I guess I got Vundo Too [RESOLVED]


This topic is locked

#1
Joker2kill
New Member, 9 posts
Yeah so, I guess I got infected with Vundo. Been searching around for a few days on how to remove it, but none have seemed to work for my system, I guess. I will try to post as much info as possible in this post, so you don't have to try and ask what I've done :). I seem to be having troubles with "ddcca.dll", for when I start up my computer after a reboot I get an error message stating: "Windows cannot find C:\WINDOWS\system32\ddcca.dll. Make sure you typed the name correctly and then try again". Also, geebc.dll has been coming up for quite a while now.

Things I have tried:
- I have tried following the steps on Here; I got stuck on the part after running Kaspersky AV (which I did a complete scan with), as I could not locate "jkhhi.dll" in my directory, even after showing hidden files.
- I have tried multiple programs that state they remove Vundo, but none seem to come up clean.
- Ran VundoFix in Safe Mode.
- Ran Anti-Virus / Spybot S&D / Ad-Aware in Safe Mode.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:49:31 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Craig's\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcca.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask		  .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8967f50] rundll32.exe "C:\WINDOWS\system32\uhqxfbme.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitZip - Powered by Miro] C:\Program Files\Participatory Culture Foundation\Miro\Miro.exe --theme "BitZip"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

VundoFix Log:

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 10:55:11 AM 1/6/2008

Listing files found while scanning....

C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe Has been deleted!

 Attempting to delete C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe Has been deleted!

 Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Performing Repairs to the registry.
Done!

Kaspersky AV Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 06, 2008 1:50:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/01/2008
Kaspersky Anti-Virus database records: 503089
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 98045
Number of viruses found: 11
Number of infected objects: 185
Number of suspicious objects: 0
Duration of the scan process: 01:06:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-59afe7f7-4cdbcc71.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-59afe7f7-4cdbcc71.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-5e7eb989-4f650f42.zip/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-5e7eb989-4f650f42.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Craig's\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\eZROMs.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\eZROMs.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\eZROMs.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\eZROMs.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\eZROMs.exe NSIS: infected - 4 skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX15F.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX165.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX16B.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX171.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX31.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX32.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX36.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX37.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX3C.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX3E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX40.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX42.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX47.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX48.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX49.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX4D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX4F.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX50.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX53.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\RCX56.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\TMP3A.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\TMP3B.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\_avast4_\unp137539845.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\_avast4_\unp195895763.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\_avast4_\unp213856196.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\~DFE195.tmp Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\~DFE1A1.tmp Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\6BOC9KMJ\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\LCO7T9KT\smart-keystroke-recorder-pro-setup[1].exe/file05 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\LCO7T9KT\smart-keystroke-recorder-pro-setup[1].exe/file10 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\LCO7T9KT\smart-keystroke-recorder-pro-setup[1].exe Inno: infected - 2 skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[1].exe/file04 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[1].exe/file09 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[1].exe Inno: infected - 2 skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[2].exe/file04 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[2].exe/file09 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[2].exe Inno: infected - 2 skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[3].exe/file04 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[3].exe/file09 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[3].exe Inno: infected - 2 skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[4].exe/file04 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[4].exe/file09 Infected: not-a-virus:Monitor.Win32.SKRecorder.a skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\N7T3354W\smart-keystroke-recorder-setup[4].exe Inno: infected - 2 skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\QITFGQCT\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Craig's\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Craig's\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Ideazon\ZEngine\Zboard.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask .exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\QuickTime\qttask.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114947.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114948.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114949.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114950.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114951.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114952.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114953.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114973.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114974.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114975.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114977.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114978.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114979.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114987.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114989.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114990.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114991.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114992.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114993.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP504\A0114995.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115032.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115034.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115035.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115036.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115038.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP505\A0115040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115069.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115074.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115076.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115077.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115078.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115079.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115081.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115106.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115113.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115115.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115116.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115117.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115118.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP506\A0115120.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115179.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115180.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115181.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115182.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115183.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115184.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115186.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115190.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115204.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115205.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115206.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115208.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115209.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115210.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115211.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115212.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115213.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115274.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115279.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115281.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115282.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115283.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115284.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115286.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115287.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115288.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP507\A0115289.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115729.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115821.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115823.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115825.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115826.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115827.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115829.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115830.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115831.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP508\A0115832.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115877.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115882.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115883.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115886.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115888.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115889.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115890.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115891.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115892.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115893.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115900.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115925.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0115933.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP509\A0116937.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0116974.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0116975.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0116976.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0116978.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117238.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117244.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117244.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117244.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117248.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117249.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117252.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117254.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP511\A0117255.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117298.dll Infected: Trojan-Downloader.Win32.Small.hme skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117299.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117300.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117301.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117304.dll Infected: Trojan-Downloader.Win32.Small.hme skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118306.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118327.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118328.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118344.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118345.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118346.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP513\change.log Object is locked skipped
C:\VundoFix Backups\hkcmd.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\igfxpers.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\igfxtray.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Ir32_a.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\WINDOWS\system32\Ir32_b.exe Infected: Trojan-PSW.Win32.Maga

Edited by Joker2kill, 06 January 2008 - 01:25 PM.


#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Joker2kill

Welcome to G2Go. :)
==================
  • Download RenV.exe by sUBs to your desktop
  • Double click on it to run it
  • It will search your system drive looking for any modified .exe file and will produce a log for you.
    Posted Image

    Referring to the picture above, drag the log it produced into RenV.exe and attach the resulting report to your reply.
==============================================================================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
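The RenV report requested above lists executables whose names carry whitespace before ".exe" (the "hkcmd .exe" / "qttask      .exe" entries that show up in the reply below, alongside a bak\ folder holding the genuine binary in the ComboFix AWF section). As an added example that is not RenV's, ComboFix's or either poster's code, the script below parses report lines in that format, flags the padded names and derives the bak\ path where the displaced original would sit under that layout; the sample report is constructed from values in this thread, and the bak\ convention is assumed from the AWF listing.

```python
"""Triage a RenV-style report for the padded-extension trick this thread shows.

The RenV report and the ComboFix "AWF" section posted in this thread list
executables whose names carry whitespace before ".exe" ("hkcmd .exe",
"qttask      .exe") while the genuine binary sits in a bak\\ folder next to
them.  This added example (not RenV's or ComboFix's code) parses report lines
in that format, flags the padded names, and derives the bak\\ path where the
displaced original would be expected under that layout.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the RenV report format, using values from this thread.
SAMPLE_RENV_LOG = r"""Ran on Mon 01/07/2008 - 22:02:53.07

----a-w     5,674,352 2008-01-05 23:36:59  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w        77,824 2008-01-06 15:37:10  C:\WINDOWS\system32\hkcmd .exe
----a-w       286,720 2008-01-06 14:27:22  C:\Program Files\QuickTime\qttask      .exe
----a-w        77,824 2005-11-03 22:22:36  C:\WINDOWS\system32\bak\hkcmd.exe

 Entries:                4  (4)
 Directories:            0  Files:             4
"""

# One report entry: 7 attribute flags, a size with thousands separators, a
# timestamp, then a drive-letter path that may itself contain runs of blanks.
_RENV_LINE = re.compile(
    r"^(?P<attrs>[-A-Za-z]{7})\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Whitespace sitting directly in front of the final extension.
_PADDED_EXT = re.compile(r"\s+(\.[A-Za-z0-9]+)$")


@dataclass(frozen=True)
class RenvEntry:
    attrs: str
    size: int
    stamp: str
    path: str

    @property
    def name(self) -> str:
        # ntpath handles the backslash-separated Windows paths on any host OS.
        return ntpath.basename(self.path)

    @property
    def padded_extension(self) -> bool:
        """True for names such as 'hkcmd .exe' where blanks precede the extension."""
        return _PADDED_EXT.search(self.name) is not None

    @property
    def canonical_name(self) -> str:
        """The name with the padding stripped, i.e. what the real binary is called."""
        return _PADDED_EXT.sub(r"\1", self.name)

    @property
    def expected_backup(self) -> str:
        """<dir>\\bak\\<canonical name>: where the AWF listing shows the original (assumed layout)."""
        return ntpath.join(ntpath.dirname(self.path), "bak", self.canonical_name)


def parse_renv_line(line: str) -> Optional[RenvEntry]:
    """Return an entry for a report line, or None for header/summary/blank lines."""
    m = _RENV_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return RenvEntry(
        attrs=m.group("attrs"),
        size=int(m.group("size").replace(",", "")),
        stamp=m.group("stamp"),
        path=m.group("path"),
    )


def parse_renv_log(text: str) -> List[RenvEntry]:
    return [e for e in map(parse_renv_line, text.splitlines()) if e is not None]


def flag_padded(text: str) -> List[RenvEntry]:
    """Entries whose file name hides whitespace before the extension."""
    return [e for e in parse_renv_log(text) if e.padded_extension]


if __name__ == "__main__":
    for e in flag_padded(SAMPLE_RENV_LOG):
        print(f"{e.path!r} -> real name {e.canonical_name}, "
              f"check original at {e.expected_backup}")
```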

#3
Joker2kill

    New Member

  • Topic Starter
  • Member
  • 9 posts
Thanks for the reply! Here are the logs you asked for:
RV:
Ran on Mon 01/07/2008 - 22:02:53.07

----a-w		 5,674,352 2008-01-05 23:36:59  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w			77,824 2008-01-06 15:37:10  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-06 15:37:10  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-06 15:37:09  C:\WINDOWS\system32\igfxtray .exe
----a-w		   155,648 2008-01-05 21:29:22  C:\WINDOWS\system32\NeroCheck .exe

 Entries:				5  (5)
 Directories:			0  Files:			 5
 Bytes:		  6,124,912  Blocks:	   11,963


Combo:
ComboFix 08-01-07.1 - Craig's 2008-01-06 14:25:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.139 [GMT -5:00]
Running from: C:\Documents and Settings\Craig's\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\#SharedObjects\DSBJC2CX\iforex.com
C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\#SharedObjects\DSBJC2CX\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\#SharedObjects\DSBJC2CX\www.broadcaster.com
C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Craig's\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Common Files\{38967~1
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\embfxqhu.ini

<pre>
C:\Program Files\Alwil Software\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ---> GoogleToolbarNotifier.exe
C:\Program Files\Ideazon\ZEngine\Zboard .exe ---> Zboard.exe
C:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
C:\Program Files\QuickTime\qttask		  .exe ---> qttask.exe
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 14:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 11:59 . 2008-01-06 11:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-06 11:59 . 2008-01-06 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-06 11:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 10:55 . 2008-01-06 10:55 <DIR> d-------- C:\VundoFix Backups
2008-01-06 00:56 . 2008-01-06 00:56 100 --a------ C:\WINDOWS\wininit.ini
2008-01-06 00:23 . 2008-01-06 09:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-06 00:23 . 2008-01-06 00:23 <DIR> d-------- C:\Documents and Settings\Craig's\Application Data\SUPERAntiSpyware.com
2008-01-06 00:23 . 2008-01-06 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 23:55 . 2008-01-06 00:23 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-05 18:36 . 2005-11-03 17:21 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-01-05 16:19 . 2008-01-05 18:36 475 --ahs---- C:\WINDOWS\system32\jwitpgtv.ini
2008-01-04 12:13 . 2008-01-04 12:13 18,312 --a------ C:\Documents and Settings\Craig's\Application Data\GDIPFONTCACHEV1.DAT
2008-01-04 00:04 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-04 00:04 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-04 00:04 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-04 00:04 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-04 00:04 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-04 00:04 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-04 00:04 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-04 00:04 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-04 00:04 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-03 23:56 . 2008-01-03 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-03 23:56 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-03 23:28 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-03 23:28 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-03 23:28 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-03 23:04 . 2008-01-06 10:37 118,784 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-03 23:04 . 2008-01-06 10:37 98,304 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-03 23:04 . 2008-01-06 10:37 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-03 23:00 . 2008-01-03 23:00 <DIR> d-------- C:\Intel
2008-01-03 22:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-03 21:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-03 21:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-03 21:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-03 21:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-03 17:17 . 2008-01-05 16:29 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-25 23:30 . 2007-12-25 23:30 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-25 23:24 . 2008-01-05 16:47 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-18 21:47 . 2007-12-18 21:47 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-18 21:41 . 2007-12-18 22:11 69,421 --a------ C:\WINDOWS\hpoins05.dat
2007-12-18 21:41 . 2004-12-14 11:07 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-12-07 14:47 . 2007-12-07 14:47 <DIR> d-------- C:\Documents and Settings\Craig's\Application Data\PCF-VLC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 19:29 --------- d-----w C:\Program Files\QuickTime
2008-01-07 19:29 --------- d-----w C:\Program Files\iTunes
2008-01-06 16:49 --------- d-----w C:\Program Files\Java
2008-01-06 05:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 01:42 --------- d-----w C:\Program Files\MSN Messenger
2008-01-04 00:07 --------- d-----w C:\Program Files\VentSrv
2007-12-31 04:41 --------- d-----w C:\Program Files\Warcraft III
2007-12-19 02:47 --------- d-----w C:\Program Files\HP
2007-12-19 02:46 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-08 17:13 --------- d-----w C:\Program Files\Morpheus
2007-12-08 15:19 --------- d-----w C:\Program Files\Starcraft
2007-12-07 03:42 --------- d-----w C:\Documents and Settings\Craig's\Application Data\Participatory Culture Foundation
2007-12-07 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2007-12-06 23:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-06 23:43 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-06 23:09 --------- d-----w C:\Program Files\Microsoft Games
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-02 18:25 --------- d-----w C:\Program Files\Power Tab Software
2007-11-29 22:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-27 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2007-11-25 23:02 --------- d-----w C:\Program Files\Google
2007-11-20 19:51 --------- d-----w C:\Documents and Settings\Craig's\Application Data\GetRightToGo
2007-11-20 05:35 --------- d-----w C:\Documents and Settings\Craig's\Application Data\Turbine
2007-11-20 05:09 --------- d-----w C:\Program Files\Turbine
2007-11-18 23:23 --------- d-----w C:\Documents and Settings\Craig's\Application Data\Ventrilo
2007-11-18 22:56 --------- d-----w C:\Program Files\Ventrilo
2007-11-14 08:09 --------- d-----w C:\Program Files\iPod
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
<pre>
----a-w		 5,674,352 2008-01-05 23:36:59  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w			77,824 2008-01-06 15:37:10  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-06 15:37:10  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-06 15:37:09  C:\WINDOWS\system32\igfxtray .exe
----a-w		   155,648 2008-01-05 21:29:22  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 49,152 2004-09-13 22:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 49,263 2006-07-26 10:03:14 C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe

----a-w 282,624 2006-09-07 03:56:01 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2008-01-06 14:27:22 C:\Program Files\QuickTime\qttask.exe

----a-w 77,824 2005-11-03 22:22:36 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-11-03 22:26:30 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-11-03 22:25:48 C:\WINDOWS\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 14:22 68856]
"BitZip - Powered by Miro"="C:\Program Files\Participatory Culture Foundation\Miro\Miro.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 19:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 11:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-06 14:22 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 14:22 267048]
"d8967f50"="C:\WINDOWS\system32\uhqxfbme.dll" [ ]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-27 19:18:03]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-02-08 12:49]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-02-08 13:04]
S3 Alpham;Ideazon ZBoard Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys []
S3 azt2320;Aztech 2320 Audio Driver (WDM);C:\WINDOWS\system32\drivers\aztw2320.sys [2001-08-17 14:19]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 14:19]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2006-12-04 13:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 21:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-06 08:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 14:30:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 14:34:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 19:34:27
.
2008-01-05 21:32:47 --- E O F ---

Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 10:08:21 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Craig's\Desktop\Vundo\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask		  .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8967f50] rundll32.exe "C:\WINDOWS\system32\uhqxfbme.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitZip - Powered by Miro] C:\Program Files\Participatory Culture Foundation\Miro\Miro.exe --theme "BitZip"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.com/applet/applet_o.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Hope this helps, and thanks again! =)

Edited by kahdah, 06 January 2008 - 09:58 PM.

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\jwitpgtv.ini
    C:\WINDOWS\system32\uhqxfbme.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
    Click "Exit" to close OTMoveIt.

    **When ready to Reply on the forum, please Paste the content of the latest log which is located at the root of the drive where the OTMoveIt folder is:
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as Log.txt (Overwrite the existing one)
  • Change the Save as Type to All Files
  • and Save it on the desktop
    C:\Program Files\MSN Messenger\msnmsgr .exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\igfxpers .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\NeroCheck .exe

Posted Image


Referring to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.
=================================================================
After that, please run ComboFix again and post all three logs in your next reply:
    ComboFix log
    OTMoveIt log
    new RenV log

#5
Joker2kill
    New Member
  • Topic Starter
  • Member
  • 9 posts
Thanks Kahdah, Here are the logs you asked for:

Combofix:

ComboFix 08-01-07.1 - Craig's 2008-01-08 15:37:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT -5:00]
Running from: C:\Documents and Settings\Craig's\Desktop\Vundo\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-07 14:57 . 2008-01-07 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-06 14:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 11:59 . 2008-01-06 11:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-06 11:59 . 2008-01-06 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-06 11:49 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 10:55 . 2008-01-06 10:55 <DIR> d-------- C:\VundoFix Backups
2008-01-06 00:56 . 2008-01-06 00:56 100 --a------ C:\WINDOWS\wininit.ini
2008-01-06 00:23 . 2008-01-06 09:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-06 00:23 . 2008-01-06 00:23 <DIR> d-------- C:\Documents and Settings\Craig's\Application Data\SUPERAntiSpyware.com
2008-01-06 00:23 . 2008-01-06 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-05 23:55 . 2008-01-06 00:23 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-05 18:36 . 2005-11-03 17:21 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-01-04 12:13 . 2008-01-04 12:13 18,312 --a------ C:\Documents and Settings\Craig's\Application Data\GDIPFONTCACHEV1.DAT
2008-01-04 00:04 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-04 00:04 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-04 00:04 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-04 00:04 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-04 00:04 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-04 00:04 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-04 00:04 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-04 00:04 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-04 00:04 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-03 23:56 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-03 23:28 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-03 23:28 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-03 23:28 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-03 23:00 . 2008-01-03 23:00 <DIR> d-------- C:\Intel
2008-01-03 22:37 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-03 21:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-03 21:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-03 21:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-03 21:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-25 23:30 . 2007-12-25 23:30 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-25 23:24 . 2008-01-05 16:47 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-18 21:47 . 2007-12-18 21:47 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-18 21:41 . 2007-12-18 22:11 69,421 --a------ C:\WINDOWS\hpoins05.dat
2007-12-18 21:41 . 2004-12-14 11:07 19,696 --------- C:\WINDOWS\hpomdl05.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 20:37 --------- d-----w C:\Program Files\MSN Messenger
2008-01-07 19:29 --------- d-----w C:\Program Files\QuickTime
2008-01-07 19:29 --------- d-----w C:\Program Files\iTunes
2008-01-06 16:49 --------- d-----w C:\Program Files\Java
2008-01-06 05:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 00:07 --------- d-----w C:\Program Files\VentSrv
2007-12-31 04:41 --------- d-----w C:\Program Files\Warcraft III
2007-12-19 02:47 --------- d-----w C:\Program Files\HP
2007-12-19 02:46 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-08 17:13 --------- d-----w C:\Program Files\Morpheus
2007-12-08 15:19 --------- d-----w C:\Program Files\Starcraft
2007-12-07 19:47 --------- d-----w C:\Documents and Settings\Craig's\Application Data\PCF-VLC
2007-12-07 03:42 --------- d-----w C:\Documents and Settings\Craig's\Application Data\Participatory Culture Foundation
2007-12-07 03:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2007-12-06 23:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-06 23:43 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-06 23:09 --------- d-----w C:\Program Files\Microsoft Games
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-02 18:25 --------- d-----w C:\Program Files\Power Tab Software
2007-11-29 22:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-27 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2007-11-25 23:02 --------- d-----w C:\Program Files\Google
2007-11-20 19:51 --------- d-----w C:\Documents and Settings\Craig's\Application Data\GetRightToGo
2007-11-20 05:35 --------- d-----w C:\Documents and Settings\Craig's\Application Data\Turbine
2007-11-20 05:09 --------- d-----w C:\Program Files\Turbine
2007-11-18 23:23 --------- d-----w C:\Documents and Settings\Craig's\Application Data\Ventrilo
2007-11-18 22:56 --------- d-----w C:\Program Files\Ventrilo
2007-11-14 08:09 --------- d-----w C:\Program Files\iPod
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 08:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 20:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 20:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
.

((((((((((((((((((((((((((((( [email protected]_14.34.10.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-08 20:12:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_540.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 49,152 2004-09-13 22:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 49,263 2006-07-26 10:03:14 C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe

----a-w 282,624 2006-09-07 03:56:01 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2008-01-06 14:27:22 C:\Program Files\QuickTime\qttask.exe

----a-w 77,824 2005-11-03 22:22:36 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-11-03 22:26:30 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-11-03 22:25:48 C:\WINDOWS\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 14:22 68856]
"BitZip - Powered by Miro"="C:\Program Files\Participatory Culture Foundation\Miro\Miro.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 19:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 11:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-06 14:22 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 14:22 267048]
"d8967f50"="C:\WINDOWS\system32\uhqxfbme.dll" [ ]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-11-27 19:18:03]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-02-08 12:49]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-02-08 13:04]
S3 Alpham;Ideazon ZBoard Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys []
S3 azt2320;Aztech 2320 Audio Driver (WDM);C:\WINDOWS\system32\drivers\aztw2320.sys [2001-08-17 14:19]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 14:19]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2006-12-04 13:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 21:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-06 08:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 15:38:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 15:39:46
ComboFix-quarantined-files.txt 2008-01-08 20:39:37
ComboFix2.txt 2008-01-07 19:34:30
.
2008-01-05 21:32:47 --- E O F ---


RenV:

Ran on Tue 01/08/2008 - 15:49:33.84

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0


OTmoveit:

C:\WINDOWS\system32\jwitpgtv.ini moved successfully.
File/Folder C:\WINDOWS\system32\uhqxfbme.dll not found.

Created on 01/08/2008 15:32:14


Hope these help. =)

#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
One infection is out of the way.
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the infected files and their backups, then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

#7
Joker2kill
    New Member
  • Topic Starter
  • Member
  • 9 posts
Glad we're making some progress =) Thanks again for the reply; here's the log you asked for:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 01/09/2008
The current time is: 16:56:58.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

09/06/2006 10:56 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/03/2005 05:22 PM 77,824 hkcmd.exe
11/03/2005 05:26 PM 118,784 igfxpers.exe
11/03/2005 05:25 PM 98,304 igfxtray.exe
3 File(s) 294,912 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

09/13/2004 05:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

07/26/2006 05:03 AM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jan 6 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 6 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 20 2004 "C:\hp\drivers\video\video_intel\hkcmd.exe"
77824 Nov 3 2005 "C:\pnp\video\intel\Win2000\hkcmd.exe"
163840 Jan 13 2007 "C:\WINDOWS\system32\DRVSTORE\igxp32_757949EFDD70357EE37252D828ACA09CDF5C75B7\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Nov 3 2005 "C:\pnp\video\intel\Win2000\igfxpers.exe"
135168 Jan 13 2007 "C:\WINDOWS\system32\DRVSTORE\igxp32_757949EFDD70357EE37252D828ACA09CDF5C75B7\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxpers.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Aug 20 2004 "C:\hp\drivers\video\video_intel\igfxtray.exe"
98304 Nov 3 2005 "C:\pnp\video\intel\Win2000\igfxtray.exe"
131072 Jan 13 2007 "C:\WINDOWS\system32\DRVSTORE\igxp32_757949EFDD70357EE37252D828ACA09CDF5C75B7\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"


end of report

#8
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Insert Files to be moved

    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\WINDOWS\system32\bak\igfxpers.exe"
    "C:\WINDOWS\system32\bak\igfxtray.exe"
    "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
    "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

#9
Joker2kill
    New Member
  • Topic Starter
  • Member
  • 9 posts
Thanks for the reply again =) Here's the log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 01/09/2008
The current time is: 19:31:08.87


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

09/06/2006 10:56 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/03/2005 05:22 PM 77,824 hkcmd.exe
11/03/2005 05:26 PM 118,784 igfxpers.exe
11/03/2005 05:25 PM 98,304 igfxtray.exe
3 File(s) 294,912 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

09/13/2004 05:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

07/26/2006 05:03 AM 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Sep 6 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 6 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 20 2004 "C:\hp\drivers\video\video_intel\hkcmd.exe"
77824 Nov 3 2005 "C:\pnp\video\intel\Win2000\hkcmd.exe"
163840 Jan 13 2007 "C:\WINDOWS\system32\DRVSTORE\igxp32_757949EFDD70357EE37252D828ACA09CDF5C75B7\hkcmd.exe"
77824 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\hkcmd.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Nov 3 2005 "C:\pnp\video\intel\Win2000\igfxpers.exe"
135168 Jan 13 2007 "C:\WINDOWS\system32\DRVSTORE\igxp32_757949EFDD70357EE37252D828ACA09CDF5C75B7\igfxpers.exe"
118784 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxpers.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Aug 20 2004 "C:\hp\drivers\video\video_intel\igfxtray.exe"
98304 Nov 3 2005 "C:\pnp\video\intel\Win2000\igfxtray.exe"
131072 Jan 13 2007 "C:\WINDOWS\system32\DRVSTORE\igxp32_757949EFDD70357EE37252D828ACA09CDF5C75B7\igfxtray.exe"
98304 Nov 3 2005 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"


end of report

#10
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
You are welcome :)
===============
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Insert Folders to be removed

    C:\Program Files\QuickTime\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\HP\HP Software Update\bak
    C:\Program Files\Java\jre1.5.0_08\bin\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

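The swap kahdah describes in #6, and the restore and clean-up steps from #8 and #10, written out as an added example. This is not part of the thread and is not the FindAWF tool; it is a Python reimplementation of the same three operations (find bak folders, copy each backup over its live sibling, delete the bak folders), plus a check for the "qttask .exe" naming trick visible in the HijackThis log. The sample directory tree, the file bodies and the Run-key command lines are constructed for the demo from names in the logs above; sizes and contents are placeholders, not the real files.

```python
"""Added example (not the FindAWF tool): undo the Downloader.Agent.awf swap.

The trojan moves a legitimate autorun executable into a sibling folder named
'bak' and drops its own file under the original name, or under a look-alike
such as 'qttask .exe' with a space before the extension. Finding the 'bak'
folders, diffing each backup against its live sibling, and copying the backup
back reverses the swap. The sample tree and Run-key values are constructed.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed Run-key command lines modelled on the HijackThis log above.
SAMPLE_RUN_VALUES = [
    r'"C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'"C:\Program Files\iTunes\iTunesHelper.exe"',
    r'rundll32.exe "C:\WINDOWS\system32\uhqxfbme.dll",b',
    r'C:\WINDOWS\System32\igfxtray.exe',
]
# A space right before the extension ("qttask .exe") is the look-alike trick.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|scr|com)\b", re.IGNORECASE)


def sha256(path: Path) -> str:
    """Hex SHA-256 of a file, used to tell whether the live file is the backup."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: Path) -> list[Path]:
    """Every directory named 'bak' (any case) under root: FindAWF option 1."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")


def compare_bak(bak_dir: Path) -> list[dict]:
    """Diff each backup against the same-named file in the parent directory."""
    records = []
    for backup in sorted(p for p in bak_dir.iterdir() if p.is_file()):
        live = bak_dir.parent / backup.name
        exists = live.is_file()
        records.append({
            "name": backup.name,
            "bak_size": backup.stat().st_size,
            "live_size": live.stat().st_size if exists else None,
            "live_exists": exists,
            # Equal hashes mean the swap is already undone (or never happened).
            "same_hash": exists and sha256(live) == sha256(backup),
        })
    return records


def restore_from_bak(bak_dir: Path, dry_run: bool = True) -> list[str]:
    """Copy each differing backup over its live sibling: FindAWF option 2."""
    restored = []
    for rec in compare_bak(bak_dir):
        if rec["same_hash"]:
            continue
        if not dry_run:
            shutil.copy2(bak_dir / rec["name"], bak_dir.parent / rec["name"])
        restored.append(rec["name"])
    return restored


def remove_bak_folders(root: Path) -> int:
    """Delete the now-redundant 'bak' folders: FindAWF option 3. Returns the count."""
    folders = find_bak_folders(root)
    for folder in folders:
        shutil.rmtree(folder)
    return len(folders)


def suspicious_run_values(values: list[str]) -> list[str]:
    """Autorun command lines whose target name has a space before its extension."""
    return [v for v in values if SPACE_BEFORE_EXT.search(v)]


def build_sample_tree() -> Path:
    """Constructed fixture mirroring the thread's layout; file bodies are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="awf_"))
    layout = {
        "Program Files/QuickTime/qttask.exe": b"MZ trojan stub",
        "Program Files/QuickTime/bak/qttask.exe": b"MZ legitimate QuickTime task",
        "WINDOWS/system32/hkcmd.exe": b"MZ trojan stub",
        "WINDOWS/system32/bak/hkcmd.exe": b"MZ legitimate Intel hotkey",
        # Backup whose live sibling is already gone: restore recreates it.
        "WINDOWS/system32/bak/igfxpers.exe": b"MZ legitimate Intel persistence",
    }
    for rel, data in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Usage: call build_sample_tree(), then find_bak_folders() and compare_bak() on each result for the report stage (restore_from_bak() is a dry run by default and only lists what it would copy); pass dry_run=False to copy the backups back, and call remove_bak_folders() once every record reports same_hash. On a real drive the hash comparison is the check that matters: a bak entry that already matches its live sibling was never swapped (or was already restored), so only the differing ones are touched.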


#11
Joker2kill
    New Member
  • Topic Starter
  • Member
  • 9 posts
Here yah go =):


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Wed 01/09/2008
The current time is: 19:50:46.53


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#12
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================================================
Please download SUPERAntiSpyware Home Edition (free version).
Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Scan for Alternate Data streams
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

*Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Then run Superantispyware.
  • Double click on the icon to start Superantispyware.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me, please do the following:
1. After reboot, double-click the SUPERAntiSpyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.
6. Click close and close again to exit the program.
Save the log information. If needed (still infected), paste this info along with your HijackThis log.

#13
Joker2kill
    New Member
  • Topic Starter
  • Member
  • 9 posts
Ugh! I scanned and that stupid Vundo came up (I thought I got rid of that =\). Well, here are the logs...

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 8:57:14 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Craig's\Desktop\Vundo\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8967f50] rundll32.exe "C:\WINDOWS\system32\uhqxfbme.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitZip - Powered by Miro] C:\Program Files\Participatory Culture Foundation\Miro\Miro.exe --theme "BitZip"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.c...et/applet_o.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/09/2008 at 08:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3375
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:43:36

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 5773
Registry threats detected : 0
File items scanned : 54230
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Craig's\Cookies\craig'[email protected][1].txt

Trojan.Unclassifed/AffiliateBundle
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117298.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117304.DLL

Trojan.Vundo/Variant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117299.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117300.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117301.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118304.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118326.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118327.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117305.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0117306.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118323.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP512\A0118324.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP513\A0118371.DLL
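As an added illustration (my code, not part of the thread and not HijackThis code), the Python script below applies three heuristics to O4 Run entries like the ones in the log above: a Run value whose name is eight random hex digits, rundll32 loading a DLL from system32 whose name is eight random lowercase letters (the pattern of Vundo-family loaders), and an image name with a space before .exe, as in the "qttask .exe" entry. The sample lines are constructed from the posted log, not the full log; the eight-character thresholds are assumptions tuned to this log, not a general rule.

```python
import re

# Constructed sample: a few O4 lines in HijackThis 1.99.1 format, modelled on
# the log posted above (not the complete log).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8967f50] rundll32.exe "C:\WINDOWS\system32\uhqxfbme.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed heuristics: 8 hex digits as a value name, 8 lowercase letters as a DLL stem.
HEX8_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


def first_image(cmd):
    """Return the executable path of a Run value (the quoted string, else the first token)."""
    m = re.match(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(text):
    """Return [(value name, command, [reasons])] for Run entries that trip a heuristic."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        reasons = []
        if HEX8_RE.match(name):
            reasons.append("Run value name is 8 random hex digits")
        r = RUNDLL_RE.match(cmd)
        if r:
            dll = r.group("dll")
            stem = dll.rsplit("\\", 1)[-1][:-4].lower()  # strip directory and ".dll"
            if RANDOM_STEM_RE.match(stem):
                reasons.append("rundll32 loads a DLL with an 8-letter random name: " + dll)
        image = first_image(cmd)
        if re.search(r"\S \.exe$", image, re.I):
            reasons.append("space before .exe in image name (mimics a legitimate binary): " + image)
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in triage_o4(SAMPLE_O4):
        print(f"[{name}] {cmd}")
        for why in reasons:
            print("    -", why)
```

Run against the sample, the script flags only the [QuickTime Task] and [d8967f50] entries; the vendor entries (avast!, iTunesHelper, igfxtray, ctfmon.exe) pass, which is the point of matching on naming pattern rather than on a fixed list of bad file names, since Vundo variants renamed the DLL on each install.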

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Everything found that says Vundo has been deleted; what shows in this log is deleted items that are in System Restore points.
We will clean them now.

1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.


How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405
==================
After that Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
===============================
Post that log and a new Hijackthis log as well.

#15
Joker2kill

    New Member

  • Topic Starter
  • Member
  • 9 posts
Here yah go:

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:55 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Craig's\Desktop\Vundo\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d8967f50] rundll32.exe "C:\WINDOWS\system32\uhqxfbme.dll",b
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitZip - Powered by Miro] C:\Program Files\Participatory Culture Foundation\Miro\Miro.exe --theme "BitZip"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://static.35mb.c...et/applet_o.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 09, 2008 9:59:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/01/2008
Kaspersky Anti-Virus database records: 504494
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 59719
Number of viruses found: 3
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 00:42:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Craig's\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
C:\Documents and Settings\Craig's\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\6.0\12\3343c00c-5b965d82/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\6.0\12\3343c00c-5b965d82 ZIP: infected - 1 skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-3e30e928/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\6.0\36\d4e61e4-3e30e928 ZIP: infected - 1 skipped
C:\Documents and Settings\Craig's\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Craig's\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\History\History.IE5\MSHist012008010920080110\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\JET41D6.tmp Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\~DF73B0.tmp Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temp\~DF73BC.tmp Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Craig's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Craig's\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Craig's\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Ideazon\ZEngine\Zboard.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6E504182-C0FB-4384-B5F4-5EA641F0F436}\RP1\change.log Object is locked skipped
C:\VundoFix Backups\hkcmd.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\igfxpers.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\igfxtray.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Ir32_a.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\WINDOWS\system32\Ir32_b.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_540.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
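As an added example (my code, not from the thread or from Kaspersky), this Python snippet does the triage kahdah's reply applies by eye: it keeps only "Infected:" verdicts from a report in the format above, ignores the "Object is locked" lines (in-use system files the scanner could not open) and the "ZIP: infected" archive wrappers, and buckets each hit by location, so detections sitting in the QooBox quarantine, VundoFix Backups or a System Restore point (copies of already-removed files) are separated from a still-live path such as C:\WINDOWS\system32\Ir32_a.exe. The sample lines are a constructed subset of the posted report; the bucket names and the prefix list are my assumptions.

```python
import re

# Constructed sample: a subset of lines in the format of the Kaspersky Online
# Scanner report posted above (path, then verdict, then last action).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Craig's\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\6.0\12\3343c00c-5b965d82/HiPointInstallShieldRT.class Infected: Trojan-Downloader.Java.OpenConnection.ap skipped
C:\Documents and Settings\Craig's\Application Data\Sun\Java\Deployment\cache\6.0\12\3343c00c-5b965d82 ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\hkcmd.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\system32\Ir32_a.exe Infected: Trojan-PSW.Win32.Magania.hh skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Only "Infected:" verdicts count. "Object is locked" lines are files the scanner
# could not open, and "ZIP: infected - N" is the archive wrapper around a member
# that is already reported on its own line.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<sig>\S+) skipped$")

# Assumed buckets, checked in order; the first case-insensitive substring match wins.
BUCKETS = (
    ("neutralised", ("\\qoobox\\quarantine\\",          # ComboFix quarantine
                     "\\vundofix backups\\",            # VundoFix backups
                     "\\system volume information\\_restore")),  # restore points
    ("cache", ("\\sun\\java\\deployment\\cache\\",)),   # Java applet cache
)


def classify(path):
    """Bucket a detection by where it sits: tool quarantine/backup, a cache, or live."""
    p = path.lower()
    for bucket, needles in BUCKETS:
        if any(n in p for n in needles):
            return bucket
    return "live"


def triage_report(text):
    """Return {bucket: [(path, signature), ...]} for every Infected: line in the report."""
    out = {"live": [], "neutralised": [], "cache": []}
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            out[classify(m.group("path"))].append((m.group("path"), m.group("sig")))
    return out


if __name__ == "__main__":
    for bucket, hits in triage_report(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)}")
        for path, sig in hits:
            print(f"    {sig:40} {path}")
```

On the sample this leaves one live hit (Ir32_a.exe, Trojan-PSW.Win32.Magania.hh), two neutralised copies and one Java cache entry; the "neutralised" prefix for restore points also matches the `_RESTORE{...}` paths in the SUPERAntiSpyware log earlier in the thread, which is exactly the set the System Restore off/on cycle is meant to purge.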