Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan.Vundo and Downloader Virus [Resolved]


  • This topic is locked This topic is locked

#1
ppny

ppny

    New Member

  • Member
  • Pip
  • 9 posts
Hi All! Any help anyone can give me on this would be greatly appreciated. I am in the clutches of some bad viruses.

Started with two messages from Symantec Anti Virus...one for "Trojan.Vundo" and the other for "Downloader".

Symantec Antivirus Warning
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Threat: Trojan.Vundo
File: C:\DOCUME~1\Potter\LOCALS~1\TEMPOR~1\Content.IE5\WOE9RT9C\LKJH_1~1
Location: Quarantine
Computer: POTTER-BOP6U9C8
User: POTTER-BOP6U9C8\Potter
Action taken: Reboot Required
Date found: Thursday, October 18, 2007 2:41:01 AM

Symantec Antivirus Warning
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Threat: Downloader
File: C:\DOCUME~1\Potter\LOCALS~1\TEMPOR~1\Content.IE5\OH6JGXEF.valena[1]
Location: Unknown Storage
Computer: POTTER-BOP6U9C8
User: POTTER-BOP6U9C8\Potter
Action taken: Quaranteened Failed, Delete Failed, Access Denied
Date found: Thursday, October 18, 2007 2:42:01 AM

I first ran the scan provided on Symantec and it Quaranteened 105 episodes of Vundo and one Downloader. I deleted these.

I then ran the "Fix Vundo" tool provided by Symantec. It ran for a bit and then ran into an issue and posted a Runtime Error that stated "App has made an attempt to load the C runtime library incorrectly". I had to click OK on this about 5 times to get the message to go away and then it continued.

Of note, when it came to scannning Skype, it had all sortes of issues so after the scan I actually uninstalled Skype completely.

I ran the Fix Vundo tool once in my regular settings and then tried to run it in safe mode but the PC would not let me so I ran it again in Administrator. Running it a second time said the PC was clear of Vundo.

Immediately upon opening Internet Explorer however, I started getting redirected to similar websites to what I was looking at. (Was looking at Budget rent a car and it redirected me to Hertz). I also started getting pop up warnings on my pcs that various Spyware and backdoor trojans had been found....

I came to Geeks to go and followed the steps in "must read before..." and followed the steps.

* AFT Cleaner
* System Restore
* Disk Cleanup
* AGV Anti Spyware (did not let me run in Safe mode - ran in Administrator)
* Super AntiSpyware
* Online Panda
* Did not run Hijack This. (I installed it, ran it and nothing happened. Was not sure if it posted a dialoge box anywhere)

Below are the log files from AGV, Super AntiSpyware and Online Panda


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:44:49 AM 10/17/2007

+ Scan result:



HKLM\SOFTWARE\Classes\WR -> Adware.Generic : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1547161642-436374069-1343024091-500\Dc27.txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-1547161642-436374069-1343024091-500\Dc28.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Potter\Cookies\[email protected][2].txt -> TrackingCookie.Netflame : Cleaned.
C:\RECYCLER\S-1-5-21-1547161642-436374069-1343024091-500\Dc17.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\S-1-5-21-1547161642-436374069-1343024091-500\Dc23.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


SUPER ANTISPYWARE

SUPERAntiSpyware Scan Log
Generated 10/18/2007 at 06:57 AM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 01:06:08

Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 5118
Registry threats detected : 0
File items scanned : 61918
File threats detected : 180

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO10.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO11.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO12.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO13.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO14.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO15.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO16.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO17.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO18.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO19.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO19E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO19F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1A0.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1A1.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1A2.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO1F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO20.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO21.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO22.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO23.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO24.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO25.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO26.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO27.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO271.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO272.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO273.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO274.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO275.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO28.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO29.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO2F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO30.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO31.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO32.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO33.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO34.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO348.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO349.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO34A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO34B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO34C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO35.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO36.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO37.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO38.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO39.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO3F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO40.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO41.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO42.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO43.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO44.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO45.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO46.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO47.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO48.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO49.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO4F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO50.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO51.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO52.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO53.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO54.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO55.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO56.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO57.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO58.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO59.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO5F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO6.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO60.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO61.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO618.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO619.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO61A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO61B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO61C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO62.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO63.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO64.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO65.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO66.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO67.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO68.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO69.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO6A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO6C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO6D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO6E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO6F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO70.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO76.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO77.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO78.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO79.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO7F.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO8.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO9.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO95.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO96.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO97.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO98.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO99.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO9A.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO9B.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO9C.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO9D.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICO9E.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOA.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOA8.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOA9.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOAA.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOAB.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOAC.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOB.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOB2.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOB3.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOB4.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOB5.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOB6.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOBD.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOBE.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOBF.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC0.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC1.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC3.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC4.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC5.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC6.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC7.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC8.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOC9.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOCA.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOCB.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOCC.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOCD.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOCE.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOCF.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOD.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOD0.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOD1.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOE.TMP
C:\DOCUMENTS AND SETTINGS\POTTER\LOCAL SETTINGS\TEMP\ICOF.TMP



