Infected W/ Virtumonde.dll Malware?


#1 brkdrvr

Posted 07 April 2008 - 06:25 AM

KASPERSKY ONLINE SCANNER REPORT
Monday, April 07, 2008 5:46:57 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/04/2008
Kaspersky Anti-Virus database records: 687522


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 118398
Number of viruses found 16
Number of infected objects 55
Number of suspicious objects 7
Duration of the scan process 02:26:12

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B298FC92.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\DE2E60A2.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Desktop\emusic_setup_bundle.exe/stream/data0283/data0003 Infected: not-a-virus:AdWare.Win32.Comet.be skipped

C:\Documents and Settings\Owner\Desktop\emusic_setup_bundle.exe/stream/data0283 Infected: not-a-virus:AdWare.Win32.Comet.be skipped

C:\Documents and Settings\Owner\Desktop\emusic_setup_bundle.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.be skipped

C:\Documents and Settings\Owner\Desktop\emusic_setup_bundle.exe NSIS: infected - 3 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008040620080407\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Old HP\HP_PAVILION (E)\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From vickie ][Date Wed, 16 Jul 2003 12:00:22 +0000 (GMT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From vickie ][Date Wed, 16 Jul 2003 12:00:22 +0000 (GMT)]/UNNAMED/bkcrd.pif Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From vickie ][Date Wed, 16 Jul 2003 12:00:22 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From breakers ][Date Mon, 30 Jun 2003 04:00:55 -0500]/UNNAMED/wtt.bat Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From breakers ][Date Mon, 30 Jun 2003 04:00:55 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Thu, 26 Jun 2003 10:33:31 --0400]/your_details.zip/details.pif Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Thu, 26 Jun 2003 10:33:31 --0400]/your_details.zip Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ginskip ][Date Thu, 10 Jul 2003 20:05:16 +0000 (GMT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ginskip ][Date Thu, 10 Jul 2003 20:05:16 +0000 (GMT)]/UNNAMED/2677tn[1].exe Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ginskip ][Date Thu, 10 Jul 2003 20:05:16 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From bill ][Date Wed, 9 Jul 2003 09:08:39 +0000 (GMT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From bill ][Date Wed, 9 Jul 2003 09:08:39 +0000 (GMT)]/UNNAMED/arial,.pif Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From bill ][Date Wed, 9 Jul 2003 09:08:39 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From lheesters ][Date Sat, 5 Jul 2003 20:29:48 +0000 (GMT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From lheesters ][Date Sat, 5 Jul 2003 20:29:48 +0000 (GMT)]/UNNAMED/ljh.bat Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From lheesters ][Date Sat, 5 Jul 2003 20:29:48 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Tue, 1 Jul 2003 15:44:25 --0500]/UNNAMED/your_details.zip/details.pif Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Tue, 1 Jul 2003 15:44:25 --0500]/UNNAMED/your_details.zip Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Tue, 1 Jul 2003 15:44:25 --0500]/UNNAMED Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Tue, 1 Jul 2003 11:43:16 --0400]/UNNAMED/your_details.zip/details.pif Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Tue, 1 Jul 2003 11:43:16 --0400]/UNNAMED/your_details.zip Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Tue, 1 Jul 2003 11:43:16 --0400]/UNNAMED Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Sun, 29 Jun 2003 16:51:52 --0400]/UNNAMED/your_details.zip/details.pif Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Sun, 29 Jun 2003 16:51:52 --0400]/UNNAMED/your_details.zip Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From ][Date Sun, 29 Jun 2003 16:51:52 --0400]/UNNAMED Infected: Email-Worm.Win32.Sobig.e skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From scndsrce ][Date Thu, 26 Jun 2003 12:55:00 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From scndsrce ][Date Thu, 26 Jun 2003 12:55:00 -0500]/UNNAMED/use..exe Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From scndsrce ][Date Thu, 26 Jun 2003 12:55:00 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From Sabina Silkworth ][Date Fri, 18 Jul 2003 13:19:11 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From Sabina Silkworth ][Date Fri, 18 Jul 2003 13:19:11 -0400]/UNNAMED/dpe.dus.scr Infected: Email-Worm.Win32.Tanatos.a skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From Sabina Silkworth ][Date Fri, 18 Jul 2003 13:19:11 -0400]/UNNAMED Infected: Email-Worm.Win32.Tanatos.a skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From chadwickscs ][Date Sun, 27 Jul 2003 08:45:37 +0000 (GMT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From chadwickscs ][Date Sun, 27 Jul 2003 08:45:37 +0000 (GMT)]/UNNAMED/picacu.bat Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx/[From chadwickscs ][Date Sun, 27 Jul 2003 08:45:37 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped

C:\Old HP\HP_PAVILION (E)\WINDOWS\Application Data\Identities\{13775460-9B9B-11D3-9F00-8E4DC7ECCA1B}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 27, suspicious - 7 skipped

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\yayyywt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-04-06_205231.17.zip/Documents and Settings/Owner/Desktop/catchme.zip/ljjhfdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-04-06_205231.17.zip/Documents and Settings/Owner/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-04-06_205231.17.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1006\A0132797.exe Infected: Trojan-Downloader.Win32.Agent.lbx skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1008\A0133797.exe Infected: Trojan-Downloader.Win32.Agent.lbx skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1026\A0135947.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1031\A0136085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lua skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1031\A0136088.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lxl skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\A0136542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\A0136575.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\A0136575.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\A0136575.exe RarSFX: infected - 2 skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\A0136584.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\change.log Object is locked skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP991\A0130523.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cfo skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP991\A0130524.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cfk skipped

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP991\A0130525.dll Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\VundoFix Backups\pmkjg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped

C:\VundoFix Backups\ssqrr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped

C:\WINDOWS\$_hpcst$.hpc Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\fqspogw.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cfj skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\vtuts.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1038\change.log Object is locked skipped

Scan process completed.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-07 05:52:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
176: 2008-04-07 10:52:23 UTC - RP1040 - Deckard's System Scanner Restore Point
175: 2008-04-07 08:03:34 UTC - RP1039 - Software Distribution Service 3.0
174: 2008-04-06 21:56:36 UTC - RP1038 - Software Distribution Service 3.0
173: 2008-04-06 21:41:33 UTC - RP1037 - ComboFix created restore point
172: 2008-04-05 22:27:20 UTC - RP1036 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-14 18:48:17 UTC - RP865 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-07 05:55:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AOOYDKAW\dss[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: (no name) - {337BF021-AECA-4163-8283-DC83FACBE459} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {F63B1DE7-3863-4BEB-9478-4C95534C654A} - C:\WINDOWS\system32\ddaya.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: enlfxgw - {6F935236-97C7-42A0-AD79-AD299EB60E83} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM0fc81340] Rundll32.exe "C:\WINDOWS\system32\doggdmga.dll",s
O4 - HKLM\..\Run: [0cfb20dc] rundll32.exe "C:\WINDOWS\system32\euniroaf.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5078] command /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9474] cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2693] command /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2125] cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=18160e5b-c4e8-4e54-a5cd-cae1ed670db3
O4 - HKCU\..\RunOnce: [SpybotDeletingB1878] command /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7467] cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2373] command /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1929] cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://www.foxnews.com (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7.../OGAControl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172624174921
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: PrxWin - {9d89ac75-0691-4ba6-b1b9-4ecc6181dc9b} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 13284 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 BCM43XX (BCM 802.11g Network Adapter Driver) - c:\windows\system32\drivers\bcmwl5.sys <Not Verified; Belkin Corporation; Belkin 802.11 Wireless Network Adapter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_058F&PID_9360\9205291
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_058F&PID_9360\9205291
Service: USBSTOR

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Belkin 802.11g Network Adapter
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70001799&REV_02\4&1A671D0C&0&58F0
Manufacturer: Broadcom
Name: Belkin 802.11g Network Adapter
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70001799&REV_02\4&1A671D0C&0&58F0
Service: BCM43XX


-- Scheduled Tasks -------------------------------------------------------------

2008-04-06 20:53:17 438 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-04-06 12:58:04 372 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-04-01 19:37:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-31 20:00:00 622 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job


-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-06 22:02:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 22:02:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 22:02:26 0 d-------- C:\WINDOWS\LastGood
2008-04-06 21:00:30 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-06 16:39:11 68096 --a------ C:\WINDOWS\zip.exe
2008-04-06 16:39:11 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 16:39:11 98816 --a------ C:\WINDOWS\sed.exe
2008-04-06 16:39:11 80412 --a------ C:\WINDOWS\grep.exe
2008-04-06 16:39:11 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-06 16:39:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-06 16:39:10 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 16:39:10 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 12:57:49 0 d-------- C:\Program Files\RegCure
2008-04-06 10:20:44 0 d-------- C:\VundoFix Backups
2008-04-06 10:13:04 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-06 10:13:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-06 10:13:04 86016 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-06 10:13:04 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-06 10:13:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-06 10:13:03 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:13:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-06 20:53:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-06 10:14:19 3402 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-25 13:47:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-06 16:22:24 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-05 16:06:06 2540 --a------ C:\WINDOWS\unins000.dat
2008-03-05 16:04:02 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-05 13:12:26 94208 --a------ C:\WINDOWS\fqspogw.exe
2008-02-13 09:49:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{337BF021-AECA-4163-8283-DC83FACBE459}]
C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F63B1DE7-3863-4BEB-9478-4C95534C654A}]
C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 02:11 AM]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [05/20/2002 07:36 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/28/2005 11:23 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [01/23/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [05/02/2007 07:00 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BM0fc81340"="C:\WINDOWS\system32\doggdmga.dll" []
"0cfb20dc"="C:\WINDOWS\system32\euniroaf.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/11/2007 12:17 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [02/03/2004 12:42 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=18160e5b-c4e8-4e54-a5cd-cae1ed670db3
"SpybotDeletingB1878"=command /c del "C:\WINDOWS\system32\vtuts.dll_old"
"SpybotDeletingD7467"=cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"
"SpybotDeletingB2373"=command /c del "C:\WINDOWS\system32\vtuts.dll_old"
"SpybotDeletingD1929"=cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA5078"=command /c del "C:\WINDOWS\system32\vtuts.dll_old"
"SpybotDeletingC9474"=cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"
"SpybotDeletingA2693"=command /c del "C:\WINDOWS\system32\vtuts.dll_old"
"SpybotDeletingC2125"=cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 11/15/2007 10:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CheckNetworkConnection]
"C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=18160e5b-c4e8-4e54-a5cd-cae1ed670db3

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA756]
command /c del "C:\WINDOWS\system32\vtuts.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB4305]
command /c del "C:\WINDOWS\system32\jkklj.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB9232]
command /c del "C:\WINDOWS\system32\vtuts.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC3995]
cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD8394]
cmd /c del "C:\WINDOWS\system32\vtuts.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=0 (0x0)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"SymAppCore"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"ose"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ISPwdSvc"=3 (0x3)
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8118 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-07 05:57:59 ------------

Edited by brkdrvr, 07 April 2008 - 08:54 AM.
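As an added triage example (this is not code from the thread, from HijackThis or from Deckard's System Scanner), the script below reads the kinds of lines the log above is made of and flags the entries that make it read as Vundo/Virtumonde: Browser Helper Objects and Run values pointing at DLLs with random 5-8 letter names dropped straight into system32 (vtuts.dll, ddaya.dll, doggdmga.dll, euniroaf.dll), Run value names that are bare hex (BM0fc81340, 0cfb20dc), a freshly written random-named executable in C:\WINDOWS (fqspogw.exe), and autostarts whose target is already gone. The sample input is copied from the log above; the allowlist of known short-named system32 binaries and the name-length thresholds are assumptions, not a published signature.

```python
"""Triage helper for HijackThis and Deckard's System Scanner (DSS) text.

Added example, not a tool from the thread. Heuristics for the Vundo/Virtumonde
pattern in the log above: a 5-8 letter lowercase .dll/.exe dropped straight into
C:\\WINDOWS or system32, a Run value named with 8 hex digits (optionally "BM"-prefixed),
a BHO loaded from the Windows directory, and any autostart whose target is missing.
"""
import re

# Assumed allowlist of legitimate short-named system32 binaries; extend it from a
# known-good baseline or RANDOM_NAME will flag them as well.
KNOWN_SYSTEM32 = {"ctfmon.exe", "hkcmd.exe", "igfxtray.exe", "dumprep.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")
HEX_VALUE_NAME = re.compile(r"^(?:BM)?[0-9a-f]{8}$")
MISSING_MARKERS = ("(no file)", "(file missing)")

HJT_LINE = re.compile(r"^O(\d+) - (.+?): (.*)$")
DSS_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<qpath>[^"]*)"|(?P<path>.+?))'
                       r'(?:\s*\[(?P<meta>[^\]]*)\])?\s*$')
DSS_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+[-a-z]+\s+"
                      r"(?P<path>.+?)(?:\s+<.*>)?$")


def reasons_for(target, value_name=None, is_bho=False):
    """List every heuristic the autostart target trips (empty list if none)."""
    parent, _, name = target.strip('"').lower().rpartition("\\")
    in_sysdir = parent + "\\" in SYSTEM_DIRS
    hits = []
    if any(m in target for m in MISSING_MARKERS):
        hits.append("autostart points at a file that no longer exists")
    if in_sysdir and RANDOM_NAME.match(name) and name not in KNOWN_SYSTEM32:
        hits.append(f"random-looking binary {name} dropped directly into the Windows directory")
    if is_bho and in_sysdir:
        hits.append("BHO registered from the Windows directory rather than Program Files")
    if value_name and HEX_VALUE_NAME.match(value_name):
        hits.append(f"Run value name {value_name!r} is random hex")
    return hits


def triage(text):
    """Walk HJT O-lines, DSS file listings and DSS registry-dump blocks; return (line, reasons)."""
    findings, section = [], ""
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if hjt := HJT_LINE.match(line):
            kind, body, value_name = hjt.group(1), hjt.group(3), None
            if kind == "4":                               # O4 - HKCU\..\Run: [name] target
                m = re.match(r"\[(.+?)\] (.*)$", body)
                if m:
                    value_name, body = m.group(1), m.group(2)
            target = body if kind == "4" else body.rsplit(" - ", 1)[-1]   # "... - {CLSID} - path"
            hits = reasons_for(target, value_name)
        elif line.startswith(("[HKEY_", "-- ")):          # registry key or DSS section banner
            section = line.lower()
            continue
        elif dv := DSS_VALUE.match(line):                 # "name"="path" [version info]
            hits = reasons_for(dv.group("qpath") or dv.group("path"), dv.group("name"))
        elif df := DSS_FILE.match(line):                  # date time size attrs path <vendor>
            hits = reasons_for(df.group("path"))
        elif "browser helper objects" in section:         # DSS prints the BHO DLL on its own line
            hits = reasons_for(line, is_bho=True)
        else:
            continue
        if hits:
            findings.append((line, hits))
    return findings


# Constructed sample: lines copied from the log above, plus benign neighbours for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O21 - SSODL: PrxWin - {9d89ac75-0691-4ba6-b1b9-4ecc6181dc9b} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
-- Find3M Report ---
2008-04-06 10:14:19 3402 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-05 13:12:26 94208 --a------ C:\WINDOWS\fqspogw.exe
-- Registry Dump ---
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{337BF021-AECA-4163-8283-DC83FACBE459}]
C:\WINDOWS\system32\vtuts.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F63B1DE7-3863-4BEB-9478-4C95534C654A}]
C:\WINDOWS\system32\ddaya.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"BM0fc81340"="C:\WINDOWS\system32\doggdmga.dll" []
"0cfb20dc"="C:\WINDOWS\system32\euniroaf.dll" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB1878"=command /c del "C:\WINDOWS\system32\vtuts.dll_old"
"""

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(hits))
```

Treat hits as review items, not verdicts: the random-name rule also fires on legitimately dropped helper tools such as those listed under "Files created" above (swreg.exe, VFind.exe, PSEXESVC.EXE), which is why the allowlist exists, and a missing target such as the Java console button is stale rather than hostile. The empty "[]" after the two suspect Run values in the DSS dump (no version information on the DLL) is a further sign worth checking by hand.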




#2 rookie147

  • Members
  • 5,321 posts

Posted 07 April 2008 - 02:58 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation.




