Virtumonde Infection


16 replies to this topic

#1 boddah98 (Members, 8 posts)

Posted 26 May 2008 - 11:45 AM

I've run Spybot S&D, Ad-Aware, Panda Scan, Spysweeper, Vundo Fix, & VirtumundoBeGone and I still can't get rid of the Virtumonde infection. Thanks in advance for any help provided.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-26 12:22:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-05-26 16:23:21 UTC - RP79 - Deckard's System Scanner Restore Point
22: 2008-05-25 18:30:55 UTC - RP78 - Last known good configuration
21: 2008-05-25 18:30:42 UTC - RP77 - Software Distribution Service 3.0
20: 2008-05-25 18:30:41 UTC - RP76 - System Checkpoint
19: 2008-05-25 18:30:40 UTC - RP75 - Installed Ad-Aware


-- First Restore Point --
1: 2008-05-25 18:30:35 UTC - RP57 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-26 12:25:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrlS.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\soundman.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\ApVxdWin.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {0AAC82E9-CA9E-4F94-A80E-59CF9173AA85} - C:\WINDOWS\system32\xxywWmnM.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {6F55496E-A074-4689-ABE8-F5D8EC4D6F4D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: (no name) - {D16BF1FC-E7A4-46AA-9082-C294D118CAFA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [f458ea1f] rundll32.exe "C:\WINDOWS\system32\ewrjkoug.dll",b
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-K2RGT.exe" /REG
O4 - HKCU\..\Run: [Windows Registry Repair Pro] "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" 4
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/i263_32.cab
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/A...01F/wmvadvd.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.5.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179206684828
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...B?37871.9759375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: ddccd - C:\WINDOWS\system32\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 3600 series -product=
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrlS.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\addtw32.exe /s


--
End of file - 12781 bytes

-- File Associations -----------------------------------------------------------

.ini - GetDiz.Document - DefaultIcon - unable to read value
.ini - GetDiz.Document - shell\open\command - "C:\Program Files\GetDiz\GetDiz.exe" "%1"
.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 pavdrv (Panda Antivirus Filter Driver for x86) - c:\windows\system32\drivers\pavdrv51.sys <Not Verified; Panda Software International; Panda Residents>
R3 ltmodem5 (Agere Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys <Not Verified; Agere Systems; Agere V.92 Data+Fax Modem Version 8.30>

S2 PavProc (Panda Process Protection Driver) - c:\windows\system32\drivers\pavproc.sys (file missing)
S3 ADSFilter (ADSFilter - (Aluria Filter Driver)) - c:\windows\system32\drivers\adsfilter.sys (file missing)
S3 BW2NDIS5 - c:\windows\system32\drivers\bw2ndis5.sys (file missing)
S3 L2XPSR - e:\release\l2xpsr.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 FolderSize (Folder Size) - "c:\program files\foldersize\foldersizesvc.exe" <Not Verified; Brio; Folder Size for Windows>
R2 Panda Software Controller - "c:\program files\panda software\panda antivirus 2007\psctrls.exe" <Not Verified; Panda Software International; Panda Corporative Solutions>
R2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda antivirus 2007\pavsrv51.exe" <Not Verified; Panda Software International; Panda residents>
R2 PSIMSVC (Panda IManager Service) - "c:\program files\panda software\panda antivirus 2007\psimsvc.exe" <Not Verified; Panda Software International; Panda Interface Manager>
R2 RetroExpLauncher (Retrospect Express HD Launcher) - c:\progra~1\dantz\retros~1\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>

S2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe" (file missing)
S2 RetroExp Helper (Retrospect Express HD Restore Helper) - "c:\progra~1\dantz\retros~1\rthlpsvc.exe" <Not Verified; Dantz Development Corporation; Retrospect>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S4 hpdj - c:\docume~1\owner\locals~1\temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 3600 series -product= (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-25 18:42:28 1594 --a------ C:\WINDOWS\Tasks\wrSpySweeper_LA8EED1781A4B4BD985DC12E342D7119D.job
2008-05-25 18:30:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-30 19:25:00 334 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN36G3D2X06B.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-25 20:39:08 680960 --a------ C:\WINDOWS\is-K2RGT.exe
2008-05-25 18:20:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-25 18:18:46 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-05-25 18:17:13 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-05-25 18:17:13 0 d--h----- C:\Documents and Settings\LocalService\NetHood
2008-05-25 18:17:13 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-05-25 18:17:09 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-25 18:17:09 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-05-25 18:11:07 115712 --a------ C:\WINDOWS\system32\ewrjkoug.dll
2008-05-25 18:10:40 136704 --a------ C:\WINDOWS\system32\gspfytky.dll
2008-05-25 14:31:58 2560 --a------ C:\WINDOWS\system32\qsnkhqgd.exe
2008-05-25 14:31:40 125440 --a------ C:\WINDOWS\system32\sygtggux.dll
2008-05-25 14:30:24 907596 --ahs---- C:\WINDOWS\system32\MnmWwyxx.ini2
2008-05-25 14:30:19 370688 --a------ C:\WINDOWS\system32\xxywWmnM.dll
2008-05-23 00:50:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 00:50:14 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 22:36:13 135680 --a------ C:\WINDOWS\system32\klsvnhhq.dll
2008-05-21 22:36:04 2560 --a------ C:\WINDOWS\system32\qbhoqqus.exe
2008-05-21 22:32:47 128000 --a------ C:\WINDOWS\system32\hwdutsyi.dll
2008-05-21 21:18:41 174592 --a------ C:\WINDOWS\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-21 21:15:13 37 --a------ C:\WINDOWS\X!Ü
2008-05-21 20:52:38 0 d-------- C:\Program Files\Exterminate It!
2008-05-21 20:05:36 0 d-------- C:\VundoFix Backups
2008-05-21 02:41:54 0 d-------- C:\Program Files\OpenAL
2008-05-21 02:41:53 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-21 02:41:51 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-05-21 02:36:36 0 d-------- C:\Program Files\Puzzle Quest2
2008-05-21 02:25:17 9341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
2008-05-21 02:25:04 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-21 02:25:04 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-20 22:35:49 2560 --a------ C:\WINDOWS\system32\nxjsjrrt.exe
2008-05-20 02:31:54 71680 --a------ C:\WINDOWS\system32\drivers\PAVDRV51.SYS <Not Verified; Panda Software International; Panda Residents>
2008-05-20 02:31:30 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-05-20 02:25:35 0 d-------- C:\WINDOWS\system32\PAV
2008-05-20 02:16:39 45056 --a------ C:\WINDOWS\system32\avldr.dll <Not Verified; Panda Software International; Panda residents>
2008-05-20 02:15:23 0 d-------- C:\Program Files\Panda Software
2008-05-19 19:24:51 2560 --a------ C:\WINDOWS\system32\romltkve.exe
2008-05-19 01:44:45 898620 --ahs---- C:\WINDOWS\system32\fOUBayay.ini2
2008-05-04 05:26:11 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-04 00:44:13 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-04 00:00:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-03 21:57:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Download Manager
2008-04-26 17:41:22 0 dr-h----- C:\Documents and Settings\Owner\Recent


-- Find3M Report ---------------------------------------------------------------

2008-05-25 21:18:45 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-25 20:35:08 0 d-------- C:\Program Files\iolo
2008-05-23 00:12:10 0 d-------- C:\Program Files\Lavasoft
2008-05-23 00:11:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 02:34:00 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-21 02:17:09 37 --a------ C:\WINDOWS\X!Ä
2008-05-21 02:08:12 37 --a------ C:\WINDOWS\r007
2008-05-20 02:14:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-19 23:38:21 164 --a------ C:\install.dat
2008-05-19 09:02:49 0 d-------- C:\Program Files\Winamp2
2008-05-04 04:42:21 82208 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-04 00:44:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-04 00:44:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-04 00:44:13 0 d-a------ C:\Program Files\Common Files
2008-04-29 21:00:40 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-09 01:36:53 0 d-------- C:\Documents and Settings\Owner\Application Data\R-Wipe&Clean
2008-04-08 01:52:41 0 d-------- C:\Program Files\Puzzle Quest
2008-04-06 15:14:26 0 d-------- C:\Program Files\ratDVD
2008-04-02 02:32:45 0 d-------- C:\Program Files\RotoWire2008MLBDraftSoftware
2008-03-28 00:18:06 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost.localdomain
127.0.0.1 sitefinder.Verisign.com
127.0.0.1 sitefinder-idn.Verisign.com
127.0.0.1
127.0.0.1 ad.doubleclick.net
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1 06272002-dbase.hitcountz.net

4564 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-26 12:27:40 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 758.98 MiB / 317.56 MiB
Pagefile Memory (total/avail): 1842.66 MiB / 1392.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.59 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.97 GiB total, 9.13 GiB free.
D: is Fixed (FAT32) - 3.28 GiB total, 0.11 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400EB-11CPF0 - 37.27 GiB - 2 partitions
\PARTITION0 - Unknown - 3.29 GiB - D:
\PARTITION1 (bootable) - Installable File System - 33.97 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.) Disabled
AV: Panda Antivirus 2007 v2.01.00 (Panda Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"="C:\\Program Files\\iMesh\\Client\\iMeshClient.exe:*:Enabled:iMesh Client for PC platforms"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Installs\\utorrent.exe"="C:\\Installs\\utorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=wuclient
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
ITEMID=wuclienten
LANG=1033
LOGONSERVER=\\COMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\PROGRAM FILES\COMMON FILES\ULEAD SYSTEMS\MPEG;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM\;C:\Program Files\Panda Software\Panda Antivirus 2007\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCToolsDir=C:\Documents and Settings\All Users\Start Menu\Programs\Compaq\Compaq Presario PC Tools
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONID=1092867757889wuws07-l16ea269:feaaaa9525:-65b8
SESSIONNAME=Console
SWUTVER=1.0.1.1
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=COMPUTER
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
VERSION=2.0.35
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type84 / Error
Event Submitted/Written: 05/25/2008 10:41:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 9.0.0.3250, faulting module xebdec.ax, version 0.5.0.16, fault address 0x0000ba3d.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type82 / Error
Event Submitted/Written: 05/25/2008 10:07:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module FolderSizeColumn.dll, version 1.4.0.0, fault address 0x0000d8b0.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type79 / Error
Event Submitted/Written: 05/25/2008 07:15:16 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type74 / Error
Event Submitted/Written: 05/25/2008 06:36:41 PM / 05/25/2008 06:36:42 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type68 / Error
Event Submitted/Written: 05/25/2008 06:02:51 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type607 / Warning
Event Submitted/Written: 05/26/2008 10:13:54 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type606 / Error
Event Submitted/Written: 05/26/2008 02:47:26 AM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type605 / Error
Event Submitted/Written: 05/26/2008 02:47:26 AM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type604 / Error
Event Submitted/Written: 05/26/2008 02:47:26 AM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type603 / Error
Event Submitted/Written: 05/25/2008 09:25:47 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.



-- End of Deckard's System Scanner: finished at 2008-05-26 12:27:40 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 26, 2008 12:21:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 800416
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 97248
Number of viruses found: 23
Number of infected objects: 41
Number of suspicious objects: 12
Duration of the scan process: 06:27:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\iolo\FileInfoList\IOLOFIL.FDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip/crjb32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy16.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy34.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy34.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\System Mechanic Pro v7.5.10.5 +Serial\SystemMechanic7Pro.exe/data0000.cab/is153891.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.rji skipped
C:\Documents and Settings\Owner\Desktop\System Mechanic Pro v7.5.10.5 +Serial\SystemMechanic7Pro.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.rji skipped
C:\Documents and Settings\Owner\Desktop\System Mechanic Pro v7.5.10.5 +Serial\SystemMechanic7Pro.exe Rsrc-Package: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\v0lxcdgr.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_c74.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped
C:\Installs\AoA DVD Ripper v5.12 & Crack\AoADVDRipper.EXE/data0000.cab/nzm3.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\Installs\AoA DVD Ripper v5.12 & Crack\AoADVDRipper.EXE/data0000.cab Infected: Backdoor.Win32.Rbot.bll skipped
C:\Installs\AoA DVD Ripper v5.12 & Crack\AoADVDRipper.EXE Rsrc-Package: infected - 2 skipped
C:\Installs\areslite181.exe/data0017/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Installs\areslite181.exe/data0017/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Installs\areslite181.exe/data0017/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Installs\areslite181.exe/data0017/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Installs\areslite181.exe/data0017/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Installs\areslite181.exe/data0017 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Installs\areslite181.exe NSIS: infected - 6 skipped
C:\Installs\freeripmp3.exe/data0012 Infected: not-a-virus:AdWare.Win32.MyWay.ac skipped
C:\Installs\freeripmp3.exe Inno: infected - 1 skipped
C:\Installs\iMeshV3.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.SideStep.j skipped
C:\Installs\iMeshV3.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.CommonName.p skipped
C:\Installs\iMeshV3.exe/WISE0025.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Installs\iMeshV3.exe/WISE0025.BIN/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Installs\iMeshV3.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Installs\iMeshV3.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\Installs\iMeshV3.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Installs\iMeshV3.exe WiseSFX: infected - 7 skipped
C:\Installs\iMeshV4.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
C:\Installs\iMeshV4.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN/data0008/lsp_.dll Infected: not-a-virus:AdWare.Win32.Sahat.av skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN/data0008/SAHAgent_.exe Infected: not-a-virus:AdWare.Win32.Sahat.bb skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN/data0008/SAHDownloader_.exe Infected: not-a-virus:AdWare.Win32.Sahat.e skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN/data0008/SAHUninstall_.exe Infected: not-a-virus:AdWare.Win32.Sahat.cf skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN/data0008/WEBInstaller.dll Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN/data0008 Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\Installs\iMeshV4.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\Installs\iMeshV4.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Installs\iMeshV4.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\Installs\iMeshV4.exe WiseSFX: infected - 11 skipped
C:\Installs\kazaalite202.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\Installs\kazaalite202.exe Inno: infected - 1 skipped
C:\Installs\klr0075.zip/KLR0075.exe Infected: not-a-virus:AdWare.Win32.EShoper.k skipped
C:\Installs\klr0075.zip ZIP: infected - 1 skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP73\A0012352.dll Object is locked skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP75\A0012824.dll Object is locked skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP78\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\COMPUTER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\noknirfl.dll-virus Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\fb_412.lck Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_124.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT064d3.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT064d7.TMP Object is locked skipped
D:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP78\change.log Object is locked skipped

Scan process completed.


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 26 May 2008 - 03:03 PM

Hi

You've been downloading illegal cracks, you think you are getting something for nothing, well you certainly have ...

Your Virtumonde infection came from running this file :-

C:\Documents and Settings\Owner\Desktop\System Mechanic Pro v7.5.10.5 +Serial\SystemMechanic7Pro.exe

You have a lot more similar files infected with virus/trojans ...

Including this one which opened up a backdoor on your computer, & possibly allowed a hacker access to all your passwords and bank/credit card details ...

C:\Installs\AoA DVD Ripper v5.12 & Crack\AoADVDRipper.EXE

You must have a good idea which are all the illegal files on your computer, the first thing I suggest you do is remove them, then decide whether you want to format (due to the severity of the infection) or clean your computer ...

Should you decide to clean, follow these directions :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode :-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Then ...

run & post a new Kaspersky Online Scanner report

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
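The logs posted in this thread show how this Vundo/Virtumonde variant keeps itself alive: Run values with hex-blob names pointing at randomly named DLLs dropped into system32 a day or two before the scan, and a Browser Helper Object loaded straight from system32. As an added example that is not part of this thread and not code from ComboFix, SDFix, Malwarebytes or Kaspersky, here is a small Python triage script that parses lines in the layout ComboFix uses for its "Reg Loading Points" section and scores each autostart entry against those traits. The sample lines, the scoring rules and the threshold are my own construction (modelled on the entries visible in this thread); the LSA "Authentication Packages" persistence that MBAM reports uses a different line shape and is not covered here.

```python
"""Score autostart entries from a ComboFix-style "Reg Loading Points" section.

Added example: the parser and the scoring rules are mine, not part of
ComboFix, Malwarebytes or this thread. The sample text is constructed to
match the layout the ComboFix log in this thread uses.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Constructed sample in the ComboFix "Reg Loading Points" layout: a [key]
# header, then either "name"="path" [date time size] lines (Run keys) or
# date time size attrs path lines (BHO keys).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9af082d-ad41-4f12-bb05-33b3931e0eae}]
2008-05-26 14:45 134144 --a------ C:\WINDOWS\system32\gxetertc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"f458ea1f"="C:\WINDOWS\system32\ewrjkoug.dll" [2008-05-25 18:11 115712]
"BMf76bd983"="C:\WINDOWS\system32\wptqdlyi.dll" [2008-05-26 14:33 124928]
'''
SCAN_DAY = date(2008, 5, 26)  # day the log in this thread was taken

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*'
                    r'\[(?P<date>\d{4}-\d\d-\d\d) \d\d:\d\d (?P<size>\d+)[^\]]*\]')
FILE_RE = re.compile(r'^(?P<date>\d{4}-\d\d-\d\d) \d\d:\d\d (?P<size>\d+) \S+ '
                     r'(?P<path>[A-Za-z]:\\.+)$')
HEXNAME_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{8}$')  # e.g. f458ea1f, BMf76bd983
VOWELS = set("aeiou")


@dataclass
class Entry:
    key: str
    name: str
    path: str
    created: date
    size: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_loading_points(text: str) -> List[Entry]:
    """Walk the section, remembering the current [key] for each value line."""
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = RUN_RE.match(line) or FILE_RE.match(line)
        if m:
            name = m.groupdict().get("name") or ""
            entries.append(Entry(key, name, m["path"],
                                 date.fromisoformat(m["date"]), int(m["size"])))
    return entries


def longest_consonant_run(word: str) -> int:
    """Random 8-letter names tend to pile up consonants; count the longest run."""
    best = run = 0
    for ch in word.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def score_entry(e: Entry, scan_day: date) -> Entry:
    """Each rule is one trait of the Vundo entries seen in this thread's logs."""
    stem = e.filename.rpartition(".")[0] or e.filename
    in_sys32 = "\\system32\\" in e.path.lower()
    if e.key.lower().endswith("\\run") and e.path.lower().endswith(".dll"):
        e.score += 2
        e.reasons.append("Run value points at a DLL rather than an executable")
    if HEXNAME_RE.match(e.name):
        e.score += 1
        e.reasons.append("value name is a hex blob")
    if stem.isalpha() and len(stem) >= 6 and longest_consonant_run(stem) >= 3:
        e.score += 1
        e.reasons.append("file name looks randomly generated")
    if in_sys32 and (scan_day - e.created).days <= 7:
        e.score += 1
        e.reasons.append("dropped into system32 within the last week")
    if "browser helper objects" in e.key.lower() and in_sys32:
        e.score += 1
        e.reasons.append("BHO loaded straight from system32")
    return e


def triage(text: str, scan_day: date, threshold: int = 2) -> List[Entry]:
    """Return entries at or above the threshold, strongest first."""
    scored = [score_entry(e, scan_day) for e in parse_loading_points(text)]
    flagged = [e for e in scored if e.score >= threshold]
    return sorted(flagged, key=lambda e: (-e.score, e.path))


def triage_sample() -> List[Entry]:
    return triage(SAMPLE_LOG, SCAN_DAY)


if __name__ == "__main__":
    for e in triage_sample():
        print(f"{e.score}  {e.path}")
        for r in e.reasons:
            print(f"     - {r}")
```

Legitimate entries such as igfxtray.exe also trip the "random-looking name" rule on their own, which is why a single rule scores only one point and the threshold sits at two: the Vundo DLLs score on several traits at once, the driver helper on one. This is a reading aid for the log, not a replacement for the removal tools in the post above.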

#3 boddah98

boddah98
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 27 May 2008 - 06:34 PM

Yes, I definitely should've known better; guess I learned a lesson the hard way. Thanks for your help, here are the logs that you asked for:


SDFix: Version 1.185
Run by Owner on Mon 05/26/2008 at 08:40 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ADDNV32.DLL - Deleted
C:\WINDOWS\SYSTEM32\IPAU.DLL - Deleted
C:\WINDOWS\SYSTEM32\MFCOY32.DLL - Deleted
C:\WINDOWS\SYSTEM32\WINLW.DLL - Deleted
C:\Program Files\TMPGENC\TMPGEnc.exe - Deleted
C:\WINDOWS\system32\TFTP3732 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 21:46:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"="C:\\Program Files\\iMesh\\Client\\iMeshClient.exe:*:Enabled:iMesh Client for PC platforms"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Installs\\utorrent.exe"="C:\\Installs\\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 7 Sep 2003 196 A.SHR --- "C:\BOOT.BAK"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 29 Feb 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Fri 27 Jul 2007 1,760,957 A.SH. --- "C:\WINDOWS\system32\dccdd.bak1"
Mon 30 Jul 2007 1,776,595 A.SH. --- "C:\WINDOWS\system32\dccdd.bak2"
Fri 9 Jul 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"

Finished!

Malwarebytes' Anti-Malware 1.12
Database version: 789

Scan type: Quick Scan
Objects scanned: 46758
Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ewrjkoug.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xxywWmnM.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3c594594-df41-498a-8333-3dd2f06fff40} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3c594594-df41-498a-8333-3dd2f06fff40} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\CAC (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f458ea1f (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMf76bd983 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywwmnm -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywwmnm -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ewrjkoug.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\guokjrwe.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xxywWmnM.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\MnmWwyxx.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\MnmWwyxx.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\sygtggux.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\wptqdlyi.dll (Trojan.Agent) -> No action taken.


ComboFix 08-05-25.5 - Owner 2008-05-26 23:15:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.423 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMf76bd983.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dccdd.ini2
C:\WINDOWS\system32\fOUBayay.ini
C:\WINDOWS\system32\fOUBayay.ini2
C:\WINDOWS\system32\guokjrwe.ini
C:\WINDOWS\system32\hwdutsyi.dll
C:\WINDOWS\system32\jxqwicwe.ini
C:\WINDOWS\system32\klsvnhhq.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\meilfhvx.ini
C:\WINDOWS\system32\MnmWwyxx.ini
C:\WINDOWS\system32\MnmWwyxx.ini2
C:\WINDOWS\system32\muwrtwjq.exe
C:\WINDOWS\system32\nxjsjrrt.exe
C:\WINDOWS\system32\qbhoqqus.exe
C:\WINDOWS\system32\qsnkhqgd.exe
C:\WINDOWS\system32\romltkve.exe
C:\WINDOWS\system32\wtrafgpx.ini
C:\WINDOWS\system32\xmqdqmcs.ini
C:\WINDOWS\system32\xxywWmnM.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 23:30 . 2008-05-26 23:30 294 ---hs---- C:\WINDOWS\system32\guokjrwe.ini
2008-05-26 23:28 . 2008-05-26 23:30 109,807 --a------ C:\WINDOWS\BMf76bd983.xml
2008-05-26 23:28 . 2008-05-26 23:28 22 --a------ C:\WINDOWS\pskt.ini
2008-05-26 22:16 . 2008-05-26 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-26 22:15 . 2008-05-26 22:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 22:15 . 2008-05-26 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 22:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 22:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-26 20:28 . 2008-05-26 20:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-26 20:11 . 2008-05-26 21:56 <DIR> d-------- C:\SDFix
2008-05-26 14:45 . 2008-05-26 14:45 134,144 --a------ C:\WINDOWS\system32\gxetertc.dll
2008-05-26 14:33 . 2008-05-26 14:33 124,928 --a------ C:\WINDOWS\system32\wptqdlyi.dll
2008-05-26 12:22 . 2008-05-26 12:22 <DIR> d-------- C:\Deckard
2008-05-25 18:11 . 2008-05-25 18:11 115,712 --a------ C:\WINDOWS\system32\ewrjkoug.dll
2008-05-25 18:10 . 2008-05-25 18:10 136,704 --a------ C:\WINDOWS\system32\gspfytky.dll
2008-05-25 14:31 . 2008-05-25 14:31 125,440 --a------ C:\WINDOWS\system32\sygtggux.dll
2008-05-23 00:50 . 2008-05-23 00:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 00:50 . 2008-05-23 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 22:53 . 2008-05-22 00:20 152 --a------ C:\WINDOWS\wininit.ini
2008-05-21 21:18 . 2003-10-03 13:21 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-05-21 21:15 . 2008-05-25 12:02 37 --a------ C:\WINDOWS\X!š
2008-05-21 20:52 . 2008-05-21 20:57 <DIR> d-------- C:\Program Files\Exterminate It!
2008-05-21 20:05 . 2008-05-21 20:05 <DIR> d-------- C:\VundoFix Backups
2008-05-21 02:41 . 2008-05-21 02:41 <DIR> d-------- C:\Program Files\OpenAL
2008-05-21 02:41 . 2008-05-21 02:41 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-05-21 02:41 . 2008-05-21 02:41 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-05-21 02:36 . 2008-05-21 02:40 <DIR> d-------- C:\Program Files\Puzzle Quest2
2008-05-21 02:23 . 2008-05-21 02:23 57,344 --a------ C:\WINDOWS\system32\khfDTlJA.dll.vir
2008-05-20 22:32 . 2008-05-20 22:32 126,976 --a------ C:\WINDOWS\system32\noknirfl.dll-virus
2008-05-20 02:31 . 2007-01-23 12:49 71,680 --a------ C:\WINDOWS\system32\drivers\PAVDRV51.SYS
2008-05-20 02:31 . 2008-05-20 02:31 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-05-20 02:25 . 2008-05-20 08:45 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-05-20 02:22 . 2006-05-02 09:40 49,152 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-05-20 02:16 . 2006-07-14 13:46 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2008-05-20 02:15 . 2008-05-20 02:15 <DIR> d-------- C:\Program Files\Panda Software
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-04 05:26 . 2008-05-04 05:26 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-04 00:44 . 2008-05-04 00:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-03 21:57 . 2008-05-04 04:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Download Manager
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 03:25 362,120 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 03:25 32,122,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 00:50 --------- d-----w C:\Program Files\TMPGENC
2008-05-26 01:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-23 04:12 --------- d-----w C:\Program Files\Lavasoft
2008-05-23 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-23 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-22 01:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-22 01:20 8,136,192 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-21 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-05-20 06:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 03:38 164 ----a-w C:\install.dat
2008-05-19 13:02 --------- d-----w C:\Program Files\Winamp2
2008-05-04 08:42 82,208 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-04 04:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-09 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\R-Wipe&Clean
2008-04-08 05:52 --------- d-----w C:\Program Files\Puzzle Quest
2008-04-06 19:14 --------- d-----w C:\Program Files\ratDVD
2008-04-02 06:32 --------- d-----w C:\Program Files\RotoWire2008MLBDraftSoftware
2008-03-28 04:18 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-28 04:18 249,856 ------w C:\WINDOWS\Setup1.exe
2008-03-14 03:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2006-02-27 02:49 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2006-02-27 02:48 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2005-01-14 06:37 5,358 ----a-w C:\Documents and Settings\Owner\m00.exe
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-10-13 16:21 1,694,208 --sha-w C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
2004-03-01 03:30 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

------- Sigcheck -------

2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9af082d-ad41-4f12-bb05-33b3931e0eae}]
2008-05-26 14:45 134144 --a------ C:\WINDOWS\system32\gxetertc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Registry Repair Pro"="C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [2005-09-07 16:01 1358336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-22 22:40 176128]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 20:38 437008]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 20:39 461584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50 321072]
"f458ea1f"="C:\WINDOWS\system32\ewrjkoug.dll" [2008-05-25 18:11 115712]
"BMf76bd983"="C:\WINDOWS\system32\wptqdlyi.dll" [2008-05-26 14:33 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2006-07-14 13:46 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\SBC Yahoo!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\SBC Yahoo!\Connection Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe []
S2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 L2XPSR;L2XPSR;E:\Release\L2XPSR.SYS []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 17:10]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 22:30:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-30 23:25:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN36G3D2X06B.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet3600#CN36G3D2X06B
"2008-05-25 22:42:28 C:\WINDOWS\Tasks\wrSpySweeper_LA8EED1781A4B4BD985DC12E342D7119D.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LA8EED1781A4B4BD985DC12E342D7119D
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 23:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\guokjrwe.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ewrjkoug.dll
-> C:\WINDOWS\system32\wptqdlyi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Panda Software\Panda Antivirus 2007\PAVSRV51.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrlS.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-26 23:42:10 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-27 03:41:54

Pre-Run: 9,802,260,480 bytes free
Post-Run: 9,810,944,000 bytes free

223 --- E O F --- 2008-05-16 12:39:11


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 7:23:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 801185
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 88039
Number of viruses found: 24
Number of infected objects: 41
Number of suspicious objects: 12
Duration of the scan process: 02:13:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip/crjb32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy16.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy34.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy34.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0015997.exe/data0000.cab/is153891.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.rji skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0015997.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.rji skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0015997.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016850.exe/data0012 Infected: not-a-virus:AdWare.Win32.MyWay.ac skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016850.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.SideStep.j skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.CommonName.p skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0025.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0025.BIN/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe WiseSFX: infected - 7 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/lsp_.dll Infected: not-a-virus:AdWare.Win32.Sahat.av skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/SAHAgent_.exe Infected: not-a-virus:AdWare.Win32.Sahat.bb skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/SAHDownloader_.exe Infected: not-a-virus:AdWare.Win32.Sahat.e skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/SAHUninstall_.exe Infected: not-a-virus:AdWare.Win32.Sahat.cf skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/WEBInstaller.dll Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008 Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe WiseSFX: infected - 11 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016866.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016866.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE/data0000.cab/nzm3.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE/data0000.cab Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP80\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D093D4BB-466F-4E1C-B74C-E9CE3BD58401}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\ewrjkoug.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\noknirfl.dll-virus Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\sygtggux.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsm skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP80\change.log Object is locked skipped

Scan process completed.

#4 steamwiz

Posted 28 May 2008 - 02:30 PM

Hi

You've done well :thumbsup:

Before we clean up what's left, I want you to run Malwarebytes' Anti-Malware again ... this time I want you to let it delete all it finds ...

* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 boddah98

Posted 28 May 2008 - 08:12 PM

Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.12
Database version: 789

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125709
Time elapsed: 55 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ewrjkoug.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f458ea1f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMf76bd983 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ewrjkoug.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\guokjrwe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP78\A0015702.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP80\A0017618.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sygtggux.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wptqdlyi.dll (Trojan.Agent) -> Delete on reboot.

#6 steamwiz

Posted 29 May 2008 - 03:40 PM

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\guokjrwe.ini
C:\WINDOWS\BMf76bd983.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gxetertc.dll
C:\WINDOWS\system32\wptqdlyi.dll
C:\WINDOWS\system32\ewrjkoug.dll
C:\WINDOWS\system32\gspfytky.dll
C:\WINDOWS\system32\sygtggux.dll
C:\WINDOWS\system32\khfDTlJA.dll.vir
C:\WINDOWS\system32\noknirfl.dll-virus

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9af082d-ad41-4f12-bb05-33b3931e0eae}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f458ea1f"=-
"BMf76bd983"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccd]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

#7 boddah98

Posted 01 June 2008 - 07:48 PM

Here you go:

ComboFix 08-05-25.5 - Owner 2008-06-01 20:26:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.402 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMf76bd983.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ewrjkoug.dll
C:\WINDOWS\system32\gspfytky.dll
C:\WINDOWS\system32\guokjrwe.ini
C:\WINDOWS\system32\gxetertc.dll
C:\WINDOWS\system32\khfDTlJA.dll.vir
C:\WINDOWS\system32\noknirfl.dll-virus
C:\WINDOWS\system32\sygtggux.dll
C:\WINDOWS\system32\wptqdlyi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMf76bd983.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gspfytky.dll
C:\WINDOWS\system32\gxetertc.dll
C:\WINDOWS\system32\khfDTlJA.dll.vir
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\noknirfl.dll-virus

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-01 20:36 . 2007-01-17 09:45 15,408 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-05-26 22:16 . 2008-05-26 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-26 22:15 . 2008-05-26 22:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 22:15 . 2008-05-26 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 22:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 22:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-26 20:28 . 2008-05-26 20:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-26 20:11 . 2008-05-26 21:56 <DIR> d-------- C:\SDFix
2008-05-26 12:22 . 2008-05-26 12:22 <DIR> d-------- C:\Deckard
2008-05-23 00:50 . 2008-05-23 00:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 00:50 . 2008-05-23 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 22:53 . 2008-05-22 00:20 152 --a------ C:\WINDOWS\wininit.ini
2008-05-21 21:18 . 2003-10-03 13:21 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-05-21 21:15 . 2008-05-25 12:02 37 --a------ C:\WINDOWS\X!Ü
2008-05-21 20:52 . 2008-05-21 20:57 <DIR> d-------- C:\Program Files\Exterminate It!
2008-05-21 20:05 . 2008-05-21 20:05 <DIR> d-------- C:\VundoFix Backups
2008-05-21 02:41 . 2008-05-21 02:41 <DIR> d-------- C:\Program Files\OpenAL
2008-05-21 02:41 . 2008-05-21 02:41 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-05-21 02:41 . 2008-05-21 02:41 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-05-21 02:36 . 2008-05-21 02:40 <DIR> d-------- C:\Program Files\Puzzle Quest2
2008-05-20 02:31 . 2007-01-23 12:49 71,680 --a------ C:\WINDOWS\system32\drivers\PAVDRV51.SYS
2008-05-20 02:31 . 2008-05-20 02:31 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-05-20 02:25 . 2008-05-20 08:45 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-05-20 02:22 . 2006-05-02 09:40 49,152 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-05-20 02:16 . 2006-07-14 13:46 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2008-05-20 02:15 . 2008-05-20 02:15 <DIR> d-------- C:\Program Files\Panda Software
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-04 05:26 . 2008-05-04 05:26 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-04 00:44 . 2008-05-04 00:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-03 21:57 . 2008-05-04 04:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 12:28 376,280 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-30 12:28 32,122,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 00:50 --------- d-----w C:\Program Files\TMPGENC
2008-05-26 01:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-23 04:12 --------- d-----w C:\Program Files\Lavasoft
2008-05-23 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-23 04:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-22 01:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-22 01:20 8,136,192 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-21 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-05-20 06:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 03:38 164 ----a-w C:\install.dat
2008-05-19 13:02 --------- d-----w C:\Program Files\Winamp2
2008-05-04 08:42 82,208 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-04 04:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-09 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\R-Wipe&Clean
2008-04-08 05:52 --------- d-----w C:\Program Files\Puzzle Quest
2008-04-06 19:14 --------- d-----w C:\Program Files\ratDVD
2008-04-02 06:32 --------- d-----w C:\Program Files\RotoWire2008MLBDraftSoftware
2008-03-28 04:18 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-28 04:18 249,856 ------w C:\WINDOWS\Setup1.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 03:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-14 03:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2006-02-27 02:49 24,192 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2006-02-27 02:48 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2005-01-14 06:37 5,358 ----a-w C:\Documents and Settings\Owner\m00.exe
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-10-13 16:21 1,694,208 --sha-w C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
2004-03-01 03:30 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

------- Sigcheck -------

2004-08-04 03:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-26_23.41.10.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 03:26:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 21:44:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Registry Repair Pro"="C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [2005-09-07 16:01 1358336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-22 22:40 176128]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 20:38 437008]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 20:39 461584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [2007-01-25 18:50 321072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2006-07-14 13:46 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\SBC Yahoo!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\SBC Yahoo!\Connection Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

S2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe []
S2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 L2XPSR;L2XPSR;E:\Release\L2XPSR.SYS []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 17:10]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-01 22:30:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-30 23:25:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN36G3D2X06B.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2008-05-25 22:42:28 C:\WINDOWS\Tasks\wrSpySweeper_LA8EED1781A4B4BD985DC12E342D7119D.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 20:36:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 20:40:38
ComboFix-quarantined-files.txt 2008-06-02 00:40:24
ComboFix2.txt 2008-05-27 03:42:15

Pre-Run: 10,438,209,536 bytes free
Post-Run: 10,483,544,064 bytes free

186 --- E O F --- 2008-05-16 12:39:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:37 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\avciman.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Windows Registry Repair Pro] "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" 4
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.5.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179206684828
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9819 bytes

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • Local time:03:17 AM

Posted 02 June 2008 - 01:48 PM

Hi

Looking pretty good now :thumbsup:

Still some things to do, but are your problems resolved ?

Do you know what this is ?

C:\WINDOWS\X!Ü

At first glance it looks like a folder, but I believe it's a file ?

Please do this now :-

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 boddah98

boddah98
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:17 PM

Posted 08 June 2008 - 09:54 PM

Hi Steam,
thank you for all of your help. I am still experiencing some issues, particularly lag time while surfing the net. The C:\WINDOWS\X!Ü & C:\WINDOWS\X!Ä are both files but they have no extension. They are 1kb each. Spysweeper is still showing a Virtumonde infection. Here are the hijackthis logs & the Kaspersky log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:05 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp2\Winamp.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Windows Registry Repair Pro] "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" 4
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.5.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179206684828
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9297 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 9:50:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 839368
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 88719
Number of viruses found: 23
Number of infected objects: 43
Number of suspicious objects: 12
Duration of the scan process: 05:29:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip/crjb32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy16.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy34.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy34.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_b40.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus 2007\PSK_NAMES2 Object is locked skipped
C:\Program Files\PC-Doctor for Windows\Java\jre\bin\jinstall.exe Infected: Trojan-Downloader.Win32.CWS.dd skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khfDTlJA.dll.vir.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-26_232419.03.zip/xxywWmnM.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-26_232419.03.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP78\A0015701.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0015997.exe/data0000.cab/is153891.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.rji skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0015997.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.rji skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0015997.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe/data0017 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016815.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016850.exe/data0012 Infected: not-a-virus:AdWare.Win32.MyWay.ac skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016850.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.SideStep.j skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.CommonName.p skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0025.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0025.BIN/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016859.exe WiseSFX: infected - 7 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/lsp_.dll Infected: not-a-virus:AdWare.Win32.Sahat.av skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/SAHAgent_.exe Infected: not-a-virus:AdWare.Win32.Sahat.bb skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/SAHDownloader_.exe Infected: not-a-virus:AdWare.Win32.Sahat.e skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/SAHUninstall_.exe Infected: not-a-virus:AdWare.Win32.Sahat.cf skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008/WEBInstaller.dll Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN/data0008 Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016860.exe WiseSFX: infected - 11 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016866.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016866.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE/data0000.cab/nzm3.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE/data0000.cab Infected: Backdoor.Win32.Rbot.bll skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP89\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\COMPUTER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{68787A69-3AB5-4A32-9C3A-6F6E88487DAA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\ZLT041c4.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT041c7.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by boddah98, 08 June 2008 - 09:55 PM.


#10 steamwiz

Posted 09 June 2008 - 04:16 PM

Hi

RE: C:\WINDOWS\X!Ü & C:\WINDOWS\X!Ä ... they are not even 1k ... just a few bytes, so we are going to delete them ...

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\X!Ü
C:\WINDOWS\X!Ä
C:\hp\region\EN_US-ie.reg
C:\Program Files\PC-Doctor for Windows\Java\jre\bin\jinstall.exe


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

After you have done this & have the report ...

1. I want you to empty Spybot's quarantine ... let me know if you need directions?

2. You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... in your case :-

at least this :- jre1.5.0_06

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.


3. RE: "Spysweeper is still showing a Virtumonde infection." ... name & location of files/registry keys please? (whatever Spysweeper is telling you)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
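
As an added example (not part of this thread, and not code from ComboFix or Kaspersky), a small Python triage of a report in the layout posted above: it separates live detections from copies already sitting in the ComboFix quarantine or in System Restore points, which is how the two live files end up in the File:: script, and it checks a saved CFScript for the "nothing before File::" rule steamwiz stresses. The sample report lines are constructed from paths in the log above; the bucket names and function names are my own.

```python
import re

# Constructed sample in the Kaspersky Online Scanner 7 layout used in this thread
# ("<path> Infected: <verdict> skipped"); the paths are taken from the log above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped
C:\Program Files\PC-Doctor for Windows\Java\jre\bin\jinstall.exe Infected: Trojan-Downloader.Win32.CWS.dd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khfDTlJA.dll.vir.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-26_232419.03.zip/xxywWmnM.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP78\A0015701.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{84385F41-106C-4862-86C4-CE41F08F6FCF}\RP79\A0016965.EXE/data0000.cab/nzm3.exe Infected: Backdoor.Win32.Rbot.bll skipped
"""
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
QUARANTINE = "c:\\qoobox\\quarantine\\"              # ComboFix quarantine folder
RESTORE = "c:\\system volume information\\_restore"  # System Restore points

def classify(path):
    # Quarantined and restore-point copies are inert; only "live" needs action.
    low = path.lower()
    if low.startswith(QUARANTINE):
        return "quarantine"
    if low.startswith(RESTORE):
        return "restore_point"
    return "live"

def triage(report):
    # {bucket: [(on-disk path, verdict)]}. The "/member" suffix of an archive hit
    # is dropped; locked objects and "ZIP: infected - n" lines carry no verdict.
    buckets = {"live": [], "quarantine": [], "restore_point": []}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            path = m.group("path").split("/", 1)[0]
            buckets[classify(path)].append((path, m.group("verdict")))
    return buckets

def cfscript(paths):
    # File:: must be the very first line, nothing above it, then one path per line.
    unique = list(dict.fromkeys(paths))
    return "File::\n" + "\n".join(unique) + "\n"

def cfscript_problems(text):
    # The pitfall the post stresses: nothing may precede File:: on line 1, not a
    # blank line, a space, or the BOM Notepad writes when saving as UTF-8.
    first = text.split("\n", 1)[0]
    if first == "File::":
        return []
    return ["first line is %r, expected exactly 'File::'" % first]
```

The two C:\WINDOWS\X! entries in steamwiz's script come from an earlier log in the thread, so this run produces only the EN_US-ie.reg and jinstall.exe lines.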

#11 boddah98

Posted 11 June 2008 - 11:48 PM

Your guidance has been amazing. Those last steps have improved performance greatly. Virtumonde is no longer showing up in the Spysweeper scan once the quarantine was cleared. Kaspersky scan is now only showing 3 incidents:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 12:06:09
Records in database: 851604
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 89368
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:21:35


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\hp\region\EN_US-ie.reg.vir Infected: Trojan.WinREG.StartPage 1
C:\QooBox\Quarantine\C\WINDOWS\system32\khfDTlJA.dll.vir.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\catchme2008-05-26_232419.03.zip Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

#12 steamwiz

Posted 12 June 2008 - 02:43 PM

Hi

Please go to > Start > Run > copy and paste ComboFix /u into the Open: box & press OK


Then post a new KASPERSKY ONLINE SCANNER REPORT :thumbsup:

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#13 boddah98

Posted 13 June 2008 - 08:02 AM

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 89883
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:22:44

No malware has been detected. The scan area is clean.

The selected area was scanned.

Think we're done, what do you think?

#14 steamwiz

Posted 13 June 2008 - 02:05 PM

Hi

Yes indeed :thumbsup:

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#15 boddah98

Posted 13 June 2008 - 03:10 PM

Thank you for all of your help. I definitely would've had to wipe my entire comp if it wasn't for you. I've sent you a little something for your hard work; I'm sorry it's not more, the American dollar isn't what it used to be.

Best Regards!
DK