PANDA
___________________________________________________
Incident Status
Location

Virus:Trj/Downloader.OZB Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\nkxpvmtx.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Potter\Cookies\potter@doubleclick[1].txt
Virus:Trj/Downloader.OZB Disinfected C:\Documents and Settings\Potter\Local Settings\Temp\irabbuvr.exe
Virus:Trj/Downloader.OZB Disinfected C:\Documents and Settings\Potter\Local Settings\Temp\lggqopwc.exe
Virus:Trj/Downloader.OZB Disinfected C:\Documents and Settings\Potter\Local Settings\Temp\lrferspy.exe
Adware:Adware/SecurityToolbar Not disinfected C:\Program Files\Hammer.dll
Adware:Adware/SecurityToolbar Not disinfected C:\VundoFix Backups\fvclhbmt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\paxyecfm.dll.bad
Adware:Adware/SecurityToolbar Not disinfected C:\VundoFix Backups\rdikabfx.dll.bad
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\hqvqlexa.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\ilpfhcgv.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\jisndvyc.dll
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\jqnekhlp.dll
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\nixutdob.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\qfvfootg.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qgmjdjpd.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\rvwwoeoh.dll
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\ukxtbhib.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\vjxaoahm.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINDOWS\system32\vrpbtlue.dll


Here at the end of all this, I am still getting hammered with pop ups. Malware virus warnings, Trojan-Spy-win32@mx. Appreciate any help or guidance
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello ppny


Welcome to G2Go. :)
I will be helping you with your Malware problem.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Kahdah! Thanks for the fast response....

Deckard's System Scanner v20071014.68
Run by Potter on 2007-10-18 14:11:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-10-18 01:11:22 UTC - RP4 - Deckard's System Scanner Restore Point
1: 2007-10-17 15:44:53 UTC - RP3 - wed noon


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Potter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:42 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Potter\Local Settings\Temporary Internet Files\Content.IE5\C67L0IW0\dss[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Potter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\KesenjanganSosial.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45A43EDF-FDB0-44C9-80B4-0DD31524CFA5} - C:\WINDOWS\system32\ljjjh.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\pewpbumi.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\cfwbryhi.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\cfwbryhi.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pjwwsnew.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Tok-Cirrhatus] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Tok-Cirrhatus] (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cfwbryhi - C:\WINDOWS\SYSTEM32\cfwbryhi.dll
O20 - Winlogon Notify: opnoopq - opnoopq.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE NetDDEMSDTC (NetDDEMSDTC) - Unknown owner - C:\WINDOWS\system32\3076d.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8402 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ENECBPTH (ENE Cardbus Patch Driver) - c:\windows\system32\drivers\enecbpth.sys <Not Verified; EnE Technology Inc.; EnE Cardbus Patch Driver for Windows ® 2000/XP>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 U3sHlpDr - c:\windows\system32\drivers\u3shlpdr.sys
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
R3 w29n51 (Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP) - c:\windows\system32\drivers\w29n51.sys <Not Verified; Intel® Corporation; Intel® Wireless LAN Adapter>

S3 MidiSyn - c:\windows\system32\drivers\midisyn.sys <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable Synthesizer>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 NetDDEMSDTC (Network DDE NetDDEMSDTC) - c:\windows\system32\3076d.exe srv


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4A40186723F47
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4A40186723F47
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\WEC0518\4&61F3B4B&0
Manufacturer:
Name:
PNP Device ID: ACPI\WEC0518\4&61F3B4B&0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-10-18 11:03:00 426 --a------ C:\WINDOWS\Tasks\At2.job
2007-10-17 17:08:00 426 --a------ C:\WINDOWS\Tasks\At1.job
2007-09-30 12:14:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-09-18 and 2007-10-18 -----------------------------

