Avira AntiVir seemed to catch the most after a 4-hour scan. Rebooted, ran Hijack again; a lot has been deleted by Avira, according to the first Hijack scan I ran, which didn't get rid of most if not all.
One of the problems I'm having, other than not knowing what the [bleep] I'm doing, is: which EXEs do I need? For startup and process runs? I know that a few that are in quarantine, which I looked up, could be infected but are still essential to my running processes.
I did turn off System Restore before downloading and running the AntiVir.
OK, here are my logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:46 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MediaFace Integration] "C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Ceedo AutoDetect] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe" /active
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8551 bytes
Avira AntiVir log:
AntiVir PersonalEdition Classic
Report file date: Sunday, February 03, 2008 07:08
Scanning for 1089295 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name:
Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 12:07:32
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 1/25/2008 12:07:32
ANTIVIR3.VDF : 7.0.2.82 259072 Bytes 2/1/2008 12:07:32
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/3/2008 12:07:33
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/3/2008 12:07:33
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Sunday, February 03, 2008 07:08
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'mcvsshld.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ssu.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'mcuimgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Playlist.exe' - '1' Module(s) have been scanned
Scan process 'AutoDetect .exe' - '1' Module(s) have been scanned
Scan process 'apdproxy .exe' - '1' Module(s) have been scanned
Scan process 'jusched .exe' - '1' Module(s) have been scanned
Scan process 'RxMon .exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI .exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx .exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k .exe' - '1' Module(s) have been scanned
Scan process 'AutoDetect.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe'
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe'
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe'
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'RxMon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe'
Scan process 'hpqcmon .exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Multimedia Card Reader\shwicon2k.exe'
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe'
Scan process 'ehtray .exe' - '1' Module(s) have been scanned
Scan process 'hpqcmon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe'
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'mcagent.exe' - '1' Module(s) have been scanned
Scan process 'k2server.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'MpfSrv.exe' - '1' Module(s) have been scanned
Scan process 'mcsysmon.exe' - '1' Module(s) have been scanned
Scan process 'Mcshield.exe' - '1' Module(s) have been scanned
Scan process 'RedirSvc.exe' - '1' Module(s) have been scanned
Scan process 'mcpromgr.exe' - '1' Module(s) have been scanned
Scan process 'mcods.exe' - '1' Module(s) have been scanned
Scan process 'McNASvc.exe' - '1' Module(s) have been scanned
Scan process 'mcmscsvc.exe' - '1' Module(s) have been scanned
Scan process 'HWAPI.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'ehsched.exe' - '1' Module(s) have been scanned
Scan process 'k2admin.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
64 processes with 64 modules were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Starting to scan the registry.
C:\hp\KBD\KBD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e9b1a3.qua'!
C:\hp\KBD\KBD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\hp\bin\AUTOTKIT.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47f9b1ba.qua'!
C:\hp\bin\AUTOTKIT.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e8b1af.qua'!
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
The registry was scanned ( '31' files ).
Starting the file scan:
Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator\Local Settings\Temp\AutoDetect.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Documents and Settings\Administrator\My Documents\My eBooks\BlockingBetter2Dollars.zip
[0] Archive type: ZIP
--> FreeSpeedDrillsEbook_e.hta
[DETECTION] Contains suspicious code HEUR/Exploit.HTML
[INFO] The file was moved to '4814ba34.qua'!
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d7c1c1312323370.bup
[DETECTION] Contains detection pattern of the exploits EXP/Office.Dropper.Gen
[INFO] The file was moved to '47dcbe4c.qua'!
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d822103933c0.bup
[DETECTION] Contains detection pattern of the exploits EXP/Office.Dropper.Gen
[INFO] The file was moved to '47ddbe4e.qua'!
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7d822103b6d0.bup
[DETECTION] Contains detection pattern of the exploits EXP/Office.Dropper.Gen
[INFO] The file was moved to '43357d17.qua'!
