040965.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP97\A0041033.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP97\A0041045.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP98\A0042165.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP98\A0043249.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP98\A0043268.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0044332.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0044359.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0044360.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045428.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045429.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045430.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045431.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045432.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045433.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045434.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045435.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045436.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045438.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045439.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045441.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045442.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045443.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045444.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045446.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045448.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045449.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045451.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045452.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045453.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045454.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045455.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045456.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045458.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045459.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045460.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045461.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045463.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045467.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045468.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP99\A0045481.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\VundoFix Backups\awtttsq.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\VundoFix Backups\efcaaab.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\VundoFix Backups\qommmnl.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\VundoFix Backups\tuvurst.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\uninstall_nmon.vbs
[DETECTION] Is the Trojan horse TR/Small.WY
[INFO] The file was deleted!
C:\WINDOWS\system32\hrilqgan.dll
[WARNING] The file could not be opened!
C:\WINDOWS\system32\isvbcvor.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\xqiytpoq.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\Hdaudbuss.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\nGpxx07\nGpxx071084.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.cgu.3
[INFO] The file was deleted!
Begin scan in 'D:\'


End of the scan: Sunday, March 09, 2008 13:46
Used time: 1:01:15 min

The scan has been done completely.

8414 Scanning directories
336320 Files were scanned
116 viruses and/or unwanted programs were found
5 Files were classified as suspicious:
115 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
336204 Files not concerned
7975 Archives were scanned
5 Warnings
10 Notes




And here is my HijackThis log after running the antivirus program
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:16 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6453
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6453
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BE74D8B-3604-4A59-A995-3B8B00099940} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {e3c65d04-82b7-8a08-6034-683ddd0d589a} - {a985d0dd-d386-4306-80a8-7b2840d56c3e} - C:\WINDOWS\system32\xqiytpoq.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [5c24cd0d] rundll32.exe "C:\WINDOWS\system32\hrilqgan.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rteprej.html

--
End of file - 9481 bytes


There is still a red x and I am still getting popups.

Thank you so much!!!
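
The HijackThis log above carries the classic Virtumonde/Vundo fingerprint: BHOs registered to DLLs that no longer exist (mlljg.dll, xqiytpoq.dll), a Run value with a random hex name ([5c24cd0d]) that starts rundll32.exe on a randomly named system32 DLL (hrilqgan.dll, the one Avira could not open), an AppInit_DLLs hook, and an Active Desktop component pointing at a local HTML file. The script below is an added example, not part of this thread and not code from HijackThis, Avira or ComboFix: it applies those indicators mechanically to HJT-style lines. The sample lines are copied from the log above, plus one benign O9 line to show the allowlist; the 5-to-8-letter name heuristic, the allowlist and the wording of the findings are my own assumptions, not a vendor signature.

```python
"""Triage HijackThis-style log lines for Vundo/Virtumonde-type indicators."""
from __future__ import annotations

import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus the benign O9 Shdocvw.dll line to exercise the allowlist.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BE74D8B-3604-4A59-A995-3B8B00099940} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {e3c65d04-82b7-8a08-6034-683ddd0d589a} - {a985d0dd-d386-4306-80a8-7b2840d56c3e} - C:\WINDOWS\system32\xqiytpoq.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [5c24cd0d] rundll32.exe "C:\WINDOWS\system32\hrilqgan.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rteprej.html
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - <body>"
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\",]+")      # drive-letter paths (stops at space/quote)
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")       # heuristic: mlljg.dll, hrilqgan.dll ...
HEX_RUN_NAME = re.compile(r"^\[[0-9a-f]{8}\]")      # heuristic: [5c24cd0d]
SYSTEM32 = "c:\\windows\\system32\\"

# Assumption: legitimate short lowercase names that the heuristic would otherwise flag.
KNOWN_GOOD_DLLS = {"shdocvw.dll", "ntdll.dll", "msvcrt.dll"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) a single HJT line deserves a look."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings: list[str] = []

    if section == "O2":
        # CLSID still registered but the DLL is gone: typical after a partial cleanup.
        if "(file missing)" in body or "(no file)" in body:
            findings.append("orphaned BHO registration (CLSID survives, DLL gone)")
        if body.startswith("BHO: (no name)") or body.startswith("BHO: {"):
            findings.append("BHO with no friendly name")
    elif section == "O4":
        value_name = body.split(": ", 1)[1] if ": " in body else body
        if HEX_RUN_NAME.match(value_name):
            findings.append("Run value named with 8 hex digits")
        if "rundll32" in body.lower():
            findings.append("Run entry starts rundll32 (loads an arbitrary DLL)")
    elif section == "O20" and body.startswith("AppInit_DLLs"):
        findings.append("AppInit_DLLs hook (DLL injected into every user32 process)")
    elif section == "O24":
        findings.append("Active Desktop component pointing at local HTML")

    # Random-looking DLL names under system32, regardless of section.
    for path in WIN_PATH.findall(body):
        name = _basename(path).lower()
        if (path.lower().startswith(SYSTEM32)
                and RANDOM_DLL.match(name)
                and name not in KNOWN_GOOD_DLLS):
            findings.append(f"random-looking DLL in system32: {name}")
    return findings


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, findings) for every line that raised at least one flag."""
    out = []
    for raw in log_text.strip().splitlines():
        hits = triage_line(raw)
        if hits:
            out.append((raw.strip(), hits))
    return out


if __name__ == "__main__":
    for flagged, reasons in triage(SAMPLE_HJT_LOG):
        print(flagged)
        for reason in reasons:
            print("   ->", reason)
```

Running it against the sample prints six flagged lines; the Adobe BHO, ehTray, avgnt and Shdocvw lines pass clean. The output is a worklist, not a verdict: the name-length heuristic will hit legitimate short names outside the allowlist, and a DLL that a scanner "could not open" (hrilqgan.dll above) is the one to look at first, because a file locked while a Run entry loads it through rundll32 is exactly how Vundo survives reboots.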

#4 SifuMike

    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 March 2008 - 07:34 PM

Hi the.lysha,

Looks like you have a nasty Vundo infection.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira AntiVir:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.




Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

You do not need the Windows CD to install Recovery Console.

We need the Recovery Console because malware does a lot of damage and leaves an unstable system, so it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options available to repair whatever the malware damaged.
Also, even when you're not infected, having the Recovery Console installed is useful in case a computer won't boot anymore for other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SifuMike

Posted 16 March 2008 - 02:46 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#6 SifuMike

Posted 17 March 2008 - 02:14 PM

topic reopened :thumbsup:

#7 the.lysha


Posted 17 March 2008 - 02:37 PM

Thank you so much. Here is the ComboFix log
ComboFix 08-03-14.4 - Owner 2008-03-17 12:29:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1420 [GMT -7:00]
Running from: C:\Documents and Settings\Owner.Lyshalaptop\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner.Lyshalaptop\Application Data\ECURIT~1
C:\Documents and Settings\Owner.Lyshalaptop\Application Data\RACLE~1
C:\Documents and Settings\Owner.Lyshalaptop\My Documents\YSTEM~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Drmupgds
C:\Program Files\outlook
C:\Program Files\Temporary
C:\temp\tn3
C:\WINDOWS\BM5f17fe91.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\pskt.ini
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\drivers\Hdaudbuss.sys
C:\WINDOWS\system32\grtanxtq.ini
C:\WINDOWS\system32\ilsvkcjd.ini
C:\WINDOWS\system32\iqgtabch.ini
C:\WINDOWS\system32\jjybbqft.ini
C:\WINDOWS\system32\knyvukcn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx07
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tsks~1
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_HDAUDBUSS
-------\LEGACY_NETWORK_MONITOR
-------\Hdaudbuss


((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-09 23:22 . 2008-03-09 23:22 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\Application Data\CyberLink
2008-03-09 23:22 . 2008-03-09 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-09 12:35 . 2008-03-09 12:35 <DIR> d-------- C:\Program Files\Avira
2008-03-09 12:35 . 2008-03-09 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-03 15:14 . 2008-03-03 15:11 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-03 15:11 . 2008-03-03 15:15 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6
2008-03-03 14:31 . 2008-03-09 11:42 1,304,014 ---hs---- C:\WINDOWS\system32\nagqlirh.ini
2008-03-03 14:04 . 2008-03-09 13:24 <DIR> d-------- C:\VundoFix Backups
2008-03-02 14:27 . 2008-03-03 14:28 1,302,862 ---hs---- C:\WINDOWS\system32\fqnaowmt.ini
2008-03-02 14:16 . 2008-03-02 14:16 294 ---hs---- C:\WINDOWS\system32\ifjsfvqm.ini
2008-02-29 01:55 . 2008-03-01 12:26 1,952 ---hs---- C:\WINDOWS\system32\qvumxsjq.ini
2008-02-27 18:55 . 2008-02-29 00:54 1,412 ---hs---- C:\WINDOWS\system32\usdnnmbj.ini
2008-02-25 19:08 . 2008-02-27 18:26 1,232 ---hs---- C:\WINDOWS\system32\qmiwbmiw.ini
2008-02-23 19:30 . 2008-02-27 22:39 <DIR> d-------- C:\Program Files\DivX
2008-02-23 19:15 . 2008-02-23 19:15 <DIR> d---s---- C:\Documents and Settings\Owner.Lyshalaptop\UserData
2008-02-23 13:19 . 2008-02-25 19:08 452 ---hs---- C:\WINDOWS\system32\mgwmskef.ini
2008-02-23 00:40 . 2008-02-23 12:14 4,854 ---hs---- C:\WINDOWS\system32\ctohahmh.ini
2008-02-21 01:48 . 2008-02-21 01:48 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\Saved Games
2008-02-21 01:40 . 2008-02-21 01:40 <DIR> d-------- C:\Program Files\Dream Day - First Home
2008-02-20 22:27 . 2008-02-23 00:32 4,734 ---hs---- C:\WINDOWS\system32\mchhjfvr.ini
2008-02-19 22:32 . 2008-02-20 21:46 4,314 ---hs---- C:\WINDOWS\system32\iustlpfc.ini
2008-02-19 19:16 . 2008-02-19 22:05 4,134 ---hs---- C:\WINDOWS\system32\aoiuihct.ini
2008-02-18 18:37 . 2008-02-18 18:38 <DIR> d-------- C:\Program Files\Home Sweet Home
2008-02-18 01:57 . 2008-02-19 19:15 4,014 ---hs---- C:\WINDOWS\system32\rsohnsmi.ini
2008-02-17 23:26 . 2008-02-17 23:28 <DIR> d-------- C:\Program Files\Winamp
2008-02-17 23:26 . 2008-02-17 23:28 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Winamp
2008-02-17 23:26 . 2007-03-07 16:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-17 01:57 . 2008-02-18 01:57 3,414 ---hs---- C:\WINDOWS\system32\ydordgel.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 19:31 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\DNA
2008-03-14 08:38 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\BitTorrent
2008-03-12 23:27 --------- d-----w C:\Program Files\BitTorrent
2008-02-27 00:23 --------- d-----w C:\Program Files\lx_cats
2008-02-18 06:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-16 10:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 10:06 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-16 10:06 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-15 20:00 --------- d-----w C:\Program Files\DNA
2008-02-11 22:43 --------- d-----w C:\Program Files\Shockwave.com
2008-02-11 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-11 08:59 --------- d-----w C:\Program Files\Common Files\kzwf
2008-02-11 08:02 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Gaijin Ent
2008-02-10 18:43 289 ----a-w C:\Documents and Settings\Owner.Lyshalaptop\4868.bat
2008-02-08 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-08 08:50 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\iWin
2008-02-08 08:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin
2008-02-08 07:54 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Home Sweet Home
2008-02-07 07:12 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Gamelab
2008-02-05 01:04 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\PlayFirst
2008-02-04 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-02-04 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-04 21:59 --------- d-----w C:\Program Files\ReflexiveArcade
2008-01-27 03:26 --------- d-----w C:\Program Files\Gateway Games
2008-01-27 01:01 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\WildTangent
2008-01-23 23:39 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-23 23:27 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-01-23 23:24 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Azureus
2008-01-02 04:45 144 ----a-w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE74D8B-3604-4A59-A995-3B8B00099940}]
C:\WINDOWS\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a985d0dd-d386-4306-80a8-7b2840d56c3e}]
C:\WINDOWS\system32\xqiytpoq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 11:00 299008]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 14:17 50736]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-15 13:00 287040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56 64512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-04 05:37 169984]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 08:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 08:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 11:20 413696 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 20:22 573440]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-11 22:40 1236992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 10:03 36864 C:\WINDOWS\system32\P0620Pin.dll]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 10:48 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-06 22:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 01:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 04:54 65536]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"Blubster"="C:\Program Files\Blubster\Blubster.exe" [ ]
"5c24cd0d"="C:\WINDOWS\system32\hrilqgan.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-09 12:42 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-11-04 05:41:04 2168360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-04 21:07:31 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\rteprej.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21519:UDP"= 21519:UDP:utorrent
"21519:TCP"= 21519:TCP:utorrent
"21591:TCP"= 21591:TCP:utorrent
"1660:UDP"= 1660:UDP:Windows Media Format SDK (iexplore.exe)
"1661:UDP"= 1661:UDP:Windows Media Format SDK (iexplore.exe)
"1699:UDP"= 1699:UDP:Windows Media Format SDK (iexplore.exe)


.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 07:35:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-01-03 20:17:56 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 12:33:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-17 12:35:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 19:35:32
.
2008-03-12 00:29:54 --- E O F ---

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:01 PM

Posted 17 March 2008 - 05:05 PM

Hello the.lysha,


Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\nagqlirh.ini
C:\WINDOWS\system32\fqnaowmt.ini
C:\WINDOWS\system32\ifjsfvqm.ini
C:\WINDOWS\system32\qvumxsjq.ini
C:\WINDOWS\system32\usdnnmbj.ini
C:\WINDOWS\system32\qmiwbmiw.ini
C:\WINDOWS\system32\mgwmskef.ini
C:\WINDOWS\system32\ctohahmh.ini
C:\WINDOWS\system32\mchhjfvr.ini
C:\WINDOWS\system32\iustlpfc.ini
C:\WINDOWS\system32\aoiuihct.ini
C:\WINDOWS\system32\rsohnsmi.ini
C:\WINDOWS\system32\ydordgel.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\hrilqgan.dll
C:\Documents and Settings\Owner.Lyshalaptop\4868.bat

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE74D8B-3604-4A59-A995-3B8B00099940}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a985d0dd-d386-4306-80a8-7b2840d56c3e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5c24cd0d"=-  

DirLook:: 
C:\Program Files\Common Files\kzwf


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 the.lysha

the.lysha
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 19 March 2008 - 02:00 PM

Thank you! Here is the ComboFix report:
ComboFix 08-03-14.4 - Owner 2008-03-19 11:53:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1424 [GMT -7:00]
Running from: C:\Documents and Settings\Owner.Lyshalaptop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Lyshalaptop\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner.Lyshalaptop\4868.bat
C:\WINDOWS\system32\aoiuihct.ini
C:\WINDOWS\system32\ctohahmh.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\fqnaowmt.ini
C:\WINDOWS\system32\hrilqgan.dll
C:\WINDOWS\system32\ifjsfvqm.ini
C:\WINDOWS\system32\iustlpfc.ini
C:\WINDOWS\system32\mchhjfvr.ini
C:\WINDOWS\system32\mgwmskef.ini
C:\WINDOWS\system32\nagqlirh.ini
C:\WINDOWS\system32\qmiwbmiw.ini
C:\WINDOWS\system32\qvumxsjq.ini
C:\WINDOWS\system32\rsohnsmi.ini
C:\WINDOWS\system32\usdnnmbj.ini
C:\WINDOWS\system32\ydordgel.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.Lyshalaptop\4868.bat
C:\VundoFix Backups
C:\VundoFix Backups\gjllm.ini.bad
C:\VundoFix Backups\gjllm.ini2.bad
C:\VundoFix Backups\waahmvtb.dllbox.bad
C:\WINDOWS\system32\aoiuihct.ini
C:\WINDOWS\system32\ctohahmh.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\fqnaowmt.ini
C:\WINDOWS\system32\ifjsfvqm.ini
C:\WINDOWS\system32\iustlpfc.ini
C:\WINDOWS\system32\mchhjfvr.ini
C:\WINDOWS\system32\mgwmskef.ini
C:\WINDOWS\system32\nagqlirh.ini
C:\WINDOWS\system32\qmiwbmiw.ini
C:\WINDOWS\system32\qvumxsjq.ini
C:\WINDOWS\system32\rsohnsmi.ini
C:\WINDOWS\system32\usdnnmbj.ini
C:\WINDOWS\system32\ydordgel.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-09 23:22 . 2008-03-09 23:22 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\Application Data\CyberLink
2008-03-09 23:22 . 2008-03-09 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-09 12:35 . 2008-03-09 12:35 <DIR> d-------- C:\Program Files\Avira
2008-03-09 12:35 . 2008-03-09 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-03 15:14 . 2008-03-03 15:11 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-03 15:11 . 2008-03-03 15:15 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\.housecall6.6
2008-02-23 19:30 . 2008-02-27 22:39 <DIR> d-------- C:\Program Files\DivX
2008-02-23 19:15 . 2008-02-23 19:15 <DIR> d---s---- C:\Documents and Settings\Owner.Lyshalaptop\UserData
2008-02-21 01:48 . 2008-02-21 01:48 <DIR> d-------- C:\Documents and Settings\Owner.Lyshalaptop\Saved Games
2008-02-21 01:40 . 2008-02-21 01:40 <DIR> d-------- C:\Program Files\Dream Day - First Home

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 08:22 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\DNA
2008-03-17 20:01 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\BitTorrent
2008-03-12 23:27 --------- d-----w C:\Program Files\BitTorrent
2008-02-27 00:23 --------- d-----w C:\Program Files\lx_cats
2008-02-19 01:38 --------- d-----w C:\Program Files\Home Sweet Home
2008-02-18 06:28 --------- d-----w C:\Program Files\Winamp
2008-02-18 06:28 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Winamp
2008-02-18 06:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-16 10:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 10:06 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-02-16 10:06 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-16 10:06 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-15 20:00 --------- d-----w C:\Program Files\DNA
2008-02-11 22:43 --------- d-----w C:\Program Files\Shockwave.com
2008-02-11 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-11 08:59 --------- d-----w C:\Program Files\Common Files\kzwf
2008-02-11 08:02 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Gaijin Ent
2008-02-08 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-08 08:50 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\iWin
2008-02-08 08:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin
2008-02-08 07:54 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Home Sweet Home
2008-02-07 07:12 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Gamelab
2008-02-05 01:04 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\PlayFirst
2008-02-04 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-02-04 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-04 21:59 --------- d-----w C:\Program Files\ReflexiveArcade
2008-01-27 03:26 --------- d-----w C:\Program Files\Gateway Games
2008-01-27 01:01 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\WildTangent
2008-01-23 23:27 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-01-23 23:24 --------- d-----w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\Azureus
2008-01-16 13:09 24,626 ----a-w C:\WINDOWS\system32\ScrrnES.dll
2008-01-16 13:09 1,376,528 -c--a-w C:\WINDOWS\system32\msvbvm60.dll
2008-01-02 04:45 144 ----a-w C:\Documents and Settings\Owner.Lyshalaptop\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Common Files\kzwf ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 11:00 299008]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 14:17 50736]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-15 13:00 287040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56 64512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-04 05:37 169984]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 08:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 08:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 11:20 413696 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 20:22 573440]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-11 22:40 1236992]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18 57344]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 10:03 36864 C:\WINDOWS\system32\P0620Pin.dll]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 10:48 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-06 22:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 01:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 04:54 65536]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 14:49 1121280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00 267064]
"Blubster"="C:\Program Files\Blubster\Blubster.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-09 12:42 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-11-04 05:41:04 2168360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-04 21:07:31 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\rteprej.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21519:UDP"= 21519:UDP:utorrent
"21519:TCP"= 21519:TCP:utorrent
"21591:TCP"= 21591:TCP:utorrent
"1660:UDP"= 1660:UDP:Windows Media Format SDK (iexplore.exe)
"1661:UDP"= 1661:UDP:Windows Media Format SDK (iexplore.exe)
"1699:UDP"= 1699:UDP:Windows Media Format SDK (iexplore.exe)


.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 07:35:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-01-03 20:17:56 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 11:55:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 11:56:23
ComboFix-quarantined-files.txt 2008-03-19 18:56:21
ComboFix2.txt 2008-03-17 19:35:35
.
2008-03-12 00:29:54 --- E O F ---


And here is the HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:52 AM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6453
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: REALTEK RTL8187 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rteprej.html

--
End of file - 7965 bytes
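As an added example (not code from the thread and not ComboFix's own tooling), a small Python checker for the two artefacts above: it parses the CFScript from post #8 (File::, Folder:: and Registry:: directives) and the post-run ComboFix log from post #9, confirms each requested path appears under "Other Deletions" and each requested registry removal is gone from "Reg Loading Points", and lists Run entries ComboFix marked "[ ]" (file not located), which is how the "5c24cd0d" entry looked before cleanup. The embedded script and log are constructed, abridged copies of the posted ones, with one file deliberately left out of the deletions to show the unconfirmed path.

```python
# Added example (not the thread's or ComboFix's own code): check a CFScript against the post-run log.
import re
# Constructed, abridged from post #8; nagqlirh.ini is kept to exercise a miss.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\nagqlirh.ini
C:\WINDOWS\system32\hrilqgan.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE74D8B-3604-4A59-A995-3B8B00099940}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5c24cd0d"=-
"""
# Constructed, abridged from post #9 (nagqlirh.ini deliberately left out).
COMBOFIX_LOG = r"""((((((((( Other Deletions )))))))))
C:\VundoFix Backups
C:\WINDOWS\system32\hrilqgan.dll
.
((((((((( Reg Loading Points )))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56 64512]
"Blubster"="C:\Program Files\Blubster\Blubster.exe" [ ]
"""

def parse_cfscript(text):
    """Map each 'Name::' directive to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if head := re.fullmatch(r"(\w+)::", line):
            current = sections.setdefault(head.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def registry_deletions(lines):
    """'[-KEY]' -> (KEY, None); '"name"=-' -> (selected KEY, name), as in REGEDIT."""
    out, key = [], None
    for line in lines:
        if line.startswith("[-"):
            out.append((line[2:-1], None))
        elif line.startswith("["):
            key = line[1:-1]
        elif (m := re.fullmatch(r'"([^"]+)"=-', line)) and key:
            out.append((key, m.group(1)))
    return out

def log_sections(text):
    """Split a ComboFix log on its '(((( Title ))))' banner lines."""
    sections, title = {}, "header"
    for line in (raw.rstrip() for raw in text.splitlines()):
        if banner := re.fullmatch(r"\(+\s*(.+?)\s*\)+", line):
            title = banner.group(1)
            sections[title] = []
        elif line and line != ".":
            sections.setdefault(title, []).append(line)
    return sections

def run_key_values(lines):
    """Map '[KEY]' -> {value: file info}; '[ ]' (empty) means file not located."""
    keys, key = {}, None
    for line in lines:
        if line.startswith("["):
            key = line[1:-1]
            keys[key] = {}
        elif key and (m := re.match(r'"([^"]+)"=.*?(?:\[([^\]]*)\])?\s*$', line)):
            keys[key][m.group(1)] = (m.group(2) or "").strip()
    return keys

def verify(script_text, log_text):
    """Report confirmed/unconfirmed removals and autoruns ComboFix could not locate."""
    script, log = parse_cfscript(script_text), log_sections(log_text)
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    runs = run_key_values(log.get("Reg Loading Points", []))
    report = {"confirmed": [], "unconfirmed": [], "unlocated_autoruns": []}
    for path in script.get("File", []) + script.get("Folder", []):
        report["confirmed" if path.lower() in deleted else "unconfirmed"].append(path)
    for key, value in registry_deletions(script.get("Registry", [])):
        # The only evidence here is absence from the post-run loading-points dump.
        present = key in runs if value is None else value in runs.get(key, {})
        report["unconfirmed" if present else "confirmed"].append((key, value))
    for key, values in runs.items():
        if key.lower().endswith("\\run"):
            report["unlocated_autoruns"] += [(key, n) for n, i in values.items() if not i]
    return report

if __name__ == "__main__":
    for kind, items in verify(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{kind}: {items}")
```

An "unconfirmed" entry means the follow-up log gives no evidence the item was removed, which is the cue to ask for another log rather than to declare the machine clean.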

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:01 PM

Posted 19 March 2008 - 02:10 PM

Hi the.lysha,

Please tell me how the computer is running.

#11 the.lysha

the.lysha
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 19 March 2008 - 02:28 PM

Everything seems to be running great so far. I haven't had any popups in a while and things are running faster. The only thing that is still there is the red X.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:01 PM

Posted 19 March 2008 - 03:00 PM

Hi the.lysha,

Click Start > Run > copy and paste the following into the box and hit enter/ok


cmd /c Reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons


If it asks you "Are you sure?", choose Y.

Let me know if the red X is gone. :thumbsup:

#13 the.lysha

the.lysha
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 20 March 2008 - 02:35 PM

YAY!!! It is gone. Thank you so much for everything.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:01 PM

Posted 20 March 2008 - 03:15 PM

Hi the.lysha,

You are very welcome. :thumbsup:

Your log looks clean! :blink: Good job on the cleanup!

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow "How did I get infected?, With steps so it does not happen again!" as well as "How to prevent Malware" by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.