2007-10-18 14:12:32 0 d-------- C:\Program Files\Trend Micro
2007-10-18 11:10:10 83008 --a------ C:\WINDOWS\system32\pjwwsnew.dll
2007-10-18 11:09:09 339968 --a------ C:\WINDOWS\system32\cfwbryhi.dll
2007-10-18 11:08:46 389184 --a------ C:\WINDOWS\system32\fbakmxsq.exe
2007-10-18 08:24:41 78400 --a------ C:\WINDOWS\system32\pewpbumi.dll
2007-10-18 08:21:29 83008 --a------ C:\WINDOWS\system32\vyafbjga.dll
2007-10-18 03:32:12 0 d-------- C:\WINDOWS\pss
2007-10-18 03:14:33 83008 --a------ C:\WINDOWS\system32\thqitpja.dll
2007-10-18 03:06:04 83008 --a------ C:\WINDOWS\system32\lqsfcuji.dll
2007-10-18 02:43:33 83008 --a------ C:\WINDOWS\system32\ybbuclxc.dll
2007-10-18 01:19:12 83008 --a------ C:\WINDOWS\system32\ndbyxsbx.dll
2007-10-18 01:09:29 389184 --a------ C:\WINDOWS\system32\vjxaoahm.exe
2007-10-17 13:19:48 86080 --a------ C:\WINDOWS\system32\mdwebchc.dll
2007-10-17 13:11:16 339968 --a------ C:\WINDOWS\system32\jisndvyc.dll
2007-10-17 13:10:48 389184 --a------ C:\WINDOWS\system32\qfvfootg.exe
2007-10-17 12:57:10 339968 --a------ C:\WINDOWS\system32\rvwwoeoh.dll
2007-10-17 12:56:51 86080 --a------ C:\WINDOWS\system32\chthfvxo.dll
2007-10-17 12:56:42 389184 --a------ C:\WINDOWS\system32\ukxtbhib.exe
2007-10-17 11:52:01 0 d-------- C:\Documents and Settings\Potter\Application Data\SUPERAntiSpyware.com
2007-10-17 10:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-17 10:27:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-17 10:27:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-17 10:25:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 07:58:04 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-17 07:57:41 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-10-17 06:23:14 86080 -----n--- C:\WINDOWS\system32\ajbuwplq.dll
2007-10-17 06:11:53 389184 --a------ C:\WINDOWS\system32\hqvqlexa.exe
2007-10-17 06:11:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-17 05:13:40 0 d-------- C:\Documents and Settings\Potter\Application Data\Grisoft
2007-10-17 05:13:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 02:34:46 339968 --a------ C:\WINDOWS\system32\vrpbtlue.dll
2007-10-17 02:34:21 389184 --a------ C:\WINDOWS\system32\ilpfhcgv.exe
2007-10-17 01:59:18 0 d-------- C:\VundoFix Backups
2007-10-17 00:47:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-10-16 12:12:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-10-16 11:45:30 389184 --a------ C:\WINDOWS\system32\qgmjdjpd.exe
2007-10-13 09:31:32 339968 --a------ C:\WINDOWS\system32\jqnekhlp.dll
2007-10-13 09:31:32 339968 --a------ C:\Program Files\Hammer.dll
2007-10-13 09:31:04 389184 --a------ C:\WINDOWS\system32\nixutdob.exe
2007-10-08 03:01:41 0 d-------- C:\Program Files\MSXML 4.0
2007-10-06 17:32:05 0 d-------- C:\WINDOWS\system32\PreInstall
2007-10-06 15:57:06 0 d--h----- C:\WINDOWS\$hf_mig$
2007-10-06 05:24:46 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-10-05 16:03:48 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-10-05 15:40:49 85056 --a------ C:\WINDOWS\system32\lpueofju.dll
2007-10-05 05:16:34 0 d---s---- C:\Documents and Settings\LocalService\UserData
2007-10-05 05:08:05 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-10-05 05:07:40 85056 --a------ C:\WINDOWS\system32\hxcdiqgb.dll
2007-10-05 02:20:09 423516 ---hs---- C:\WINDOWS\system32\hjjjl.ini2
2007-10-04 04:17:58 0 d-------- C:\Documents and Settings\Potter\WD Sync Data
2007-10-04 03:43:37 426455 ---hs---- C:\WINDOWS\system32\hjjjl.bak2
2007-10-03 15:43:30 6465 ---hs---- C:\WINDOWS\system32\hjjjl.bak1
2007-10-03 15:43:07 310880 --a------ C:\WINDOWS\system32\ljjjh.dll
2007-10-03 15:38:04 0 d-------- C:\WINDOWS\system32\vMW02a
2007-10-03 15:38:04 0 d-------- C:\Temp
2007-10-03 04:00:56 53 --ahs---- C:\WINDOWS\system32\3434062923.dat
2007-10-03 04:00:40 39050 -r-hs---- C:\WINDOWS\system32\3076d.exe


-- Find3M Report ---------------------------------------------------------------

2007-10-18 11:08:03 0 d-------- C:\Program Files\Symantec AntiVirus
2007-10-18 08:22:09 0 d-------- C:\Program Files\MSN Messenger
2007-10-18 08:15:11 0 d-------- C:\Program Files\iTunes
2007-10-18 08:14:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-17 10:25:50 0 d-------- C:\Program Files\Common Files
2007-10-08 03:10:09 0 d-------- C:\Program Files\Messenger
2007-10-05 16:23:44 0 d-------- C:\Documents and Settings\Potter\Application Data\Skype
2007-08-29 14:47:12 0 d-------- C:\Program Files\Microsoft Games
2007-08-18 11:31:41 0 d-------- C:\Program Files\The Weather Channel FW


