
Trojan.vundo Qommjjj.dll


This topic is locked
12 replies to this topic

#1 cpicardo
Posted 22 March 2008 - 01:34 PM

Hi Everyone,

First time posting. Got this stupid trojan that I just can't remove. Have Symantec Antivirus, absolutely useless in removal.
Virus seemed to enter through a backdoor in Java...I have since updated Java, so hopefully that won't happen again, but now I can't get rid of it.
Performed all tasks as requested by forum. Also used CCleaner. Please see HJT log. Currently using Firefox. Help is greatly appreciated.

CP



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:20 PM, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [44b35f8f] rundll32.exe "C:\WINDOWS\system32\dhgtqguv.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4ca.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/119d68d2258d65107320/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how...ork/getfqdn.cab
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9891 bytes
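As an added triage example that is not part of the original thread, the Python script below parses HijackThis O3/O4 lines of the kind posted above and flags the markers a helper would look at first: a Run value whose name is a random hex token, rundll32 loading a DLL with a short entry point, a DLL file name that looks machine-generated, and a toolbar registration that points to no file. The sample lines are constructed from the log above and the heuristics are my own, not HijackThis's.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied in shape from the HijackThis
# log posted above (the O4 rundll32 entry is the one ComboFix later removed).
SAMPLE_HJT_LOG = """\
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AcroIEFavClient.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [44b35f8f] rundll32.exe "C:\\WINDOWS\\system32\\dhgtqguv.dll",b
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
O23 - Service: WLTRYSVC - Unknown owner - C:\\WINDOWS\\System32\\WLTRYSVC.EXE
"""

# HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 invocation: rundll32[.exe] "<path>.dll",<entry point>
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)?',
                       re.IGNORECASE)
# HijackThis O3 line: "O3 - Toolbar: <name> - {CLSID} - <path or (no file)>"
O3_RE = re.compile(r'^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
HEX_TOKEN_RE = re.compile(r'[0-9a-f]{8}', re.IGNORECASE)

VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Crude lexical check for machine-generated file names such as dhgtqguv:
    all letters, at least 6 long, and either no vowels at all or a run of four
    or more consonants. Legitimate names can trip it (which is why it is only
    applied to DLLs loaded through rundll32 below), so treat it as one signal,
    not a verdict."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    if not any(c in VOWELS for c in s):
        return True
    return re.search(r'[^aeiouy]{4,}', s) is not None


def triage_hjt(log_text: str) -> list:
    """Walk a HijackThis log and return the O3/O4 lines worth a second look,
    each as {'line': ..., 'reasons': [...]} with every reason that fired."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group('name'), m.group('cmd')
            # Vundo-style droppers register under a throwaway hex value name.
            if HEX_TOKEN_RE.fullmatch(name):
                reasons.append(f'Run value name "{name}" is a bare hex token')
            r = RUNDLL_RE.search(cmd)
            if r:
                dll = PureWindowsPath(r.group('dll'))
                entry = r.group('entry') or ''
                reasons.append(f'rundll32 loads {dll.name} with entry point "{entry}"')
                if looks_random(dll.stem):
                    reasons.append(f'DLL name "{dll.name}" looks machine-generated')
        else:
            m = O3_RE.match(line)
            # A toolbar CLSID with no backing file is a leftover registration.
            if m and m.group('path').strip().lower() == '(no file)':
                reasons.append(f'toolbar {{{m.group("clsid")}}} is registered but its file is missing')
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f['line'])
        for why in f['reasons']:
            print('    -', why)
```

Entries that only trip the orphaned-toolbar check are usually harmless leftovers; the rundll32 entry with a hex value name and a random DLL name is the one to hand to the removal tool, as the ComboFix log later in the thread confirms.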


#2 steamwiz
Posted 22 March 2008 - 03:36 PM

Hi

As you've "Performed all tasks as requested by forum"

Please Copy & paste any of these logs you have :- ...

1. Housecall log (The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\)

2. Panda Activescan report

3. Bit Defender report

I also see you've run SUPERAntiSpyware ... please post that log as well ...

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 cpicardo

Posted 23 March 2008 - 11:30 AM

Hi Steam,

Sorry about that...thought I was only supposed to post HJT log.

Housecall Logs (3 of them):
engine0:
2008-03-22 12:19:20.781 INFO [java:hc.impl.lib.engine.CommonEngineImpl#Native] Version 6.51-1020
2008-03-22 12:19:21.262 WARNING [java:hc.impl.lib.engine.CommonEngineImpl#Native] Read ini: Failed to read threat values, set to default values.
2008-03-22 12:19:21.382 WARNING [java:hc.impl.lib.engine.CommonEngineImpl#Native] Read ini: Failed to read threat values, set to default values.
2008-03-22 12:19:25.518 INFO [java:hc.impl.lib.engine.CommonEngineImpl#Native] Spyware scanner initialized (threadid=cdc)
2008-03-22 12:21:58.779 WARNING [java:com.trendmicro.web.housecall.share.engine.BootSectorScanProcess] Scanning the bootsector 'D:\', caused a return value of '-33'
2008-03-22 12:24:45.418 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-27,
2008-03-22 12:24:45.428 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-27,
2008-03-22 12:25:17.444 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:16.850 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip!
2008-03-22 12:26:16.870 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress.zip!
2008-03-22 12:26:16.880 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress1.zip!
2008-03-22 12:26:16.890 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress2.zip!
2008-03-22 12:26:16.910 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress3.zip!
2008-03-22 12:26:16.990 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip!
2008-03-22 12:26:48.14 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.14 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.655 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.655 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.986 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.996 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:49.116 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:49.116 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:27:23.746 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\Tania Rodrigues\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-22-2008 - 10-52-01.SBU!
2008-03-22 12:27:51.45 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:27:51.45 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:28:35.179 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:30:51.505 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:30:51.505 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:47:50.420 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:48:15.145 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:52:18.395 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:04:46.481 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:10:09.475 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:10:11.899 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:10:11.979 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:52.107 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:52.267 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.765 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.765 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.845 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.855 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.975 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.975 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:22:00.808 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:28:28.65 INFO [java:hc.impl.lib.engine.CommonEngineImpl#Native] Spyware scanner uninitialized (threadid=890)

error0:
2008-03-22 12:11:56.813 WARNING [java:hc.util.LocalProxy] 404 http://housecall65.trendmicro.com:80/house...ate/ini_xml.zip
2008-03-22 12:19:21.262 WARNING [java:hc.impl.lib.engine.CommonEngineImpl#Native] Read ini: Failed to read threat values, set to default values.
2008-03-22 12:19:21.382 WARNING [java:hc.impl.lib.engine.CommonEngineImpl#Native] Read ini: Failed to read threat values, set to default values.
2008-03-22 12:19:48.752 SEVERE [java:hc.applet.process.GetThreatInformation] Could not get vulnerability information for:MS08-009
2008-03-22 12:19:50.23 WARNING [java:hc.applet.process.GetThreatInformation] Multiple-Transfer failed for vulnerabilities! Need to transfer single packages
2008-03-22 12:19:50.434 SEVERE [java:hc.applet.process.GetThreatInformation] Could not get vulnerability information for:MS07-044
2008-03-22 12:21:58.779 WARNING [java:com.trendmicro.web.housecall.share.engine.BootSectorScanProcess] Scanning the bootsector 'D:\', caused a return value of '-33'
2008-03-22 12:24:45.418 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-27,
2008-03-22 12:24:45.428 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-27,
2008-03-22 12:25:17.444 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:16.850 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip!
2008-03-22 12:26:16.870 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress.zip!
2008-03-22 12:26:16.880 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress1.zip!
2008-03-22 12:26:16.890 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress2.zip!
2008-03-22 12:26:16.910 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress3.zip!
2008-03-22 12:26:16.990 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip!
2008-03-22 12:26:48.14 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.14 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.655 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.655 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.986 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:48.996 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:49.116 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:26:49.116 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:27:23.746 SEVERE [java:com.trendmicro.web.housecall.share.engine.FileScanProcess] Scan failed on archive: C:\Documents and Settings\Tania Rodrigues\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-22-2008 - 10-52-01.SBU!
2008-03-22 12:27:51.45 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:27:51.45 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:28:35.179 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:30:51.505 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:30:51.505 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:47:50.420 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:48:15.145 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 12:52:18.395 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:04:46.481 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:10:09.475 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:10:11.899 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:10:11.979 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:52.107 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:52.267 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.765 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.765 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.845 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.855 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.895 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.975 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:18:57.975 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:22:00.808 SEVERE [java:hc.impl.lib.engine.CommonEngineImpl#Native] File scanner error=-94,
2008-03-22 13:24:04.526 WARNING [java:hc.applet.process.GetThreatInformation] Multiple-Transfer failed for threat removal descriptions! Need to transfer single packages
2008-03-22 13:24:04.646 SEVERE [java:hc.applet.process.GetThreatInformation] Could not get removal description for:TROJ_VUNDO.ATM
2008-03-22 13:24:05.57 SEVERE [java:hc.applet.process.GetThreatInformation] Could not get removal description for:TROJ_VUNDO.XY

execution0:
2008-03-22 12:11:26.920 INFO [java:hc.applet.Implementation] Starting the java based HouseCall client with id:hc-impl-1
2008-03-22 12:11:30.715 INFO [java:hc.applet.Implementation] OS: WinXP - x86 - win32
2008-03-22 12:11:30.715 INFO [java:hc.applet.Implementation] Browser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
2008-03-22 12:11:30.715 INFO [java:hc.applet.ResourceLoader] Bypass loading bindings in the initial context!
2008-03-22 12:11:30.735 INFO [java:hc.applet.Implementation] Switching the context to "initial"
2008-03-22 12:11:51.505 INFO [java:hc.applet.ResourceLoader] Loading all bindings now!
2008-03-22 12:11:51.646 INFO [java:hc.applet.ResourceLoader] Bindings loaded!
2008-03-22 12:11:51.646 INFO [java:hc.applet.Implementation] Switching the context to "preparing"
2008-03-22 12:11:51.696 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-engine-engine
2008-03-22 12:11:56.312 INFO [java:hc.impl.lib.activeupdate.UpdateImpl] Setting the proxy configuration to: Host: 127.0.0.1:33233 Proxy-Type:http Login: "null" using Password: no
2008-03-22 12:11:56.312 INFO [java:hc.impl.lib.activeupdate.UpdateImpl] Using internal proxy transport
2008-03-22 12:11:56.322 INFO [java:hc.impl.lib.activeupdate.UpdateImpl] Setting the proxy configuration to: Host: 127.0.0.1:33233 Proxy-Type:http Login: "null" using Password: no
2008-03-22 12:11:56.322 INFO [java:hc.impl.lib.activeupdate.UpdateImpl] Using internal proxy transport
2008-03-22 12:11:56.813 WARNING [java:hc.util.LocalProxy] 404 http://housecall65.trendmicro.com:80/house...ate/ini_xml.zip
2008-03-22 12:11:57.394 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-pattern-malware
2008-03-22 12:11:57.474 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-pattern-grayware
2008-03-22 12:11:57.524 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-engine-system-engine
2008-03-22 12:11:57.524 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-engine-system-engine
2008-03-22 12:11:57.524 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-engine-system-engine
2008-03-22 12:11:57.624 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-pattern-system-malware
2008-03-22 12:11:57.654 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-pattern-system-grayware
2008-03-22 12:11:57.674 INFO [java:hc.applet.process.UpdateActiveUpdate] Local-Version not found for ; updating-pattern-system-vulnerability
2008-03-22 12:12:49.949 INFO [java:hc.applet.Implementation] Switching the context to "checking"
2008-03-22 12:19:20.781 INFO [java:hc.impl.lib.engine.CommonEngineImpl#Native] Version 6.51-1020
2008-03-22 12:19:21.262 WARNING [java:hc.impl.lib.engine.CommonEngineImpl#Native] Read ini: Failed to read threat values, set to default values.
2008-03-22 12:19:21.382 WARNING [java:hc.impl.lib.engine.CommonEngineImpl#Native] Read ini: Failed to read threat values, set to default values.
2008-03-22 12:19:25.518 INFO [java:hc.impl.lib.engine.CommonEngineImpl#Native] Spyware scanner initialized (threadid=cdc)
2008-03-22 12:19:50.23 WARNING [java:hc.applet.process.GetThreatInformation] Multiple-Transfer failed for vulnerabilities! Need to transfer single packages
2008-03-22 12:21:44.87 INFO [java:hc.applet.process.UpdateActiveUpdate] Finalizing the Update-Session now
2008-03-22 13:22:09.871 INFO [java:hc.applet.Implementation] Switching the context to "resolving"
2008-03-22 13:24:04.526 WARNING [java:hc.applet.process.GetThreatInformation] Multiple-Transfer failed for threat removal descriptions! Need to transfer single packages
2008-03-22 13:28:21.285 INFO [java:hc.applet.Implementation] Stopping the java based HouseCall client with id:hc-impl-1
2008-03-22 13:28:28.65 INFO [java:hc.impl.lib.engine.CommonEngineImpl#Native] Spyware scanner uninitialized (threadid=890)
2008-03-22 13:28:28.405 INFO [java:hc.applet.Implementation] Stopped the client with id:hc-impl-1

Unable to run Panda Activescan or Bit Defender, as IE kept closing.

SuperAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 10:51 AM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Quick Scan
Total Scan Time : 00:19:13

Memory items scanned : 484
Memory threats detected : 0
Registry items scanned : 453
Registry threats detected : 2
File items scanned : 866
File threats detected : 0

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount


ComboFix Log
ComboFix 08-03-22.3 - Tania Rodrigues 2008-03-23 11:48:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT -4:00]
Running from: C:\Documents and Settings\Tania Rodrigues\Desktop\ComboFix.exe
.
-- Other TimeOuts --
CF21499.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\asembl~1
C:\WINDOWS\system32\byxxy.dll
C:\WINDOWS\system32\dhgtqguv.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\hghhk.ini
C:\WINDOWS\SYSTEM32\hghhk.ini2
C:\WINDOWS\system32\qommjjj.dll
C:\WINDOWS\SYSTEM32\vugqtghd.ini
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\SYSTEM32\yxxyb.ini
C:\WINDOWS\SYSTEM32\yxxyb.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-22 14:21 . 2008-03-22 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 12:11 . 2008-03-22 13:28 <DIR> d-------- C:\Documents and Settings\Tania Rodrigues\.housecall6.6
2008-03-22 10:17 . 2008-03-22 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 10:16 . 2008-03-22 10:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 10:16 . 2008-03-22 10:16 <DIR> d-------- C:\Documents and Settings\Tania Rodrigues\Application Data\SUPERAntiSpyware.com
2008-03-22 10:14 . 2008-03-22 10:14 <DIR> d-------- C:\Program Files\CCleaner
2008-03-21 18:30 . 2008-03-21 18:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-21 18:30 . 2008-03-22 09:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 17:02 . 2008-03-21 17:02 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-21 16:42 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-03-21 16:42 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-03-21 16:40 . 2008-03-23 12:02 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-21 15:46 . 2008-03-21 15:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-21 15:46 . 2008-03-21 15:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 15:33 . 2008-03-21 15:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-21 15:33 . 2008-03-21 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 15:29 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-21 15:10 . 2008-03-21 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-21 15:09 . 2008-03-22 10:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 18:58 . 2008-03-20 18:58 15,086 --a------ C:\WINDOWS\SYSTEM32\FreePokerBonus.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 16:06 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-21 20:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 20:44 --------- d-----w C:\Program Files\Symantec
2008-03-21 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-21 19:59 --------- d-----w C:\Program Files\QuickTime
2008-03-21 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-21 19:29 --------- d-----w C:\Program Files\Java
2008-03-21 19:11 --------- d-----w C:\Program Files\Lavasoft
2008-03-21 19:11 --------- d-----w C:\Documents and Settings\Tania Rodrigues\Application Data\Lavasoft
2008-03-04 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-04-24 00:21 53,032 ----a-w C:\Documents and Settings\Tania Rodrigues\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{963E2C03-2BC4-48C7-A427-7DD550AEA9D2}]
C:\WINDOWS\system32\khhgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc2c1905-7237-4e54-8210-2fa80328b556}]
C:\WINDOWS\system32\mgsbgqgd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-11 01:07 147456]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 22:05 339968]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 12:27 28672]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 13:15 53248]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35 473928]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-09 17:08 185632]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-04-23 17:51:49 25214]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommjjj]
qommjjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sprtsvc_dellsupportcenter"=2 (0x2)
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23053:TCP"= 23053:TCP:BitComet 23053 TCP
"23053:UDP"= 23053:UDP:BitComet 23053 UDP

S4 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 15:01:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 12:05:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-23 12:13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 16:13:29
.
2008-03-14 00:44:29 --- E O F ---


Thanks Again.
CP

#4 steamwiz
Posted 23 March 2008 - 02:43 PM

HI

Sorry about that...thought I was only supposed to post HJT log.


That's OK .... some helpers may not want to see the additional logs ... I like to see them all ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\vpc32.INI

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{963E2C03-2BC4-48C7-A427-7DD550AEA9D2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc2c1905-7237-4e54-8210-2fa80328b556}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommjjj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-
I see you've disabled Spybot's TeaTimer with msconfig; there's no need to do that, you can turn it off in the Spybot control panel.

-

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
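The CFScript the helper posted above is a plain text file with a File:: section listing paths and a Registry:: section listing keys in regedit-style syntax, where the leading hyphen inside the brackets marks the key for deletion. The helper stresses three easy-to-get-wrong details: File:: must be the very first line, with no blank line above it and no space in front of it. The following Python script is an added example, not code from the helper or from ComboFix: it builds a CFScript from the exact entries in the post and then checks it against those stated rules plus the section structure visible in the script. It assumes nothing about how ComboFix itself parses the file beyond what the post shows, so passing these checks means the file matches the helper's instructions, not that ComboFix will accept every possible line.

```python
"""Build a ComboFix CFScript and check it against the rules the helper spelled out.

Added example; the format rules encoded here are only those visible in the post
(File:: first, no blank line above it, no leading space, bracketed [-KEY] entries
under Registry::). Everything else about ComboFix's parser is an assumption.
"""
import re

SECTION_HEADERS = ("File::", "Registry::")

# Sample entries copied from the helper's script in the post (not invented).
SAMPLE_FILES = [r"C:\WINDOWS\vpc32.INI"]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{963E2C03-2BC4-48C7-A427-7DD550AEA9D2}",
    r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc2c1905-7237-4e54-8210-2fa80328b556}",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommjjj",
    r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1",
]

ABS_PATH = re.compile(r"^[A-Za-z]:\\")  # drive letter, colon, backslash


def build_cfscript(files, registry_keys_to_delete):
    """Return CFScript text with Windows line endings: File:: first, then Registry::."""
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    if registry_keys_to_delete:
        lines.append("Registry::")
        # [-KEY] is the regedit convention for deleting a key, as used in the post.
        lines.extend(f"[-{key}]" for key in registry_keys_to_delete)
        lines.append("")
    return "\r\n".join(lines)


def validate_cfscript(text):
    """Return a list of problems; an empty list means the helper's rules are met."""
    problems = []
    lines = text.splitlines()
    if not lines:
        return ["script is empty"]

    first = lines[0]
    if first != first.lstrip():
        problems.append("first line has leading whitespace")
    if first.strip() == "":
        problems.append("blank line above the first section header")
    elif first.strip() not in SECTION_HEADERS:
        problems.append(f"first line is not a section header: {first!r}")

    current = None
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if not s:
            continue
        if s in SECTION_HEADERS:
            current = s
            continue
        if current is None:
            problems.append(f"line {n} appears before any section header")
        elif current == "Registry::" and not (s.startswith("[") and s.endswith("]")):
            problems.append(f"line {n}: Registry:: entries must be bracketed keys, got {s!r}")
        elif current == "File::" and not ABS_PATH.match(s):
            problems.append(f"line {n}: File:: entries must be absolute paths, got {s!r}")
    return problems


if __name__ == "__main__":
    script = build_cfscript(SAMPLE_FILES, SAMPLE_KEYS)
    print(script)
    print("problems:", validate_cfscript(script) or "none")
```

Running the script prints the generated CFScript and "problems: none". Feeding it a copy with a leading space or a blank first line reports the specific rule that was broken, which is exactly the mistake the helper warns about when people copy from a browser code box.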

#5 cpicardo
Posted 24 March 2008 - 06:07 PM

Hi Steam,

Okay, did as you said...after ComboFix ran, no reboot, but system tray came back to life, and TeaTimer came back online (re-enabled in msconfig, but disabled in spybot, or so I thought)...said that a change had been made in the registry, asked if I wanted to accept or cancel the change...tried to close the box since I wasn't sure...ended up canceling the registry change...not sure if that is good or bad.
Here are the logs as per your request:

ComboFix:
ComboFix 08-03-22.3 - Tania Rodrigues 2008-03-24 17:12:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.125 [GMT -4:00]
Running from: C:\Documents and Settings\Tania Rodrigues\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Rodrigues\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\vpc32.INI
.
-- Other TimeOuts --
CF6259.exe /c " VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\* >Windir.dat"
VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\*
CF6259.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*"
CF6259.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\vpc32.INI

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-22 14:21 . 2008-03-22 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-22 12:11 . 2008-03-22 13:28 <DIR> d-------- C:\Documents and Settings\Tania Rodrigues\.housecall6.6
2008-03-22 10:17 . 2008-03-22 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 10:16 . 2008-03-22 10:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 10:16 . 2008-03-22 10:16 <DIR> d-------- C:\Documents and Settings\Tania Rodrigues\Application Data\SUPERAntiSpyware.com
2008-03-22 10:14 . 2008-03-22 10:14 <DIR> d-------- C:\Program Files\CCleaner
2008-03-21 18:30 . 2008-03-21 18:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-21 18:30 . 2008-03-22 09:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 16:42 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-03-21 16:42 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-03-21 16:40 . 2008-03-24 16:50 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-21 15:46 . 2008-03-21 15:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-21 15:46 . 2008-03-21 15:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 15:33 . 2008-03-21 15:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-21 15:33 . 2008-03-21 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 15:29 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-21 15:10 . 2008-03-21 15:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-21 15:09 . 2008-03-22 10:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 18:58 . 2008-03-20 18:58 15,086 --a------ C:\WINDOWS\SYSTEM32\FreePokerBonus.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 20:50 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-21 20:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-21 20:44 --------- d-----w C:\Program Files\Symantec
2008-03-21 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-21 19:59 --------- d-----w C:\Program Files\QuickTime
2008-03-21 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-21 19:29 --------- d-----w C:\Program Files\Java
2008-03-21 19:11 --------- d-----w C:\Program Files\Lavasoft
2008-03-21 19:11 --------- d-----w C:\Documents and Settings\Tania Rodrigues\Application Data\Lavasoft
2008-03-04 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-04-24 00:21 53,032 ----a-w C:\Documents and Settings\Tania Rodrigues\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-11 01:07 147456]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 22:05 339968]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 03:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 12:27 28672]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 13:15 53248]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35 473928]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-09 17:08 185632]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-04-23 17:51:49 25214]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sprtsvc_dellsupportcenter"=2 (0x2)
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23053:TCP"= 23053:TCP:BitComet 23053 TCP
"23053:UDP"= 23053:UDP:BitComet 23053 UDP

S4 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 15:01:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 17:16:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 17:18:35
ComboFix-quarantined-files.txt 2008-03-24 21:18:24
ComboFix2.txt 2008-03-23 16:13:36
.
2008-03-14 00:44:29 --- E O F ---

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:12 PM, on 24/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - (no file)
O2 - BHO: (no name) - {963E2C03-2BC4-48C7-A427-7DD550AEA9D2} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4ca.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/119d68d2258d65107320/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how...ork/getfqdn.cab
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qommjjj - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10987 bytes

KAV:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 24, 2008 7:01:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 659498
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 81946
Number of viruses found: 6
Number of infected objects: 48
Number of suspicious objects: 27
Duration of the scan process: 01:20:28

Infected Object Name / Virus Name / Last Action
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Backup\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Backup\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html Infected: Virus.JS.Fortnight.f skipped
C:\Backup\Outlook.pst Mail MS Mail: infected - 10, suspicious - 9 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840005.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\.housecall6.6\Quarantine\byxxy.dll.bac_a02492 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Tania Rodrigues\.housecall6.6\Quarantine\CAREO3Z9.bac_a02492 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Tania Rodrigues\.housecall6.6\Quarantine\dhgtqguv.dll.bac_a02492 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Tania Rodrigues\.housecall6.6\Quarantine\mgsbgqgd.dll.bac_a02492 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Tania Rodrigues\.housecall6.6\Quarantine\qommjjj.dll.bac_a02492 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Tania Rodrigues\.housecall6.6\Quarantine\xxyawwv.dll.bac_a02492 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\history.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\key3.db Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-24-2008( 17-0-55 ).LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Jokes.dbx/[From "Kenneth. J. Richards" <KJRichards@sympatico.ca>][Date Wed, 10 Sep 2003 08:02:45 -0500]/html Infected: Virus.JS.Fortnight.f skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Jokes.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html Infected: Virus.JS.Fortnight.f skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 10, suspicious - 9 skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\SupportSoft\DellSupportCenter\Tania Rodrigues\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\~DF2FA2.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html Infected: Virus.JS.Fortnight.f skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 10, suspicious - 9 skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Clive on Bike.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00426.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00481.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Early Valentine.doc Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\From The Heart___.htm Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Thumbs.db Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Valentine Card.gif Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dhgtqguv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/byxxy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/qommjjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9550B624-1591-4F5F-A4C5-7E1E2F74021B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks,

Clive

#6 steamwiz
  • Members
  • 1,039 posts

Posted 25 March 2008 - 02:01 PM

HI

Okay, did as you said...after ComboFix ran, no reboot, but system tray came back to life, and TeaTimer came back online (re-enabled in msconfig, but disabled in spybot, or so I thought)...said that a change had been made in the registry, asked if I wanted to accept or cancel the change...tried to close the box since I wasn't sure...ended up canceling the registry change...not sure if that is good or bad.


OK ... let me try to explain ... the entry you unchecked in msconfig was a registry run key for TeaTimer; all you did by unchecking it was make the run key inactive ... when you checked the box again in msconfig, you made it active again ...

When you turned it off in Spybot itself, Spybot attempted to delete the run key ... so you should have accepted the change; by refusing it, you left the run key in place, so TeaTimer will run again at next boot ... each time you enable/disable TeaTimer, or any other program started by a run key, TeaTimer (if enabled) will warn you; if you are running a genuine program, you should accept the change, but if you are just surfing the net and a box from Spybot pops up ... disallow it.

You have infected e-mails/files all over your computer, so please do this :-

Empty the folders or delete the specific e-mails listed below ...

Go to C:\Backup\Outlook.pst/Personal Folders/Deleted Items & empty the Deleted Items folder ...

Go to C:\Backup\Outlook.pst/Personal Folders/Inbox ... delete this e-mail from the folder :-

28 Oct 2004 07:53 from harveykalsi@hotmail.com (it contains a worm/virus)

Go to C:\Backup\Outlook.pst/Personal Folders/Jokes delete these from the jokes folder :-

10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html (it contains a worm/virus)

C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Jokes.dbx :- another infected e-mail

delete this :- [From "Kenneth. J. Richards" <KJRichards@sympatico.ca>][Date Wed, 10 Sep 2003 08:02:45 -0500]/html (it contains a worm/virus)

C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items < empty the Deleted Items folder

C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com (it contains a worm/virus)

C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html (it contains a worm/virus)

C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items < empty this folder

C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:

C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html


Empty your Symantec AntiVirus Corporate Edition Quarantine folder

Empty your \.housecall6.6\Quarantine folder

Then run a new KASPERSKY ONLINE SCAN and post the log so that I can see if either of us missed anything.

Also....

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the entries in the list below ... when all are ticked (checked), click the Fix Checked button at the bottom :-

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - (no file)
O2 - BHO: (no name) - {963E2C03-2BC4-48C7-A427-7DD550AEA9D2} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O20 - Winlogon Notify: qommjjj - C:\WINDOWS\


Then post a new hijackthis log as well...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
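The entries the helper asks to fix above fall into two classes that are worth telling apart when reading a HijackThis log: O2/O3 lines ending in "(no file)" are orphaned COM registrations (the CLSID is still in the registry but the DLL is gone, so nothing loads from them and they are safe cleanup), while the O20 Winlogon Notify line for qommjjj is a loader entry that makes winlogon.exe load a DLL at boot, which is the persistence mechanism Vundo/Virtumonde used. The script below is an added example written for this page, not a tool from the thread or from the HijackThis project; it triages constructed sample lines modelled on the ones quoted here. The extra benign lines (an Adobe BHO, the TeaTimer run key, the ScCertProp notify package, the Symantec service) and the list of Windows XP default Winlogon\Notify subkeys are my assumptions, not data from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the O2/O3/O20/O23 entries quoted in this
# thread plus a few assumed-benign lines for contrast (not from the original post).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: qommjjj - C:\WINDOWS\
O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry is "O<n> - <kind>: <rest>"; the kind never contains a colon.
LINE_RE = re.compile(r"^O(?P<num>\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")

# Winlogon\Notify subkeys that ship with Windows XP (assumed baseline; OEM and
# security products add their own, so a miss here is "review", not "malicious").
XP_WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    section: str    # O2, O3, O4, O20, O23 ...
    severity: str   # "high", "review", "cleanup" or "info"
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; returns None for non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, kind, rest = "O" + m["num"], m["kind"], m["rest"]

    if section in ("O2", "O3"):  # Browser Helper Objects and IE toolbars (COM CLSIDs)
        if rest.endswith("(no file)"):
            return Finding(section, "cleanup", line,
                           "CLSID points at a file that no longer exists; nothing loads "
                           "from it, but the dead registration should be removed")
        return Finding(section, "info", line, f"{kind} backed by a file on disk")

    if section == "O20" and kind == "Winlogon Notify":
        name, _, path = rest.partition(" - ")
        if not path.strip().lower().endswith(".dll"):
            # A bare directory means the DLL name was dropped or the file is hidden:
            # the loader entry survives, which is how Vundo/Virtumonde keeps coming back.
            return Finding(section, "high", line,
                           f"Winlogon Notify package '{name}' names no DLL; loader entry "
                           "left by a removed or hidden DLL (Vundo-style persistence)")
        if name.lower() not in XP_WINLOGON_NOTIFY_BASELINE:
            return Finding(section, "review", line,
                           f"Winlogon Notify package '{name}' is not an XP default; "
                           "verify the DLL's publisher before trusting it")
        return Finding(section, "info", line, "Winlogon Notify package in the XP baseline")

    if section == "O23":  # NT services
        if "Unknown owner" in rest:
            return Finding(section, "review", line,
                           "service binary carries no company name; verify it "
                           "(often a legitimate OEM helper, e.g. a wireless tray service)")
        return Finding(section, "info", line, "service with a company name")

    if section == "O4":  # Run keys: the entries msconfig merely deactivates
        hive = kind.split("\\", 1)[0]
        value = re.search(r"\[(.*?)\]", rest)
        value_name = value.group(1) if value else "?"
        return Finding(section, "info", line,
                       f"run-key startup entry '{value_name}' under {hive}")

    return Finding(section, "info", line, "section not classified by this triage")


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:7}] {f.line}\n          {f.reason}")
    print(summarize(results))
```

Run against the sample it reports the two "(no file)" lines as cleanup, the qommjjj notify package as high, the WLTRYSVC service and nothing else as review; the O4 line shows where the TeaTimer run key lives (HKCU), which is the key the helper explains msconfig only deactivates rather than deletes.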

#7 cpicardo
  • Topic Starter
  • Members
  • 6 posts

Posted 25 March 2008 - 09:05 PM

Hi Steam,

Thanks for the explanation about Tea Timer.

KAV log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 25, 2008 9:14:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/03/2008
Kaspersky Anti-Virus database records: 663509
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 82176
Number of viruses found: 6
Number of infected objects: 18
Number of suspicious objects: 9
Duration of the scan process: 01:21:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840005.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\history.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\key3.db Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\SupportSoft\DellSupportCenter\Tania Rodrigues\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\2111.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\AVP1A49.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\AVP1A4A.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\~DF4740.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\~DF924E.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/23 Oct 2004 23:04 from lemons_limes@hotmail.com:[Bulk] Failure (/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/24 Oct 2004 03:33 from deepke@rediffmail.com:[Bulk] Unknown Exce/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/27 Oct 2004 14:49 from chitra_mv@yahoo.com:[Bulk] Unknown Except/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Dec 2004 21:02 from sonix_007@rediffmail.com:[Bulk] Mail Deli/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Nov 2004 23:22 from pmartin24@rogers.com:[Bulk] Mail Delivery/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/22 Nov 2004 01:00 from deepsi_doodle@hotmail.com:[Bulk] Delivery/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/19 Nov 2004 09:02 from ketank1@hotmail.com:[Bulk] Failure (tania/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Dec 2004 02:36 from tasha_ahmed@hotmail.com:[Bulk] Unknown Ex/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error (tan/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html Infected: Virus.JS.Fortnight.f skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 10, suspicious - 9 skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Clive on Bike.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00426.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00481.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Early Valentine.doc Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\From The Heart___.htm Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Thumbs.db Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Valentine Card.gif Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dhgtqguv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/byxxy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/qommjjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9550B624-1591-4F5F-A4C5-7E1E2F74021B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:57 PM, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4ca.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/119d68d2258d65107320/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how...ork/getfqdn.cab
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10705 bytes


Clive

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 26 March 2008 - 02:29 PM

Hi

Your hijackthis log is now clean ...

I can see you've deleted some of the infected e-mails, but you still have a lot left ...

This folder deleted items...

C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/deleted items

Contains a lot of mails infected with Email-Worm.Win32.NetSky.r

These mails date back to Oct\Nov\Dec 2004 ... I suggest you delete everything in that folder ...

Also from ...Sep 2003 & Oct 2004 you have the following in these folders, which you need to delete :-

C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error
>>>>>(tan.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/28 Oct 2004 07:53 from harveykalsi@hotmail.com:[Bulk] Error
>>>>>(tan/message.pif Infected: Email-Worm.Win32.NetSky.r skipped

C:\Documents and Settings\TRodrigues\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Jokes/10 Sep 2003 13:00 to Adrian & Ruby Fraser:Keep smiling!!!.html
>>>>>Infected: Virus.JS.Fortnight.f skipped

Then do this please ...


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\Quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Post the DrWeb.csv report

& a new KASPERSKY ONLINE SCAN and post the log


steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 cpicardo

cpicardo
  • Topic Starter

  • Members
  • 6 posts

Posted 27 March 2008 - 09:49 PM

Hi Steam,

Dr Web Log:
RegUBP2b-Tania Rodrigues.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch.origin;Incurable.Moved.;
A0000024.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1;Probably SCRIPT.Virus;Incurable.Moved.;
A0000085.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Probably BATCH.Virus;Incurable.Moved.;
A0000091.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Probably SCRIPT.Virus;Incurable.Moved.;
A0000130.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.StartPage.1505;Deleted.;
A0000219.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2;Trojan.StartPage.1505;Deleted.;

KAV Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 27, 2008 10:43:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/03/2008
Kaspersky Anti-Virus database records: 667680
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 82142
Number of viruses found: 2
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:18:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840005.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\DoctorWeb\Quarantine\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\SupportSoft\DellSupportCenter\Tania Rodrigues\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\~DF52E0.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Clive on Bike.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00426.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00481.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Early Valentine.doc Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\From The Heart___.htm Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Thumbs.db Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Valentine Card.gif Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dhgtqguv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/byxxy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/qommjjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000437.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Clive

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:06:06 AM

Posted 28 March 2008 - 04:55 PM

Hi

Nearly there

Everything left is in quarantine or system restore ...

Let's finish it off ...

1. Somewhere in your Symantec AntiVirus Corporate Edition there must be a button to Empty your Symantec AntiVirus Corporate Edition Quarantine folder

these 2 files are vundo :-

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840005.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

If you can't find how to empty the quarantine folder (I can't help you there), then it will do no harm to leave them, as they are no problem whilst in that folder; just DON'T reinstall them from quarantine ...

-
2. Dr.Web Cureit is a stand-alone program ... so to delete it & what it quarantined, please do this :-

Delete the drweb-cureit.exe file from your desktop ...

Delete the %userprofile%\DoctorWeb\Quarantine folder ...

that's this folder :-

C:\Documents and Settings\Tania Rodrigues\DoctorWeb\Quarantine

-
3. Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


-
4. This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

If you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

THEN ... Run a new KASPERSKY ONLINE SCAN and post the log

steam

Edited by steamwiz, 28 March 2008 - 04:56 PM.

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
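The triage steamwiz applies to these Kaspersky reports (ignore the "Object is locked" noise, treat anything left in a quarantine store or a System Restore point as inert, and flag anything else) can be scripted. This is an added example, not code from the thread or from Kaspersky; the function names are mine, and the sample report is an excerpt of lines from the logs above plus one constructed placeholder path to show what a live detection looks like.

```python
"""Triage of a Kaspersky Online Scanner report: skip 'Object is locked' noise and
sort each detection by where it sits (quarantine, restore point, or live)."""
import re

# One report line is "<path> <status>". Paths contain spaces, so the regex anchors
# on the status suffix and takes everything before it as the path.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"(?P<locked>Object is locked skipped)"
    r"|Infected:\s+(?P<name>\S+)\s+skipped"
    r"|ZIP:\s+infected\s+-\s+(?P<count>\d+)\s+skipped"
    r")$"
)

# Where a detection is inert: a quarantine store (Symantec .VBN files, ComboFix's
# QooBox, Dr.Web CureIt's folder) or a System Restore point.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\qoobox\\")
RESTORE_MARKER = "\\system volume information\\_restore"

def classify_path(path):
    """Return 'restore_point', 'quarantine' or 'live' for a detection path."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "restore_point"
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"

def triage(report_text):
    """Bucket every detection; only the 'live' bucket needs action."""
    result = {"locked": 0, "quarantine": [], "restore_point": [], "live": []}
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank, statistics or 'Scan process completed.'
        if m.group("locked"):
            result["locked"] += 1
        elif m.group("count") is None:  # skip ZIP totals; their members are listed
            bucket = classify_path(m.group("path"))
            result[bucket].append((m.group("path"), m.group("name")))
    return result

def is_clean(result):
    """The thread's rule: clean when nothing is left outside quarantine or restore points."""
    return not result["live"]

# Constructed sample: lines taken from the reports in this thread, plus one
# placeholder path (example_placeholder.dll is made up) to show a live detection.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\DoctorWeb\Quarantine\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip/qommjjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-23_120534.05.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000437.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\WINDOWS\SYSTEM32\example_placeholder.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for bucket in ("quarantine", "restore_point", "live"):
        for path, name in summary[bucket]:
            print(f"{bucket:14} {name}  {path}")
    print("locked (ignored):", summary["locked"], "| clean:", is_clean(summary))
```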

#11 cpicardo

cpicardo
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:06 AM

Posted 28 March 2008 - 10:40 PM

Hi Steam,

Hopefully this is the last one.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 28, 2008 11:38:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 670089
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 81277
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:23:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\history.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\key3.db Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\Mozilla\Firefox\Profiles\60bpx41j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Application Data\SupportSoft\DellSupportCenter\Tania Rodrigues\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\History\History.IE5\MSHist012008032820080329\index.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temp\~DFE9C4.tmp Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tania Rodrigues\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Clive on Bike.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00426.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\DSC00481.JPG Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Early Valentine.doc Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\From The Heart___.htm Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Thumbs.db Object is locked skipped
C:\Documents and Settings\TRodrigues\My Documents\My Pictures\Clive\Valentine Card.gif Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0404NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0791NAV~.TMP Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Clive

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:06:06 AM

Posted 29 March 2008 - 09:04 AM

Hi

Excellent ... :blink:

Your logs are now clean, so if you have no further problems or questions ....

Happy surfing :thumbsup:

steam

#13 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:06:06 AM

Posted 22 June 2008 - 04:31 PM

As this thread is resolved, :thumbsup: it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