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was moved to '481fc70a.qua'!
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480cc7a0.qua'!
C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819c873.qua'!
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480dc914.qua'!
C:\Program Files\iTunes\iTunesHelper.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481acb81.qua'!
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819d348.qua'!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819d349.qua'!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819d34a.qua'!
C:\Program Files\QuickTime\qttask .exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '497b433b.qua'!
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480cd37d.qua'!
C:\Program Files\Sony\SonicStage\SsAAD.exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e6d3ab.qua'!
C:\sj655\HPD873~1 .EXE
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47e9d459.qua'!
C:\VundoFix Backups\ekwqbmci.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '481cd47b.qua'!
C:\VundoFix Backups\hkcmd.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4808d47d.qua'!
C:\VundoFix Backups\hphmon05.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480dd482.qua'!
C:\VundoFix Backups\hpsysdrv.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4818d483.qua'!
C:\VundoFix Backups\hpztsb09.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '481fd484.qua'!
C:\VundoFix Backups\mljjh.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480fd480.qua'!
C:\VundoFix Backups\mljjh.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '480fd481.qua'!
C:\VundoFix Backups\ps2.exe.bad
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47d7d489.qua'!
C:\VundoFix Backups\rmqqhdnp.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '4816d483.qua'!
C:\WINDOWS\eHome\ehtray.exe.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\dflaqyai.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4811df7f.qua'!
C:\WINDOWS\system32\kdmcd.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\LE786.tmp
[DETECTION] Contains detection pattern of the dropper DR/Scapur.K.18
[INFO] The file was moved to '47dcdf7e.qua'!
C:\WINDOWS\system32\RCX43.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fddfa4.qua'!
C:\WINDOWS\system32\RCX4C.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fddfa5.qua'!
C:\WINDOWS\system32\RCX5C.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fddfa6.qua'!
C:\WINDOWS\Temp\RCX3A4.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde071.qua'!
C:\WINDOWS\Temp\RCX3A7.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde072.qua'!
C:\WINDOWS\Temp\RCX3AD.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde074.qua'!
C:\WINDOWS\Temp\RCX3B3.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde075.qua'!
C:\WINDOWS\Temp\RCX3B9.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde076.qua'!
C:\WINDOWS\Temp\RCX3BC.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47fde077.qua'!
C:\WINDOWS\Temp\RCX3BF.tmp
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '469f7008.qua'!
Begin scan in 'D:\' <HP_RECOVERY>
End of the scan: Sunday, February 03, 2008 10:58
Used time: 3:50:01 min
The scan has been done completely.
7987 Scanning directories
556327 Files were scanned
59 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
40 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
556268 Files not concerned
22445 Archives were scanned
15 Warnings
5 Notes
Previous Hijack log of startups, before AntiVir:
StartupList report, 2/2/2008, 12:57:10 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrator\My Documents\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ehTray = C:\WINDOWS\ehome\ehtray.exe
CamMonitor = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
HPHUPD05 = "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
KBD = C:\HP\KBD\KBD.EXE
AutoTKit = C:\hp\bin\AUTOTKIT.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
Sunkist2k = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioAudioCentral = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
AlcxMonitor = ALCXMNTR.EXE
Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
MediaFace Integration = "C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BackupNotify = c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
Ceedo AutoDetect = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect.exe" /active
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Ceedo Repair = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoDetect .exe" /repair /drive=
DelayShred = "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse5.SH!
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[AutorunsDisabled]
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PS2 = C:\WINDOWS\system32\ps2.exe
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\mljjh.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Task Scheduler jobs:
McDefragTask.job
McQcTask.job
--------------------------------------------------
Enumerating Download Program Files:
[WebInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webinst.dll
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse5.tmp|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse5.SH!|||
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
--------------------------------------------------
End of report, 9,151 bytes
Report generated in 0.157 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Edited by angigonefishin, 03 February 2008 - 01:26 PM.