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45A43EDF-FDB0-44C9-80B4-0DD31524CFA5}]
10/03/2007 03:43 PM 310880 --a------ C:\WINDOWS\system32\ljjjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
10/18/2007 08:24 AM 78400 --a------ C:\WINDOWS\system32\pewpbumi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
10/18/2007 11:09 AM 339968 --a------ C:\WINDOWS\system32\cfwbryhi.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\cfwbryhi.dll [10/18/2007 11:09 AM 339968]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [10/14/2004 09:11 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [09/23/2004 12:41 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 03:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/20/2004 09:10 PM]
"AGRSMMSG"="AGRSMMSG.exe" [04/19/2005 10:03 AM C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [05/22/2003 09:10 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/22/2003 10:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 06:58 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 09:36 AM]
"HP SchedIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [04/22/2002 12:56 PM]
"HP AutoIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [04/22/2002 12:57 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/29/2003 03:17 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/04/2005 01:42 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [11/15/2005 02:28 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 08:42 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/29/2003 03:20 PM]
"LogitechGalleryRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/29/2003 03:17 PM]
"!AVG Anti-Spyware"="C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 10:25 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SearchIndexer"="C:\WINDOWS\system32\pjwwsnew.dll" [10/18/2007 11:10 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2004 01:00 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"Tok-Cirrhatus"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Tok-Cirrhatus"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [12:00:00 AM]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [6/2/2004 5:48:22 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0
"DisableCMD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableCMD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe \"C:\WINDOWS\KesenjanganSosial.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfwbryhi]
cfwbryhi.dll 10/18/2007 11:09 AM 339968 C:\WINDOWS\system32\cfwbryhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoopq]
opnoopq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljjjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45ede1a3-cfa7-11db-a9a3-000e35399146}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e488021-c20c-11db-a97a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8435ae0-e46f-11db-a9f5-000e35399146}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- G:\Boot.exe e




-- End of Deckard's System Scanner: finished at 2007-10-18 14:13:30 ------------
  • 0

#4
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
...and here is the part from the Extra.txt Notepad...

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1023.36 MiB / 558.41 MiB
Pagefile Memory (total/avail): 2462.5 MiB / 2036.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.56 MiB

C: is Fixed (NTFS) - 20.5 GiB total, 11.13 GiB free.
D: is Fixed (NTFS) - 24.73 GiB total, 5.75 GiB free.
E: is Fixed (NTFS) - 29.3 GiB total, 29.24 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST98823A - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 20.5 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 54.03 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.2.2000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Potter\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=POTTER-BOP6U9C8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Potter
LOGONSERVER=\\POTTER-BOP6U9C8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Potter\LOCALS~1\Temp
TMP=C:\DOCUME~1\Potter\LOCALS~1\Temp
USERDOMAIN=POTTER-BOP6U9C8
USERNAME=Potter
USERPROFILE=C:\Documents and Settings\Potter
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Potter (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Agere Systems AC'97 Modem --> agrsmdel
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\Uninstall.exe
Bluetooth by hp --> MsiExec.exe /X{90535871-81B9-4D99-8A13-A7EE97F2D7FE}
hp LaserJet 3300 Uninstaller --> C:\Program Files\Hewlett-Packard\LaserJet 33xx\Uninstall\setup.exe uninst.ini
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech QuickCam --> MsiExec.exe /I{A488D63E-B3DD-4423-892F-2F2EC8909518}
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Lookout --> "C:\Program Files\Lookout Software\Lookout\UninstallLookout.exe"
Microsoft Combat Flight Simulator 2 --> "C:\Program Files\Microsoft Games\Combat Flight Simulator 2\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Outlook Personal Folders Backup --> MsiExec.exe /X{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Potter\Application Data\Move Networks\ie_bin\unins000.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{46B63F23-2B4A-4525-A827-688026BE5E40}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WebCam for MSN Messenger --> Rundll32.exe setupapi,InstallHinfSection DefaultUnInstall 128 C:\WINDOWS\INF\Athena.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type8880 / Error
Event Submitted/Written: 10/18/2007 11:08:44 AM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Downloader in File: C:\Documents and Settings\Potter\Local Settings\Temporary Internet Files\Content.IE5\LPYR8FMN\valera[1] by: Auto-Protect scan. Action: Quarantine failed : Delete failed : Access denied. Action Description: Quarantine was partially successful.

Event Record #/Type8879 / Error
Event Submitted/Written: 10/18/2007 11:08:42 AM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Downloader in File: C:\Documents and Settings\Potter\Local Settings\Temporary Internet Files\Content.IE5\LPYR8FMN\valera[1] by: Auto-Protect scan. Action: Quarantine failed : Delete failed. Action Description: The file was left unchanged.

Event Record #/Type8865 / Warning
Event Submitted/Written: 10/18/2007 07:57:22 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside D:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\YH561403.CAB due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type8864 / Warning
Event Submitted/Written: 10/18/2007 07:39:44 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside C:\Drivers\HP zt3000\Bluetooth\sp28427.exe due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type8863 / Warning
Event Submitted/Written: 10/18/2007 07:37:58 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 181 files inside C:\Documents and Settings\Potter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 10-18-2007 - 06-59-39.SBU due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3751 / Error
Event Submitted/Written: 10/15/2007 05:08:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At1.job command failed to start due to the following error:
%%2147942402

Event Record #/Type3750 / Error
Event Submitted/Written: 10/15/2007 04:55:06 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type3749 / Error
Event Submitted/Written: 10/15/2007 04:55:06 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type3748 / Error
Event Submitted/Written: 10/15/2007 04:55:06 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type3747 / Error
Event Submitted/Written: 10/15/2007 04:55:06 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.



-- End of Deckard's System Scanner: finished at 2007-10-18 14:13:30 ------------
  • 0

#5
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome. :)

You are quite infected.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

  • 0

#6
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 07-10-17.8@ - Potter 2007-10-18 15:25:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1.#QNAN [GMT 13:00]
Running from: C:\Documents and Settings\Potter\Local Settings\Temporary Internet Files\Content.IE5\C67L0IW0\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hammer.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\agjbfayv.ini
C:\WINDOWS\system32\ajbuwplq.dll
C:\WINDOWS\system32\ajptiqht.ini
C:\WINDOWS\system32\bgqidcxh.ini
C:\WINDOWS\system32\chcbewdm.ini
C:\WINDOWS\system32\chthfvxo.dll
C:\WINDOWS\system32\cxlcubby.ini
C:\WINDOWS\system32\hjjjl.bak1
C:\WINDOWS\system32\hjjjl.bak1
C:\WINDOWS\system32\hjjjl.bak1
C:\WINDOWS\system32\hjjjl.bak2
C:\WINDOWS\system32\hjjjl.bak2
C:\WINDOWS\system32\hjjjl.bak2
C:\WINDOWS\system32\hjjjl.ini
C:\WINDOWS\system32\hjjjl.ini
C:\WINDOWS\system32\hjjjl.ini
C:\WINDOWS\system32\hjjjl.ini2
C:\WINDOWS\system32\hjjjl.ini2
C:\WINDOWS\system32\hjjjl.ini2
C:\WINDOWS\system32\hjjjl.tmp
C:\WINDOWS\system32\hjjjl.tmp
C:\WINDOWS\system32\hjjjl.tmp
C:\WINDOWS\system32\hxcdiqgb.dll
C:\WINDOWS\system32\ijucfsql.ini
C:\WINDOWS\system32\ljjjh.dll
C:\WINDOWS\system32\ljjjh.dll
C:\WINDOWS\system32\lpueofju.dll
C:\WINDOWS\system32\lqsfcuji.dll
C:\WINDOWS\system32\mdwebchc.dll
C:\WINDOWS\system32\ndbyxsbx.dll
C:\WINDOWS\system32\oorbbswr.dll
C:\WINDOWS\system32\oxvfhthc.ini
C:\WINDOWS\system32\pewpbumi.dll
C:\WINDOWS\system32\pjwwsnew.dll
C:\WINDOWS\system32\thqitpja.dll
C:\WINDOWS\system32\ujfoeupl.ini
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vyafbjga.dll
C:\WINDOWS\system32\wenswwjp.ini
C:\WINDOWS\system32\xbsxybdn.ini
C:\WINDOWS\system32\ybbuclxc.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 14:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-17 11:52 <DIR> d-------- C:\Documents and Settings\Potter\Application Data\SUPERAntiSpyware.com
2007-10-17 10:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-17 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-17 10:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-17 10:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 06:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-17 05:13 <DIR> d-------- C:\Documents and Settings\Potter\Application Data\Grisoft
2007-10-17 05:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 01:59 <DIR> d-------- C:\VundoFix Backups
2007-10-08 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 05:16 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-10-04 04:17 <DIR> d-------- C:\Documents and Settings\Potter\WD Sync Data
2007-10-03 15:38 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 03:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 22:09 339,968 ----a-w C:\WINDOWS\system32\cfwbryhi.dll
2007-10-17 22:08 389,184 ----a-w C:\WINDOWS\system32\fbakmxsq.exe
2007-10-17 19:22 --------- d-----w C:\Program Files\MSN Messenger
2007-10-17 19:15 --------- d-----w C:\Program Files\iTunes
2007-10-17 19:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-17 12:09 389,184 ----a-w C:\WINDOWS\system32\vjxaoahm.exe
2007-10-17 00:11 339,968 ----a-w C:\WINDOWS\system32\jisndvyc.dll
2007-10-17 00:10 389,184 ----a-w C:\WINDOWS\system32\qfvfootg.exe
2007-10-16 23:57 339,968 ----a-w C:\WINDOWS\system32\rvwwoeoh.dll
2007-10-16 23:56 389,184 ----a-w C:\WINDOWS\system32\ukxtbhib.exe
2007-10-16 17:11 389,184 ----a-w C:\WINDOWS\system32\hqvqlexa.exe
2007-10-16 13:34 389,184 ----a-w C:\WINDOWS\system32\ilpfhcgv.exe
2007-10-16 13:34 339,968 ----a-w C:\WINDOWS\system32\vrpbtlue.dll
2007-10-15 22:45 389,184 ----a-w C:\WINDOWS\system32\qgmjdjpd.exe
2007-10-12 20:31 389,184 ----a-w C:\WINDOWS\system32\nixutdob.exe
2007-10-12 20:31 339,968 ----a-w C:\WINDOWS\system32\jqnekhlp.dll
2007-10-05 03:23 --------- d-----w C:\Documents and Settings\Potter\Application Data\Skype
2007-10-02 15:00 39,050 --sha-r C:\WINDOWS\system32\3076d.exe
2007-08-29 01:47 --------- d-----w C:\Program Files\Microsoft Games
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 07:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 07:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 07:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 07:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 07:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 07:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 07:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 07:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2004-03-11 01:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 12:00:00 1,392,671 --sh--r C:\WINDOWS\system32\msvbvm60.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-18 11:09 339968 --a------ C:\WINDOWS\system32\cfwbryhi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\cfwbryhi.dll [2007-10-18 11:09 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 21:10]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 21:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 22:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"HP SchedIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-04-22 12:56]
"HP AutoIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-04-22 12:57]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 15:17]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 13:42]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 14:28]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-08-29 15:20]
"LogitechGalleryRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 15:17]
"!AVG Anti-Spyware"="C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 22:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 01:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Tok-Cirrhatus"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Tok-Cirrhatus"=

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfwbryhi]
cfwbryhi.dll 2007-10-18 11:09 339968 C:\WINDOWS\system32\cfwbryhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoopq]
opnoopq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljjjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup

R2 U3sHlpDr;U3sHlpDr;\??\C:\WINDOWS\System32\Drivers\U3sHlpDr.sys
S2 NetDDEMSDTC;Network DDE NetDDEMSDTC;C:\WINDOWS\system32\3076d.exe srv
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys
S3 SaiHFFB5;SaiHFFB5;C:\WINDOWS\system32\DRIVERS\SaiHFFB5.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45ede1a3-cfa7-11db-a9a3-000e35399146}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8435ae0-e46f-11db-a9f5-000e35399146}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command - G:\Boot.exe e

.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 23:14:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-17 04:08:00 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Administrator\Templates\14004-NendangBro.com
"2007-10-17 22:03:00 C:\WINDOWS\Tasks\At2.job"
- C:\Documents and Settings\Administrator\Templates\14004-NendangBro.com
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 16:21:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 16:22:21 - machine was rebooted
.
--- E O F ---
  • 0

#7
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cfwbryhi.dll
C:\WINDOWS\system32\fbakmxsq.exe
C:\WINDOWS\system32\jisndvyc.dll
C:\WINDOWS\system32\qfvfootg.exe
C:\WINDOWS\system32\rvwwoeoh.dll
C:\WINDOWS\system32\ukxtbhib.exe
C:\WINDOWS\system32\hqvqlexa.exe
C:\WINDOWS\system32\ilpfhcgv.exe
C:\WINDOWS\system32\vrpbtlue.dll
C:\WINDOWS\system32\qgmjdjpd.exe
C:\WINDOWS\system32\nixutdob.exe
C:\WINDOWS\system32\jqnekhlp.dll
C:\WINDOWS\system32\3076d.exe
C:\WINDOWS\KesenjanganSosial.exe
C:\WINDOWS\system32\pewpbumi.dll
C:\WINDOWS\system32\qfvfootg.exe 
C:\WINDOWS\system32\ukxtbhib.exe 
C:\WINDOWS\system32\vjxaoahm.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Tok-Cirrhatus"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfwbryhi] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoopq] 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
========================================
After that please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
=================
Please post back with:
Latest Combofix log
A Hijackthis log if you have it
Kaspersky scan log.

  • 0

#8
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I cannot locate that combofix icon on my PC....I tried to locate it through search as well and nothing...
  • 0

#9
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
disregard last...I redownloaded it.
  • 0

#10
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 07-10-17.8@ - Potter 2007-10-18 17:47:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.597 [GMT 13:00]
Running from: C:\Documents and Settings\Potter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Potter\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\KesenjanganSosial.exe
C:\WINDOWS\system32\3076d.exe
C:\WINDOWS\system32\cfwbryhi.dll
C:\WINDOWS\system32\fbakmxsq.exe
C:\WINDOWS\system32\hqvqlexa.exe
C:\WINDOWS\system32\ilpfhcgv.exe
C:\WINDOWS\system32\jisndvyc.dll
C:\WINDOWS\system32\jqnekhlp.dll
C:\WINDOWS\system32\nixutdob.exe
C:\WINDOWS\system32\pewpbumi.dll
C:\WINDOWS\system32\qfvfootg.exe
C:\WINDOWS\system32\qgmjdjpd.exe
C:\WINDOWS\system32\rvwwoeoh.dll
C:\WINDOWS\system32\ukxtbhib.exe
C:\WINDOWS\system32\vjxaoahm.exe
C:\WINDOWS\system32\vrpbtlue.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ajbuwplq.dll.bad
C:\VundoFix Backups\aplvxetb.ini.bad
C:\VundoFix Backups\btexvlpa.dll.bad
C:\VundoFix Backups\fvclhbmt.dll.bad
C:\VundoFix Backups\mfjrvadh.dll.bad
C:\VundoFix Backups\mklcixdw.dll.bad
C:\VundoFix Backups\paxyecfm.dll.bad
C:\VundoFix Backups\qlpwubja.ini.bad
C:\VundoFix Backups\rdikabfx.dll.bad
C:\VundoFix Backups\vvlakmui.dll.bad
C:\VundoFix Backups\wdxiclkm.ini.bad
C:\VundoFix Backups\wnvmxfix.dll.bad
C:\WINDOWS\system32\3076d.exe
C:\WINDOWS\system32\3076d.exe
C:\WINDOWS\system32\cfwbryhi.dll
C:\WINDOWS\system32\cfwbryhi.dll
C:\WINDOWS\system32\fbakmxsq.exe
C:\WINDOWS\system32\hqvqlexa.exe
C:\WINDOWS\system32\ilpfhcgv.exe
C:\WINDOWS\system32\jisndvyc.dll
C:\WINDOWS\system32\jqnekhlp.dll
C:\WINDOWS\system32\nixutdob.exe
C:\WINDOWS\system32\qfvfootg.exe
C:\WINDOWS\system32\qgmjdjpd.exe
C:\WINDOWS\system32\rvwwoeoh.dll
C:\WINDOWS\system32\ukxtbhib.exe
C:\WINDOWS\system32\vjxaoahm.exe
C:\WINDOWS\system32\vrpbtlue.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 14:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-17 11:52 <DIR> d-------- C:\Documents and Settings\Potter\Application Data\SUPERAntiSpyware.com
2007-10-17 10:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-17 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-17 10:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-17 10:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 06:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-17 05:13 <DIR> d-------- C:\Documents and Settings\Potter\Application Data\Grisoft
2007-10-17 05:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-08 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 05:16 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-10-04 04:17 <DIR> d-------- C:\Documents and Settings\Potter\WD Sync Data
2007-10-03 15:38 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 03:21 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 19:22 --------- d-----w C:\Program Files\MSN Messenger
2007-10-17 19:15 --------- d-----w C:\Program Files\iTunes
2007-10-17 19:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-05 03:23 --------- d-----w C:\Documents and Settings\Potter\Application Data\Skype
2007-08-29 01:47 --------- d-----w C:\Program Files\Microsoft Games
2004-03-11 01:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 12:00:00 1,392,671 --sh--r C:\WINDOWS\system32\msvbvm60.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 21:10]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 21:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 22:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"HP SchedIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-04-22 12:56]
"HP AutoIndexer"="C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-04-22 12:57]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 15:17]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 13:42]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 14:28]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-08-29 15:20]
"LogitechGalleryRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 15:17]
"!AVG Anti-Spyware"="C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 22:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 01:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45ede1a3-cfa7-11db-a9a3-000e35399146}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8435ae0-e46f-11db-a9f5-000e35399146}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command - G:\Boot.exe e

.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 23:14:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-18 04:08:00 C:\WINDOWS\Tasks\At1.job"
- C:\Documents and Settings\Administrator\Templates\14004-NendangBro.com
"2007-10-17 22:03:00 C:\WINDOWS\Tasks\At2.job"
- C:\Documents and Settings\Administrator\Templates\14004-NendangBro.com
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 17:50:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 17:51:47 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-18 16:22
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:28 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Potter\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE NetDDEMSDTC (NetDDEMSDTC) - Unknown owner - C:\WINDOWS\system32\3076d.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7464 bytes


Kaspersky file to follow
  • 0

#11
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 19, 2007 2:58:32 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/10/2007
Kaspersky Anti-Virus database records: 437588
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 62466
Number of viruses found: 5
Number of infected objects: 209
Number of suspicious objects: 0
Duration of the scan process: 00:40:52

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Potter\LOCALS~1\Temp\wxyqxotl.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600001.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600002.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600003.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600004.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600005.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600006.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600007.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600008.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600009.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60000A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60000B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60000C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60000D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60000E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60000F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600010.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600011.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600012.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600013.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600014.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600015.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600016.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600017.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600018.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600019.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60001A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60001B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60001C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60001D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60001E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60001F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600020.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600021.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600022.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600023.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600024.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600025.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600026.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600027.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600028.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600029.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60002A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60002B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60002C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60002D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60002E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60002F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600030.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600031.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600032.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600033.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600034.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600035.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600036.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600037.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600038.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600039.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60003A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60003B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60003C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60003D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60003E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60003F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600040.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600041.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600042.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600043.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600044.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600045.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600046.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600047.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600048.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600049.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60004A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60004B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60004C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60004D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60004E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60004F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600050.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600051.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600052.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600053.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600054.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600055.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600056.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600057.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600058.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600059.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60005A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60005B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60005C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60005D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60005E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60005F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600060.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600061.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600062.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600063.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600064.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600065.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600066.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600067.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600068.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600069.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60006A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60006B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60006C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60006D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60006E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60006F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600070.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600071.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600072.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600073.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600074.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600075.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600076.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600077.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600078.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600079.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60007A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60007B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60007C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60007D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60007E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60007F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600080.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600081.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600082.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600083.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600084.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600085.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600086.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600087.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600088.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600089.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60008A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60008B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60008C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60008D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60008E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60008F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600090.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600091.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600092.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600093.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600094.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600095.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600096.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600097.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600098.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A600099.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60009A.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60009B.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60009C.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60009D.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60009E.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A60009F.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A0.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A1.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A2.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A3.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A4.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A5.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A6.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A7.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A6000A8.VBN Infected: Email-Worm.Win32.Brontok.q skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Potter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Potter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Potter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Potter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Potter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Potter\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Potter\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0098NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0735NAV~.TMP Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Hammer.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\VundoFix Backups\fvclhbmt.dll.bad.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\VundoFix Backups\paxyecfm.dll.bad.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\VundoFix Backups\rdikabfx.dll.bad.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cfwbryhi.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\fbakmxsq.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hqvqlexa.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hxcdiqgb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wn skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ilpfhcgv.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jisndvyc.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jqnekhlp.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\lpueofju.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wn skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nixutdob.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qfvfootg.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qgmjdjpd.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rvwwoeoh.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ukxtbhib.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vjxaoahm.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vrpbtlue.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\catchme2007-10-18_175052.77.zip/cfwbryhi.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\catchme2007-10-18_175052.77.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP3\A0000041.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP3\A0000063.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP5\A0000100.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wn skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP5\A0000101.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wn skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP5\A0000121.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000182.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000183.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000184.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000185.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000186.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000187.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000188.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000189.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000190.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000191.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000192.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000193.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000197.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\A0000203.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{10A8BBE3-3E54-42ED-8750-684B09977ABB}\RP6\change.log Object is locked skipped

Scan process completed.
  • 0

#12
ppny

ppny

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Kahdah:

Well I sit here cautiously optomistic that the problem has been resolved. After running Kaspersky everything seems to be running smoothly. Did you expect a clean bill of health after running that or is there anything esle I should do?

Also, I am wondering what I should do to protect my PC into the future. On the lower left corner of my pc there is a yellow shield (slightly different from the Symantec one) that I think is for a windows update. It is saying that "updates are ready for your computer, click here to update". When I click on it it appears to be the Automatic update thing for Windows but I wanted to make sure it was something I should do.

What are your thoughts on that and any other program I should maintain on my PC for protection.

Potter
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes the Yellow Shield is for Automatic Updates that is legitimate.
Just a little more to go and you will be on your way.

Please empty your Norton Qurantine.

After that Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
========================
After that I only recommend an up to date antivirus and one antispyware program.
You can download Windows Defender from Here
It is free and will periodically scan for spyware.

Other than that you will need a firewall.
Here is a free one to use.

Zone Alarm.

This link will explain how to use firewalls to better understand them, Firewall tutorial
=============================================
Your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Castle Cops To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

If you have any further problems please feel free to contact G2Go.:)
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP