Popups [RESOLVED]


#1
charles97
    Member
  • 13 posts
Hi, I'm getting popups on my comp. I also get a lot of error messages when I start my computer; I think it's because the startup registries have been messed with by a program. I would be very grateful for any help you can provide me with.


Here we go.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:57 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: {5c582a0d-2ed3-ccab-69c4-dc1cf607e3f3} - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - C:\WINDOWS\system32\wkgbsjec.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5b0d1249-81e3-4732-94f3-ca40fe23fe0e} - (no file)
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - C:\WINDOWS\system32\otfmjbg.dll
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\hggebbc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [98323b35] rundll32.exe "C:\WINDOWS\system32\anhqvhhe.dll",b
O4 - HKLM\..\Run: [BM9b0108a9] Rundll32.exe "C:\WINDOWS\system32\aehgkhhn.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Pais] "C:\WINDOWS\system32\PPATCH~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Pat\smss.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F5B83F-3533-46F8-9B6C-0D6EB36EBCC4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0C9849-087F-4315-BB0F-8F5F1EBE56D7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E78678BB-0DE1-419A-BBCA-3014E278A8CE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: evenmgr - evenmgr.dll (file missing)
O20 - Winlogon Notify: hggebbc - C:\WINDOWS\SYSTEM32\hggebbc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9673 bytes

Again, the work you guys do here is phenomenal. All help is greatly appreciated. Thanks.

Charles
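The HijackThis log above is read by eye in this thread. As an added example (not code from the thread, from Geeks to Go, or from Trend Micro's HijackThis), here is a small Python triage script that parses lines in that format and flags the kinds of indicators a malware-removal helper looks for first: entries marked "(file missing)" or "(no file)" (a remover deleted the file but left the autostart key), paths containing "?" (HijackThis prints non-ASCII characters that way, so `M?crosoft.NET\t?skmgr.exe` is a lookalike of a Windows name), core process names such as smss.exe running from anywhere but System32, rundll32 loading a DLL by a one-letter export, and the O17/O18/O20 sections that merit a look whenever they appear. The sample lines are copied from the log above; the heuristic names, the `CORE_PROCESSES` set and the section rules are my own assumptions, not part of HijackThis.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - C:\WINDOWS\system32\awtqq.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [98323b35] rundll32.exe "C:\WINDOWS\system32\anhqvhhe.dll",b
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Pat\smss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: evenmgr - evenmgr.dll (file missing)
"""

# Assumption: Windows core processes that legitimately run only from %SystemRoot%\System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# "O4 - <body>": section tag, dash, the rest of the entry.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Any drive-letter path ending in .exe/.dll, split into directory (with trailing \) and file name.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\\)([^\\"\n]+?\.(?:exe|dll))', re.IGNORECASE)
# rundll32 loading a quoted DLL by a one- or two-letter export name.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+",\w{1,2}$', re.IGNORECASE)

# Assumption: sections that deserve a look whenever they appear at all.
SECTION_RULES = {
    "O17": ("dns-override", "NameServer overridden; confirm the addresses are ones you configured"),
    "O18": ("protocol-or-filter-hook", "URL protocol or MIME filter hooked into Internet Explorer"),
    "O20": ("early-load-hook", "AppInit_DLLs / Winlogon Notify load a DLL into every session"),
}


@dataclass(frozen=True)
class Finding:
    section: str
    code: str
    why: str
    line: str


def inspect_entry(line: str) -> list[Finding]:
    """Apply each heuristic to one HijackThis line; a line may yield several findings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    found: list[Finding] = []

    def flag(code: str, why: str) -> None:
        found.append(Finding(section, code, why, line.strip()))

    if "(file missing)" in body or "(no file)" in body:
        flag("orphan-entry", "autostart entry points at a file that no longer exists; "
             "a remover deleted the file but left the registry key")
    for directory, filename in PATH_RE.findall(body):
        if "?" in directory or "?" in filename:
            flag("lookalike-path", "HijackThis prints non-ASCII characters as '?'; "
                 "the path imitates a Windows name with substituted letters")
        if (filename.lower() in CORE_PROCESSES
                and not directory.lower().rstrip("\\").endswith("\\system32")):
            flag("core-process-outside-system32",
                 f"{filename} is a Windows core process name but runs from {directory}")
    if RUNDLL_RE.search(body):
        flag("rundll32-short-export", "rundll32 loading a DLL by a one-letter export name; "
             "no vendor entry in this log uses that pattern")
    if section in SECTION_RULES:
        flag(*SECTION_RULES[section])
    return found


def triage(log_text: str) -> list[Finding]:
    """Run inspect_entry over every line of a HijackThis log."""
    return [f for line in log_text.splitlines() for f in inspect_entry(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per heuristic code for a quick overview."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.code}: {f.why}\n    {f.line}")
    print(summarize(hits))
```

Every finding is a prompt to look, not a verdict: the O17 entries in this log point at the OpenDNS resolvers 208.67.220.220 and 208.67.222.222, which the user may well have configured himself, so that rule reports the override rather than condemning it, and a "(file missing)" entry is an orphaned key to clean up, not a live infection. Running the script on the sample prints nine flagged lines out of eleven; the Adobe BHO and SoundMan entries pass untouched.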

#2
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Hi Charles97

Welcome to geekstogo :) I can see the malware that is causing the popups, so let's deal with that first.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

andrewuk

#3
charles97
    Member
  • Topic Starter
  • 13 posts
Wow, what a program lol. OK, here are the two logs. ComboFix first.

ComboFix 08-02-14.2 - Pat 2008-02-15 15:24:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1564 [GMT -8:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hggebbc.dll
C:\Documents and Settings\Pat\Application Data\tmp116.tmp.exe
C:\Documents and Settings\Pat\Application Data\tmp12A.tmp.exe
C:\Documents and Settings\Pat\Application Data\tmpBF.tmp.exe
C:\Documents and Settings\Pat\Application Data\tmpC7.tmp.exe
C:\Documents and Settings\Pat\Application Data\tmpCC.tmp.exe
C:\Documents and Settings\Pat\Application Data\tmpFB.tmp.exe
C:\Documents and Settings\Pat\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Pat\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Pat\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack12.exe
C:\Program Files\QdrPack\trgts.gz
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\system32\{BFB10077-97D3-4E2B-A307-CA07D9922553}.exe
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\bblfipul.dll
C:\WINDOWS\system32\gvbmvyok.dll
C:\WINDOWS\system32\hggebbc.dll
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\otfmjbg.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\ppatch~1\??pPatch\
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\vcatulet.dll
C:\WINDOWS\system32\xmplgiqy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_WINDOWS_MANAGEMENT_SERVICE


((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 14:53 . 2008-02-15 14:54 4,099 --a------ C:\WINDOWS\system32\geedc.dll
2008-02-15 14:46 . 2008-02-15 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-15 11:28 . 2008-02-15 14:36 13,087 --a------ C:\WINDOWS\BM9b0108a9.xml
2008-02-15 11:28 . 2008-02-15 14:24 22 --a------ C:\WINDOWS\pskt.ini
2008-02-14 00:44 . 2008-02-15 11:27 594 --ahs---- C:\WINDOWS\system32\lmivwvmr.ini
2008-02-14 00:38 . 2008-02-14 00:38 294 --ahs---- C:\WINDOWS\system32\vljomwuy.ini
2008-02-13 22:46 . 2008-02-15 14:46 <DIR> d-------- C:\VundoFix Backups
2008-02-13 18:15 . 2008-02-13 22:32 1,554 --ahs---- C:\WINDOWS\system32\uvalpwbn.ini
2008-02-13 18:09 . 2008-02-13 18:10 1,374 --ahs---- C:\WINDOWS\system32\tnjnkqeo.ini
2008-02-13 17:08 . 2008-02-13 17:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-13 17:08 . 2008-02-13 17:08 3,442 --a------ C:\WINDOWS\unins000.dat
2008-02-13 16:48 . 2008-02-13 18:03 1,314 --ahs---- C:\WINDOWS\system32\wywigxac.ini
2008-02-13 16:45 . 2008-02-13 16:45 1,134 --ahs---- C:\WINDOWS\system32\jmhthjki.ini
2008-02-12 16:46 . 2008-02-13 16:45 1,074 --ahs---- C:\WINDOWS\system32\apladkrk.ini
2008-02-12 16:43 . 2008-02-12 16:43 894 --ahs---- C:\WINDOWS\system32\wbtervqo.ini
2008-02-11 15:47 . 2008-02-12 16:34 834 --ahs---- C:\WINDOWS\system32\hlixjiym.ini
2008-02-11 15:44 . 2008-02-11 15:45 594 --ahs---- C:\WINDOWS\system32\opqwfrak.ini
2008-02-11 14:47 . 2008-02-11 14:48 534 --ahs---- C:\WINDOWS\system32\hnqhljtb.ini
2008-02-11 14:41 . 2008-02-11 14:42 474 --ahs---- C:\WINDOWS\system32\jatuklyx.ini
2008-02-10 14:40 . 2008-02-10 14:40 1,074 --ahs---- C:\WINDOWS\system32\pubnvjkv.ini
2008-02-10 14:40 . 2008-02-11 14:40 414 --ahs---- C:\WINDOWS\system32\yjufbuil.ini
2008-02-10 13:43 . 2008-02-10 13:43 1,014 --ahs---- C:\WINDOWS\system32\lnwaiioc.ini
2008-02-10 13:40 . 2008-02-10 13:40 954 --ahs---- C:\WINDOWS\system32\daianhmg.ini
2008-02-07 17:49 . 2008-02-10 13:32 894 --ahs---- C:\WINDOWS\system32\hbsbauqx.ini
2008-02-07 17:43 . 2008-02-07 17:44 534 --ahs---- C:\WINDOWS\system32\thwgljjk.ini
2008-02-06 17:47 . 2008-02-07 17:08 474 --ahs---- C:\WINDOWS\system32\xsujhowx.ini
2008-02-06 17:44 . 2008-02-06 17:44 294 --ahs---- C:\WINDOWS\system32\sqchrxka.ini
2008-02-05 17:49 . 2008-02-05 17:49 90,688 --a------ C:\WINDOWS\system32\psqawocv.dll
2008-02-05 17:49 . 2008-02-06 12:37 534 --ahs---- C:\WINDOWS\system32\vcowaqsp.ini
2008-02-05 17:43 . 2008-02-05 17:43 414 --ahs---- C:\WINDOWS\system32\kwgurqqd.ini
2008-02-05 16:43 . 2008-02-05 16:43 354 --ahs---- C:\WINDOWS\system32\vnoarurw.ini
2008-02-05 16:40 . 2008-02-05 16:40 294 --ahs---- C:\WINDOWS\system32\jdedqgcf.ini
2008-02-04 17:33 . 2008-02-04 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-02-04 02:07 . 2008-02-04 02:07 954 --ahs---- C:\WINDOWS\system32\mrpwykou.ini
2008-02-02 14:32 . 2008-02-04 02:04 894 --ahs---- C:\WINDOWS\system32\iupvtvlo.ini
2008-02-02 14:29 . 2008-02-02 14:29 714 --ahs---- C:\WINDOWS\system32\espstvbj.ini
2008-01-31 16:51 . 2008-02-02 14:24 654 --ahs---- C:\WINDOWS\system32\iaprjlxy.ini
2008-01-31 16:48 . 2008-01-31 16:48 474 --ahs---- C:\WINDOWS\system32\xnpgksnb.ini
2008-01-30 16:42 . 2008-01-31 16:40 414 --ahs---- C:\WINDOWS\system32\udnuwneu.ini
2008-01-30 16:39 . 2008-01-30 16:39 294 --ahs---- C:\WINDOWS\system32\okokymtu.ini
2008-01-30 16:08 . 2006-09-11 10:56 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-01-30 16:08 . 2006-12-21 14:18 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-01-30 16:08 . 2003-05-14 21:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-01-30 16:08 . 2004-12-07 09:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-30 15:14 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-01-29 16:43 . 2008-01-30 16:07 2,394 --ahs---- C:\WINDOWS\system32\iiydrsyb.ini
2008-01-29 16:40 . 2008-01-29 16:40 2,154 --ahs---- C:\WINDOWS\system32\larixdkk.ini
2008-01-28 16:21 . 2008-01-29 16:32 2,094 --ahs---- C:\WINDOWS\system32\gxemcyoj.ini
2008-01-28 16:18 . 2008-01-28 16:18 1,974 --ahs---- C:\WINDOWS\system32\cdnfinfn.ini
2008-01-28 15:18 . 2008-01-28 15:18 1,914 --ahs---- C:\WINDOWS\system32\quabetrj.ini
2008-01-28 15:15 . 2008-01-28 15:15 1,854 --ahs---- C:\WINDOWS\system32\jbmurbxy.ini
2008-01-27 00:50 . 2008-01-28 15:09 1,794 --ahs---- C:\WINDOWS\system32\kxonghsx.ini
2008-01-27 00:47 . 2008-01-27 00:47 1,614 --ahs---- C:\WINDOWS\system32\yjrcpqgn.ini
2008-01-25 18:29 . 2008-01-27 00:39 1,554 --ahs---- C:\WINDOWS\system32\cedcaeco.ini
2008-01-25 18:26 . 2008-01-25 18:26 1,314 --ahs---- C:\WINDOWS\system32\estngajk.ini
2008-01-24 17:22 . 2008-01-25 18:16 1,254 --ahs---- C:\WINDOWS\system32\okbmvmaf.ini
2008-01-24 17:17 . 2008-01-24 17:17 954 --ahs---- C:\WINDOWS\system32\isceifuu.ini
2008-01-23 15:57 . 2008-01-24 17:11 894 --ahs---- C:\WINDOWS\system32\ynujbnae.ini
2008-01-23 15:51 . 2008-01-23 15:51 774 --ahs---- C:\WINDOWS\system32\lgofotbi.ini
2008-01-22 15:51 . 2008-01-23 15:51 714 --ahs---- C:\WINDOWS\system32\scnjdlix.ini
2008-01-22 15:48 . 2008-01-22 15:48 594 --ahs---- C:\WINDOWS\system32\nsarpqio.ini
2008-01-21 15:33 . 2008-01-22 15:43 534 --ahs---- C:\WINDOWS\system32\ijunsqge.ini
2008-01-21 15:30 . 2008-01-21 15:30 414 --ahs---- C:\WINDOWS\system32\vjoawyig.ini
2008-01-21 14:27 . 2008-01-21 14:27 354 --ahs---- C:\WINDOWS\system32\eosvhjix.ini
2008-01-21 14:24 . 2008-01-21 14:24 294 --ahs---- C:\WINDOWS\system32\osvfwkoq.ini
2008-01-20 02:02 . 2008-01-21 14:20 1,254 --ahs---- C:\WINDOWS\system32\qiqosxuc.ini
2008-01-20 01:59 . 2008-01-20 01:59 1,074 --ahs---- C:\WINDOWS\system32\eepaywnh.ini
2008-01-18 01:16 . 2008-01-20 01:47 1,014 --ahs---- C:\WINDOWS\system32\isywwrmb.ini
2008-01-18 01:09 . 2008-01-18 01:09 834 --ahs---- C:\WINDOWS\system32\iowroaub.ini
2008-01-16 23:08 . 2008-01-18 01:04 774 --ahs---- C:\WINDOWS\system32\yhvnigxu.ini
2008-01-16 23:02 . 2008-01-16 23:02 534 --ahs---- C:\WINDOWS\system32\smhvwrnx.ini
2008-01-15 23:04 . 2008-01-16 21:23 474 --ahs---- C:\WINDOWS\system32\kxdifinp.ini
2008-01-15 23:01 . 2008-01-15 23:01 294 --ahs---- C:\WINDOWS\system32\aysybjqd.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 01:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 21:47 --------- d-----w C:\Program Files\World of Warcraft
2008-02-10 21:36 --------- d-----w C:\Documents and Settings\Pat\Application Data\LimeWire
2008-01-10 06:58 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-07 10:20 --------- d-----w C:\Program Files\Starcraft
2008-01-02 02:02 --------- d-----w C:\Program Files\QuickTime
2007-12-30 21:44 --------- d-----w C:\Program Files\MSN Messenger
2007-12-30 06:45 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-30 06:42 --------- d-----w C:\Program Files\SpyCatcher
2007-12-30 06:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 03:52 0 ----a-w C:\info.exe
2007-12-28 03:39 --------- d-----w C:\Program Files\RcvSystem
2007-12-24 04:42 --------- d-----w C:\Program Files\BitComet
2007-12-24 04:33 --------- d-----w C:\Program Files\Symantec
2007-12-24 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-19 23:11 --------- d-----w C:\Documents and Settings\Pat\Application Data\Skype
2007-12-19 07:13 --------- d-----w C:\Program Files\AIM6
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\Pat\Application Data\acccore
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-19 07:12 --------- d-----w C:\Program Files\Viewpoint
2007-12-19 07:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-19 07:11 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-19 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
<pre>
----a-w			75,128 2007-12-30 06:37:02  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w			52,896 2007-12-30 06:37:11  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			36,975 2007-12-30 06:36:55  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w			88,024 2007-12-30 06:37:05  C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray .exe
----a-w		 1,694,208 2007-12-30 06:37:36  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2007-12-30 06:37:52  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   286,720 2007-12-30 06:37:09  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   286,720 2007-12-28 03:51:34  C:\Program Files\QuickTime\QTTask .exe
----a-w		   103,864 2007-12-30 06:36:58  C:\Program Files\SpyCatcher\SpyCatcher .exe
----a-w		   125,168 2007-12-30 06:37:15  C:\Program Files\Symantec AntiVirus\VPTray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3f3e706f-c1cd-4c96-bacc-3de2d0a285c5}]
C:\WINDOWS\system32\wkgbsjec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b0d1249-81e3-4732-94f3-ca40fe23fe0e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921}]
C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86F04680-4B73-4A20-A90F-3D7FBA4EDC22}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
C:\Program Files\ISM\BndDrive3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F9E2BE3-766D-4831-BB0E-766D5B819995}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6CB2F6C-A87C-4294-9B51-47FF0DECCC09}]
C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3625c88-4998-4fc5-a638-bbd36c6f26cb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5F1136B-E556-41FA-984A-51DE16692164}]
C:\WINDOWS\system32\geeda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pais"="C:\WINDOWS\system32\PPATCH~1\nslookup.exe" [ ]
"Ohyjlpg"="C:\WINDOWS\M?crosoft.NET\t?skmgr.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [ ]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [ ]
"98323b35"="C:\WINDOWS\system32\anhqvhhe.dll" [ ]
"BM9b0108a9"="C:\WINDOWS\system32\aehgkhhn.dll" [ ]

C:\Documents and Settings\Pat\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-08-21 02:06:15 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-21 02:06:15 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\evenmgr]
evenmgr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggebbc]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 15:33:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-15 15:37:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 23:37:40
.
2008-02-14 02:06:44 --- E O F ---

Now Hijack.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:02 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: {5c582a0d-2ed3-ccab-69c4-dc1cf607e3f3} - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - C:\WINDOWS\system32\wkgbsjec.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - C:\WINDOWS\system32\geeda.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [98323b35] rundll32.exe "C:\WINDOWS\system32\anhqvhhe.dll",b
O4 - HKLM\..\Run: [BM9b0108a9] Rundll32.exe "C:\WINDOWS\system32\aehgkhhn.dll",s
O4 - HKCU\..\Run: [Pais] "C:\WINDOWS\system32\PPATCH~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F5B83F-3533-46F8-9B6C-0D6EB36EBCC4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0C9849-087F-4315-BB0F-8F5F1EBE56D7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E78678BB-0DE1-419A-BBCA-3014E278A8CE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: evenmgr - evenmgr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8823 bytes


Again, you folks here are amazing! Thanks for the fast reply! You're the best.

#4
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
OK, this is going to take several posts from me to clear, including a few with this tool. As well as the Vundo infection which is causing your pop-ups, I can see other malware, including a Purity infection.

Also, I can see that you are running two antivirus programs, Avast and Norton. They will conflict with each other, slow down your machine and provide less protection, not more. However, I suspect this infection has compromised them both, so we will deal with the fact that you have two antivirus programs later.

Also, the infection seems to have got into a fair few programs, so I suspect you will need to reinstall a few once we are done, but we will see.

A question: I can see on your machine a potential DNS server issue, though it may be completely innocent. Do you recognise this address: Freedom Networks LLC, 50 Freemont St., 16 Floor, San Francisco, CA, 94105, US? Is it your ISP or company?

And now to the fix:

====STEP 1====
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\ISM\BndDrive3.dll
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\wkgbsjec.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\wkgbsjec.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\anhqvhhe.dll
C:\WINDOWS\system32\aehgkhhn.dll
C:\WINDOWS\BM9b0108a9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lmivwvmr.ini
C:\WINDOWS\system32\vljomwuy.ini
C:\WINDOWS\system32\uvalpwbn.ini
C:\WINDOWS\system32\tnjnkqeo.ini
C:\WINDOWS\system32\wywigxac.ini
C:\WINDOWS\system32\jmhthjki.ini
C:\WINDOWS\system32\apladkrk.ini
C:\WINDOWS\system32\wbtervqo.ini
C:\WINDOWS\system32\hlixjiym.ini
C:\WINDOWS\system32\opqwfrak.ini
C:\WINDOWS\system32\hnqhljtb.ini
C:\WINDOWS\system32\jatuklyx.ini
C:\WINDOWS\system32\pubnvjkv.ini
C:\WINDOWS\system32\yjufbuil.ini
C:\WINDOWS\system32\lnwaiioc.ini
C:\WINDOWS\system32\daianhmg.ini
C:\WINDOWS\system32\hbsbauqx.ini
C:\WINDOWS\system32\thwgljjk.ini
C:\WINDOWS\system32\xsujhowx.ini
C:\WINDOWS\system32\sqchrxka.ini
C:\WINDOWS\system32\psqawocv.dll
C:\WINDOWS\system32\vcowaqsp.ini
C:\WINDOWS\system32\kwgurqqd.ini
C:\WINDOWS\system32\vnoarurw.ini
C:\WINDOWS\system32\jdedqgcf.ini
C:\WINDOWS\system32\mrpwykou.ini
C:\WINDOWS\system32\iupvtvlo.ini
C:\WINDOWS\system32\espstvbj.ini
C:\WINDOWS\system32\iaprjlxy.ini
C:\WINDOWS\system32\xnpgksnb.ini
C:\WINDOWS\system32\udnuwneu.ini
C:\WINDOWS\system32\okokymtu.ini
C:\WINDOWS\system32\iiydrsyb.ini
C:\WINDOWS\system32\larixdkk.ini
C:\WINDOWS\system32\gxemcyoj.ini
C:\WINDOWS\system32\cdnfinfn.ini
C:\WINDOWS\system32\quabetrj.ini
C:\WINDOWS\system32\jbmurbxy.ini
C:\WINDOWS\system32\kxonghsx.ini
C:\WINDOWS\system32\yjrcpqgn.ini
C:\WINDOWS\system32\cedcaeco.ini
C:\WINDOWS\system32\estngajk.ini
C:\WINDOWS\system32\okbmvmaf.ini
C:\WINDOWS\system32\isceifuu.ini
C:\WINDOWS\system32\ynujbnae.ini
C:\WINDOWS\system32\lgofotbi.ini
C:\WINDOWS\system32\scnjdlix.ini
C:\WINDOWS\system32\nsarpqio.ini
C:\WINDOWS\system32\ijunsqge.ini
C:\WINDOWS\system32\vjoawyig.ini
C:\WINDOWS\system32\eosvhjix.ini
C:\WINDOWS\system32\osvfwkoq.ini
C:\WINDOWS\system32\qiqosxuc.ini
C:\WINDOWS\system32\eepaywnh.ini
C:\WINDOWS\system32\isywwrmb.ini
C:\WINDOWS\system32\iowroaub.ini
C:\WINDOWS\system32\yhvnigxu.ini
C:\WINDOWS\system32\smhvwrnx.ini
C:\WINDOWS\system32\kxdifinp.ini
C:\WINDOWS\system32\aysybjqd.ini

RENV::
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\QuickTime\QTTask     .exe
C:\Program Files\QuickTime\QTTask .exe-
C:\Program Files\SpyCatcher\SpyCatcher .exe
C:\Program Files\Symantec AntiVirus\VPTray .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{A6CB2F6C-A87C-4294-9B51-47FF0DECCC09}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{b3625c88-4998-4fc5-a638-bbd36c6f26cb}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{B5F1136B-E556-41FA-984A-51DE16692164}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{86F04680-4B73-4A20-A90F-3D7FBA4EDC22}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3f3e706f-c1cd-4c96-bacc-3de2d0a285c5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8F9E2BE3-766D-4831-BB0E-766D5B819995}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"98323b35"=-
"BM9b0108a9"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggebbc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\evenmgr]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


In your reply could I see:
1. the answer to the question about Freedom Networks LLC
2. the ComboFix log
3. a new HijackThis log

andrewuk

Edit: put the text to copy in a codebox to keep the formatting correct.

Edited by andrewuk, 15 February 2008 - 07:02 PM.

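The helper's diagnosis above is a set of pattern checks against the HijackThis log (BHOs with no name or a missing DLL, Run values that load random-named DLLs through rundll32, autostart paths with look-alike characters or a space before ".exe", AppInit_DLLs and Winlogon Notify hooks, and NameServer values that need explaining), and the CFScript is the same findings written out in ComboFix's File:: / RENV:: / Registry:: syntax. The script below is an added example that does both steps mechanically; it is not code from the original post, from HijackThis or from ComboFix. The sample lines are copied from the log posted above, the regular expressions and the allowlist of expected DNS servers are my assumptions, the RENV:: section is used the way the helper used it (for the executables renamed with a space before ".exe") without claiming more about its semantics, and the note that 208.67.222.222 and 208.67.220.220 are the public OpenDNS resolvers is a fact not stated on the page; whether the owner configured them is still the question the helper asks.

```python
"""Triage a HijackThis log and draft a ComboFix CFScript from the hits.
Added example for this thread, not code from the post, HijackThis or ComboFix."""
import re
from dataclasses import dataclass, field

# Standard registry locations behind the O2 / O4 / O20 sections.
BHO_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects"
RUN_KEY = {"HKLM": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run",
           "HKCU": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[0-9.,]+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
# Loader shape seen in the log: rundll32 "...\system32\<random letters>.dll",<one-letter export>
RANDOM_DLL_RE = re.compile(
    r'[Rr]undll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\[^",]*\\system32\\[a-z]{5,8}\.dll)"?,\w\b')
# "QTTask .exe": whitespace before the extension, so the Run value names a file that does not exist.
SPACED_EXE_RE = re.compile(r'^"?(?P<path>.*?\s+\.exe)\b', re.IGNORECASE)

# Lines copied from the HijackThis log posted above (an excerpt, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [98323b35] rundll32.exe "C:\WINDOWS\system32\anhqvhhe.dll",b
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: evenmgr - evenmgr.dll (file missing)
"""


@dataclass
class Finding:
    line: str
    reason: str
    files: list = field(default_factory=list)     # paths for the File:: section
    renames: list = field(default_factory=list)   # paths for the RENV:: section
    registry: list = field(default_factory=list)  # (key, value) pairs; value None = delete the key


def triage(log_text, dns_allowlist=()):
    """Return a Finding for each line a helper would question, with the CFScript material for it."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            name, clsid, target = m.group("name", "clsid", "target")
            if name == "(no name)" or target.endswith("(file missing)") or target == "(no file)":
                path = target.replace("(file missing)", "").strip()
                found.append(Finding(line, "BHO with no name or a missing DLL",
                                     files=[path] if path.lower().endswith(".dll") else [],
                                     registry=[(f"-{BHO_KEY}\\{clsid}", None)]))
        elif m := RUN_RE.match(line):
            hive, name, cmd = m.group("hive", "name", "cmd")
            drop = (RUN_KEY[hive], name)  # "name"=- under the hive's Run key
            if d := RANDOM_DLL_RE.search(cmd):
                found.append(Finding(line, "rundll32 loading a random-named system32 DLL",
                                     files=[d.group("dll")], registry=[drop]))
            elif any(ch == "?" or ord(ch) > 126 for ch in cmd):
                # "?" is illegal in a Windows path; the log shows it where a look-alike letter sits.
                found.append(Finding(line, "autostart path with look-alike characters", registry=[drop]))
            elif s := SPACED_EXE_RE.match(cmd):
                found.append(Finding(line, "space before .exe, real program renamed",
                                     renames=[s.group("path")]))
        elif m := NS_RE.match(line):
            unknown = [ip for ip in m.group("servers").split(",") if ip not in dns_allowlist]
            if unknown:
                found.append(Finding(line, "NameServer not in allowlist: " + ", ".join(unknown)))
        elif m := O20_RE.match(line):
            if m.group("kind") == "AppInit_DLLs":
                found.append(Finding(line, "AppInit_DLLs hook, loaded into every process that uses user32"))
            else:
                package = m.group("rest").split(" - ")[0]
                found.append(Finding(line, "Winlogon Notify package",
                                     registry=[(f"-{NOTIFY_KEY}\\{package}", None)]))
    return found


def build_cfscript(findings):
    """Write the sections in the syntax used in the post: [-key] deletes a key, "value"=- a value."""
    files, renames, reg = [], [], {}
    for f in findings:
        files += [p for p in f.files if p not in files]
        renames += [p for p in f.renames if p not in renames]
        for key, value in f.registry:
            values = reg.setdefault(key, [])
            if value is not None and value not in values:
                values.append(value)
    out = []
    if files:
        out += ["File::", *files, ""]
    if renames:
        out += ["RENV::", *renames, ""]
    if reg:
        out.append("Registry::")
        for key, values in reg.items():
            out += [f"[{key}]", *(f'"{v}"=-' for v in values)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, dns_allowlist=("208.67.222.222", "208.67.220.220"))
    for f in hits:
        print(f"{f.reason:60} {f.line}")
    print(build_cfscript(hits))
```

Run it as-is and the Registry:: block comes out grouped by key, with one `"name"=-` line per deleted Run value, exactly as in the helper's script; the AppInit_DLLs line is only reported, because the post does not script its removal and neither does this.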

#5
charles97
    Member
  • Topic Starter
  • 13 posts
OK, about the ISP, I don't know much about ISPs. But I can tell you that I've never been to San Francisco, I don't live in the state of California, and I don't use my computer for a company, only personal work. I've never heard of Freedom Networks LLC. Basically I'm saying, I have no clue how that ISP is attached to my computer.


Now for the ComboFix log:

ComboFix 08-02-14.2 - Pat 2008-02-15 17:09:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1489 [GMT -8:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pat\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\ISM\BndDrive3.dll
C:\WINDOWS\BM9b0108a9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aehgkhhn.dll
C:\WINDOWS\system32\anhqvhhe.dll
C:\WINDOWS\system32\apladkrk.ini
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\aysybjqd.ini
C:\WINDOWS\system32\cdnfinfn.ini
C:\WINDOWS\system32\cedcaeco.ini
C:\WINDOWS\system32\daianhmg.ini
C:\WINDOWS\system32\eepaywnh.ini
C:\WINDOWS\system32\eosvhjix.ini
C:\WINDOWS\system32\espstvbj.ini
C:\WINDOWS\system32\estngajk.ini
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\gxemcyoj.ini
C:\WINDOWS\system32\hbsbauqx.ini
C:\WINDOWS\system32\hlixjiym.ini
C:\WINDOWS\system32\hnqhljtb.ini
C:\WINDOWS\system32\iaprjlxy.ini
C:\WINDOWS\system32\iiydrsyb.ini
C:\WINDOWS\system32\ijunsqge.ini
C:\WINDOWS\system32\iowroaub.ini
C:\WINDOWS\system32\isceifuu.ini
C:\WINDOWS\system32\isywwrmb.ini
C:\WINDOWS\system32\iupvtvlo.ini
C:\WINDOWS\system32\jatuklyx.ini
C:\WINDOWS\system32\jbmurbxy.ini
C:\WINDOWS\system32\jdedqgcf.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jmhthjki.ini
C:\WINDOWS\system32\kwgurqqd.ini
C:\WINDOWS\system32\kxdifinp.ini
C:\WINDOWS\system32\kxonghsx.ini
C:\WINDOWS\system32\larixdkk.ini
C:\WINDOWS\system32\lgofotbi.ini
C:\WINDOWS\system32\lmivwvmr.ini
C:\WINDOWS\system32\lnwaiioc.ini
C:\WINDOWS\system32\mrpwykou.ini
C:\WINDOWS\system32\nsarpqio.ini
C:\WINDOWS\system32\okbmvmaf.ini
C:\WINDOWS\system32\okokymtu.ini
C:\WINDOWS\system32\opqwfrak.ini
C:\WINDOWS\system32\osvfwkoq.ini
C:\WINDOWS\system32\psqawocv.dll
C:\WINDOWS\system32\pubnvjkv.ini
C:\WINDOWS\system32\qiqosxuc.ini
C:\WINDOWS\system32\quabetrj.ini
C:\WINDOWS\system32\scnjdlix.ini
C:\WINDOWS\system32\smhvwrnx.ini
C:\WINDOWS\system32\sqchrxka.ini
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\thwgljjk.ini
C:\WINDOWS\system32\tnjnkqeo.ini
C:\WINDOWS\system32\udnuwneu.ini
C:\WINDOWS\system32\uvalpwbn.ini
C:\WINDOWS\system32\vcowaqsp.ini
C:\WINDOWS\system32\vjoawyig.ini
C:\WINDOWS\system32\vljomwuy.ini
C:\WINDOWS\system32\vnoarurw.ini
C:\WINDOWS\system32\wbtervqo.ini
C:\WINDOWS\system32\wkgbsjec.dll
C:\WINDOWS\system32\wywigxac.ini
C:\WINDOWS\system32\xnpgksnb.ini
C:\WINDOWS\system32\xsujhowx.ini
C:\WINDOWS\system32\yhvnigxu.ini
C:\WINDOWS\system32\yjrcpqgn.ini
C:\WINDOWS\system32\yjufbuil.ini
C:\WINDOWS\system32\ynujbnae.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9b0108a9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apladkrk.ini
C:\WINDOWS\system32\aysybjqd.ini
C:\WINDOWS\system32\cdnfinfn.ini
C:\WINDOWS\system32\cedcaeco.ini
C:\WINDOWS\system32\daianhmg.ini
C:\WINDOWS\system32\eepaywnh.ini
C:\WINDOWS\system32\eosvhjix.ini
C:\WINDOWS\system32\espstvbj.ini
C:\WINDOWS\system32\estngajk.ini
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\gxemcyoj.ini
C:\WINDOWS\system32\hbsbauqx.ini
C:\WINDOWS\system32\hlixjiym.ini
C:\WINDOWS\system32\hnqhljtb.ini
C:\WINDOWS\system32\iaprjlxy.ini
C:\WINDOWS\system32\iiydrsyb.ini
C:\WINDOWS\system32\ijunsqge.ini
C:\WINDOWS\system32\iowroaub.ini
C:\WINDOWS\system32\isceifuu.ini
C:\WINDOWS\system32\isywwrmb.ini
C:\WINDOWS\system32\iupvtvlo.ini
C:\WINDOWS\system32\jatuklyx.ini
C:\WINDOWS\system32\jbmurbxy.ini
C:\WINDOWS\system32\jdedqgcf.ini
C:\WINDOWS\system32\jmhthjki.ini
C:\WINDOWS\system32\kwgurqqd.ini
C:\WINDOWS\system32\kxdifinp.ini
C:\WINDOWS\system32\kxonghsx.ini
C:\WINDOWS\system32\larixdkk.ini
C:\WINDOWS\system32\lgofotbi.ini
C:\WINDOWS\system32\lmivwvmr.ini
C:\WINDOWS\system32\lnwaiioc.ini
C:\WINDOWS\system32\mrpwykou.ini
C:\WINDOWS\system32\nsarpqio.ini
C:\WINDOWS\system32\okbmvmaf.ini
C:\WINDOWS\system32\okokymtu.ini
C:\WINDOWS\system32\opqwfrak.ini
C:\WINDOWS\system32\osvfwkoq.ini
C:\WINDOWS\system32\psqawocv.dll
C:\WINDOWS\system32\pubnvjkv.ini
C:\WINDOWS\system32\qiqosxuc.ini
C:\WINDOWS\system32\quabetrj.ini
C:\WINDOWS\system32\scnjdlix.ini
C:\WINDOWS\system32\smhvwrnx.ini
C:\WINDOWS\system32\sqchrxka.ini
C:\WINDOWS\system32\thwgljjk.ini
C:\WINDOWS\system32\tnjnkqeo.ini
C:\WINDOWS\system32\udnuwneu.ini
C:\WINDOWS\system32\uvalpwbn.ini
C:\WINDOWS\system32\vcowaqsp.ini
C:\WINDOWS\system32\vjoawyig.ini
C:\WINDOWS\system32\vljomwuy.ini
C:\WINDOWS\system32\vnoarurw.ini
C:\WINDOWS\system32\wbtervqo.ini
C:\WINDOWS\system32\wywigxac.ini
C:\WINDOWS\system32\xnpgksnb.ini
C:\WINDOWS\system32\xsujhowx.ini
C:\WINDOWS\system32\yhvnigxu.ini
C:\WINDOWS\system32\yjrcpqgn.ini
C:\WINDOWS\system32\yjufbuil.ini
C:\WINDOWS\system32\ynujbnae.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 14:46 . 2008-02-15 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-13 22:46 . 2008-02-15 14:46 <DIR> d-------- C:\VundoFix Backups
2008-02-13 17:08 . 2008-02-13 17:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-13 17:08 . 2008-02-13 17:08 3,442 --a------ C:\WINDOWS\unins000.dat
2008-02-04 17:33 . 2008-02-04 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-30 16:08 . 2006-09-11 10:56 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-01-30 16:08 . 2006-12-21 14:18 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-01-30 16:08 . 2003-05-14 21:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-01-30 16:08 . 2004-12-07 09:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-30 15:14 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 01:11 --------- d-----w C:\Program Files\MSN Messenger
2008-02-16 01:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-16 01:09 --------- d-----w C:\Program Files\SpyCatcher
2008-02-16 01:09 --------- d-----w C:\Program Files\QuickTime
2008-02-16 01:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-14 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 01:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 21:47 --------- d-----w C:\Program Files\World of Warcraft
2008-02-10 21:36 --------- d-----w C:\Documents and Settings\Pat\Application Data\LimeWire
2008-01-10 06:58 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-07 10:20 --------- d-----w C:\Program Files\Starcraft
2007-12-28 03:52 0 ----a-w C:\info.exe
2007-12-28 03:39 --------- d-----w C:\Program Files\RcvSystem
2007-12-24 04:42 --------- d-----w C:\Program Files\BitComet
2007-12-24 04:33 --------- d-----w C:\Program Files\Symantec
2007-12-24 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-19 23:11 --------- d-----w C:\Documents and Settings\Pat\Application Data\Skype
2007-12-19 07:13 --------- d-----w C:\Program Files\AIM6
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\Pat\Application Data\acccore
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-19 07:12 --------- d-----w C:\Program Files\Viewpoint
2007-12-19 07:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-19 07:11 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-19 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
----a-w		   286,720 2007-12-30 06:37:09  C:\Program Files\QuickTime\QTTask	 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3f3e706f-c1cd-4c96-bacc-3de2d0a285c5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86F04680-4B73-4A20-A90F-3D7FBA4EDC22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6CB2F6C-A87C-4294-9B51-47FF0DECCC09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3625c88-4998-4fc5-a638-bbd36c6f26cb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5F1136B-E556-41FA-984A-51DE16692164}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pais"="C:\WINDOWS\system32\PPATCH~1\nslookup.exe" [ ]
"Ohyjlpg"="C:\WINDOWS\M?crosoft.NET\t?skmgr.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-12-29 22:37 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 22:37 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2007-12-29 22:36 36975]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-12-29 22:36 103864]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-29 22:37 75128]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-12-29 22:37 88024]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-29 22:37 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-29 22:37 125168]

C:\Documents and Settings\Pat\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-08-21 02:06:15 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-21 02:06:15 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\evenmgr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 17:12:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
.
**************************************************************************
.
Completion time: 2008-02-15 17:17:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 01:17:18
ComboFix2.txt 2008-02-15 23:37:44
.
2008-02-14 02:06:44 --- E O F ---


And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:40 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Pais] "C:\WINDOWS\system32\PPATCH~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F5B83F-3533-46F8-9B6C-0D6EB36EBCC4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0C9849-087F-4315-BB0F-8F5F1EBE56D7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E78678BB-0DE1-419A-BBCA-3014E278A8CE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8125 bytes




Charles
  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

OK, about the ISP, I don't know much about ISPs. But I can tell you that I've never been to San Francisco, I don't live in the state of California, and I don't use my computer for a company, only personal work. I've never heard of Freedom Networks LLC. Basically I'm saying I have no clue how that ISP is attached to my computer.

OK, we will deal with that later.

There is a file on your machine, C:\info.exe. Do you know what it is?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RENV::
C:\Program Files\QuickTime\QTTask .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3f3e706f-c1cd-4c96-bacc-3de2d0a285c5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86F04680-4B73-4A20-A90F-3D7FBA4EDC22}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6CB2F6C-A87C-4294-9B51-47FF0DECCC09}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3625c88-4998-4fc5-a638-bbd36c6f26cb}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5F1136B-E556-41FA-984A-51DE16692164}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


In your next reply could I see:
1. the combofix log
2. a new hijackthis log
3. any idea what c:\info.exe is

andrewuk
  • 0

#7
charles97

charles97

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboBreaker

ComboFix 08-02-14.2 - Pat 2008-02-15 17:47:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1401 [GMT -8:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pat\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 17:44 . 2008-02-15 17:44 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 14:46 . 2008-02-15 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-13 22:46 . 2008-02-15 14:46 <DIR> d-------- C:\VundoFix Backups
2008-02-13 17:08 . 2008-02-13 17:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-13 17:08 . 2008-02-13 17:08 3,442 --a------ C:\WINDOWS\unins000.dat
2008-02-04 17:33 . 2008-02-04 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-30 16:08 . 2006-09-11 10:56 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-01-30 16:08 . 2006-12-21 14:18 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-01-30 16:08 . 2003-05-14 21:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-01-30 16:08 . 2004-12-07 09:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-30 15:14 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 01:47 --------- d-----w C:\Program Files\QuickTime
2008-02-16 01:11 --------- d-----w C:\Program Files\MSN Messenger
2008-02-16 01:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-16 01:09 --------- d-----w C:\Program Files\SpyCatcher
2008-02-16 01:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-14 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 01:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 21:47 --------- d-----w C:\Program Files\World of Warcraft
2008-02-10 21:36 --------- d-----w C:\Documents and Settings\Pat\Application Data\LimeWire
2008-01-10 06:58 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-07 10:20 --------- d-----w C:\Program Files\Starcraft
2007-12-28 03:52 0 ----a-w C:\info.exe
2007-12-28 03:39 --------- d-----w C:\Program Files\RcvSystem
2007-12-24 04:42 --------- d-----w C:\Program Files\BitComet
2007-12-24 04:33 --------- d-----w C:\Program Files\Symantec
2007-12-24 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-19 23:11 --------- d-----w C:\Documents and Settings\Pat\Application Data\Skype
2007-12-19 07:13 --------- d-----w C:\Program Files\AIM6
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\Pat\Application Data\acccore
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-19 07:12 --------- d-----w C:\Program Files\Viewpoint
2007-12-19 07:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-19 07:11 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-19 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pais"="C:\WINDOWS\system32\PPATCH~1\nslookup.exe" [ ]
"Ohyjlpg"="C:\WINDOWS\M?crosoft.NET\t?skmgr.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 07:20 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-12-29 22:37 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 22:37 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2007-12-29 22:36 36975]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-12-29 22:36 103864]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-29 22:37 75128]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-12-29 22:37 88024]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-29 22:37 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-29 22:37 125168]

C:\Documents and Settings\Pat\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-08-21 02:06:15 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-21 02:06:15 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 17:48:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-15 17:48:50
ComboFix-quarantined-files.txt 2008-02-16 01:48:36
ComboFix2.txt 2008-02-16 01:17:22
ComboFix3.txt 2008-02-15 23:37:44
.
2008-02-14 02:06:44 --- E O F ---





Hijackthis




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:08 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - (no file)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Pais] "C:\WINDOWS\system32\PPATCH~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F5B83F-3533-46F8-9B6C-0D6EB36EBCC4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0C9849-087F-4315-BB0F-8F5F1EBE56D7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E78678BB-0DE1-419A-BBCA-3014E278A8CE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: evenmgr - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8640 bytes





And info.exe, I have no idea what that is. It says the file size is 0 KB, if that matters. I did not want to click it to run it. If you want me to run it, let me know, but I don't know what it is for. Could be good, could be bad, I have no idea.

Charles
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

And info.exe, I have no idea what that is. It says the file size is 0 KB, if that matters. I did not want to click it to run it. If you want me to run it, let me know, but I don't know what it is for. Could be good, could be bad, I have no idea.

We will deal with that later.

In this post we will gather more information on the Purity infection and tackle most of the rest of the malware.

We will also remove that DNS entry, so you may need to reset your DNS by checking "Obtain DNS server address automatically": Start >>> Control Panel >>> Network Connections >>> right-click your active/default connection and select Properties >>> select the Networking tab >>> highlight Internet Protocol (TCP/IP) >>> Properties >>> then check "Obtain an IP address automatically" and "Obtain DNS server address automatically".

====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - (no file)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - (no file)
O4 - HKCU\..\Run: [Pais] "C:\WINDOWS\system32\PPATCH~1\nslookup.exe" -vt yazb

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F5B83F-3533-46F8-9B6C-0D6EB36EBCC4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0C9849-087F-4315-BB0F-8F5F1EBE56D7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E78678BB-0DE1-419A-BBCA-3014E278A8CE}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D235DC6-9AD6-4E21-A958-ECB15B5B7CB0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: evenmgr - C:\WINDOWS\

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
Copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go to "File > Save As" and change the "Save as type" drop-down to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\M?crosoft.NET\t?skmgr.exe /a h > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.



In your next reply could I see:
1. the findfile.bat text
2. a new hijackthis log

andrewuk
  • 0
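A practitioner triaging logs like the ones above usually wants the patterns the helper picked out by eye (orphaned BHO CLSIDs, a system binary such as nslookup.exe started from an odd subdirectory, a look-alike path that HijackThis prints with "?", a file name with a space before ".exe", a non-empty AppInit_DLLs, a Winlogon Notify entry with no DLL, a resolver nobody configured) caught mechanically. The script below is an added example written for this page; it is not HijackThis code and not anything posted in the thread. The sample lines are copied from the logs above, while the resolver allowlist, the list of system directories and the binary names it checks are the example's own assumptions (in this thread the helper chose to remove the 208.67.x.x entries and let DHCP assign the resolver, so whether an address belongs on such a list is the machine owner's call).

```python
"""Triage heuristics for HijackThis log lines.

Added example for this thread; it is not a tool from the original posts and
HijackThis has no such logic of its own. The sample lines are copied from
the logs posted above. TRUSTED_NAMESERVERS, SYSTEM_DIRS and SYSTEM_BINARIES
are the editor's assumptions for the example, not facts from the thread.
"""
import re
import string

# Resolvers the machine's owner is known to have configured (assumption).
TRUSTED_NAMESERVERS = {"208.67.220.220", "208.67.222.222"}

# Directories from which well-known Windows binaries are expected to run,
# and the binary names worth checking (assumption; extend as needed).
SYSTEM_DIRS = {"C:\\WINDOWS\\", "C:\\WINDOWS\\SYSTEM32\\"}
SYSTEM_BINARIES = {"nslookup.exe", "taskmgr.exe", "svchost.exe"}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in a loadable-module extension, quoted or not.
WIN_PATH = re.compile(r'"?([A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|ocx|sys))\b', re.IGNORECASE)


def _path_findings(path):
    """Checks that apply to any file path found in an entry."""
    findings = []
    directory, _, name = path.rpartition("\\")
    # HijackThis prints characters outside the local code page as '?', and
    # '?' is never legal in a real Windows path, so a '?' inside a component
    # means a look-alike name built from non-ASCII characters
    # (Purity-style "M?crosoft.NET\t?skmgr.exe").
    if "?" in path or any(ch not in string.printable for ch in path):
        findings.append("look-alike or non-ASCII characters in path")
    # "QTTask .exe" is a different file from "QTTask.exe": whitespace before
    # the extension is a cheap way to shadow a legitimate program name.
    if re.search(r"\s\.[A-Za-z0-9]+$", name):
        findings.append("whitespace before file extension")
    # A well-known system binary name started from somewhere other than the
    # system directories (here nslookup.exe under system32\PPATCH~1).
    if name.lower() in SYSTEM_BINARIES and (directory.upper() + "\\") not in SYSTEM_DIRS:
        findings.append("system binary name started from a non-system directory: " + name)
    return findings


def triage(line):
    """Return the list of findings for one HijackThis line (empty if clean)."""
    match = HJT_LINE.match(line.strip())
    if not match:
        return []
    section, body = match.groups()
    findings = []
    # O2: a BHO CLSID still registered although its DLL is gone. Harmless on
    # its own, but it shows something was installed and only partly removed.
    if section == "O2" and body.endswith("(no file)"):
        findings.append("orphaned BHO registration (CLSID with no DLL on disk)")
    # O17: a resolver the owner did not configure sees every DNS lookup.
    if section == "O17" and "NameServer = " in body:
        servers = body.split("NameServer = ", 1)[1].split(",")
        unknown = [s.strip() for s in servers if s.strip() not in TRUSTED_NAMESERVERS]
        if unknown:
            findings.append("unrecognised DNS server(s): " + ", ".join(unknown))
    # O20: AppInit_DLLs is loaded into every process that links user32.dll;
    # a Winlogon Notify package without a DLL path is a broken or hidden hook.
    if section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append("AppInit_DLLs set: DLL injected into every user32 process")
        if body.startswith("Winlogon Notify:") and not WIN_PATH.search(body):
            findings.append("Winlogon Notify entry without a DLL file")
    for path in WIN_PATH.findall(body):
        findings.extend(_path_findings(path))
    return findings


def triage_log(lines):
    """Return [(line, findings)] for the lines that produced any finding."""
    result = []
    for line in lines:
        findings = triage(line)
        if findings:
            result.append((line, findings))
    return result


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r'O4 - HKCU\..\Run: [Pais] "C:\WINDOWS\system32\PPATCH~1\nslookup.exe" -vt yazb',
    r"O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
    r"O20 - AppInit_DLLs: secuload.dll",
    "O20 - Winlogon Notify: evenmgr - C:\\WINDOWS\\",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE",
]

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LINES):
        print(line)
        for finding in findings:
            print("    ->", finding)
```

Run it directly to print the flagged sample lines, or feed it a whole log with `triage_log(open(path).read().splitlines())`. The rules are deliberately conservative: a hit is a prompt to look at the file on disk (size, signature, creation time), not a verdict, and a clean result says nothing about entries the rules do not cover.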

#9
charles97

charles97

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
When I opened findfile.bat after saving it to my desktop, the Notepad window was blank. Is this an error, or correct?


And the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:10 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6922 bytes




Charles
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

When I opened findfile.bat after saving it to my desktop, the Notepad window was blank. Is this an error, or correct?

Did you double-click on findfile.bat? If you do, it should open Notepad in a second or two. The idea is that findfile.bat is a small program to run which produces a Notepad window with information for you to post.

I can still see some of the old infection, so we will take a closer look, and we will take this opportunity to update your Java.


====STEP 1====
Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" c:\postme.txt


3. Save the above as findme.bat to your desktop

4. on your desktop, double click on findme.bat.

a window will open and close, this is normal.

5. locate the file c:\postme.txt on your C Drive, and attach the file to your next reply i.e. do not paste the contents, but attach the file



In your next reply could I see:
1. the contents of the notepad produced by the findfile.bat program
2. the postme file
3. a new hijackthis log

andrewuk

#11
charles97

    Member

  • Topic Starter
  • Member
  • 13 posts
Again, the findfile.bat is not working. I followed the directions exactly. The black box in the background says there is an error in locating the file. Here is the entire context in that box


C:\Documents and Settings\Pat\Desktop>dir C:\WINDOWS\M?crosoft.NET\t?skmgr.exe /
a h 1>files.txt
The filename, directory name, or volume label syntax is incorrect.

C:\Documents and Settings\Pat\Desktop>notepad files.txt




I attached the postme as specified


Here's the Hijack




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:19 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - (no file)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: evenmgr - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7874 bytes



Charles


#12
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will try and find/clear that PurityScan file C:\WINDOWS\M?crosoft.NET\t?skmgr.exe, clear out the final part of the popup infection and do an online scan to see if there are any remaining infections lurking on your machine. We will also get a list of your add/install programs.

The entire instructions will probably take over 2 hours, though the vast majority of this will be the scanning.

====STEP 1====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

(make sure there are 4 spaces between the "QTTask" and the ".exe")

RENV::
C:\Program Files\QuickTime\QTTask	.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3f3e706f-c1cd-4c96-bacc-3de2d0a285c5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{86F04680-4B73-4A20-A90F-3D7FBA4EDC22}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{A6CB2F6C-A87C-4294-9B51-47FF0DECCC09}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{b3625c88-4998-4fc5-a638-bbd36c6f26cb}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{B5F1136B-E556-41FA-984A-51DE16692164}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ohyjlpg"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt


====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

====STEP 4====
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


In your next reply could I see:
1. the SUPERAntiSpyware log
2. the ComboFix log
3. the Kaspersky scan report
4. the uninstall list
5. a new HijackThis log

There will be a lot of information to post, hence to ensure it is all posted you may need to post over more than one reply.

andrewuk
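The HijackThis log in post #11 and the CFScript in post #12 together show what the helper is pattern-matching on: O2 BHO entries whose DLL no longer exists ("(no file)"), an O4 Run entry whose path contains characters HijackThis prints as "?", and a program name with a space before its extension ("QTTask .exe"). The Python script below is an added example written for this page, not a tool from the thread, from Trend Micro or from the helper. It applies those three checks to a constructed sample modelled on the posted log and maps each hit to the registry key the CFScript edits; the regular expressions, finding names and the sample lines are my own.

```python
import re

# Constructed sample modelled on the HijackThis log posted in this thread
# (abbreviated; a real log has many more lines and sections).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKCU\..\Run: [Ohyjlpg] C:\WINDOWS\M?crosoft.NET\t?skmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Line formats HijackThis uses for browser helper objects (O2) and Run keys (O4).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

# Registry locations behind those lines (the same keys the CFScript in post #12 edits).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def executable_of(cmd):
    """Return the program path from an O4 command line: the quoted part when
    the path is quoted, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Apply the three checks from the thread to O2/O4 lines; return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append({
                    "kind": "orphaned_bho",
                    "where": BHO_KEY + "\\{" + m.group("clsid") + "}",
                    "why": "CLSID is still registered as a BHO but its DLL is gone",
                })
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        where = RUN_KEY[m.group("hive")] + "\\" + m.group("value")
        if "?" in exe:
            # HijackThis prints "?" for a character it cannot render; cmd treats "?"
            # as a wildcard, which is why a plain dir on the printed path fails.
            findings.append({"kind": "unrenderable_char_in_path", "where": where,
                             "why": "path as printed cannot be resolved: " + exe})
        if re.search(r"\s\.[A-Za-z0-9]+$", exe):
            # "QTTask .exe" is not the real program name "QTTask.exe".
            findings.append({"kind": "space_before_extension", "where": where,
                             "why": "program name has whitespace before its extension: " + exe})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "|", f["where"], "|", f["why"])
```

Running it on the sample prints four findings: the two orphaned BHO CLSIDs under the Browser Helper Objects key, the QuickTime Run value with the malformed name, and the HKCU "Ohyjlpg" value whose path cannot be located with a plain dir. The point for a reader is that the triage is mechanical and checkable: a BHO marked "(no file)" loads nothing, so removing its key is safe, while a Run entry whose printed path will not resolve is the one that deserves the closer look the helper asks for before anything is deleted.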

#13
charles97

    Member

  • Topic Starter
  • Member
  • 13 posts
OK, took a while to do all that, we got there though.


SUPERAntiSpyware Report



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/16/2008 at 01:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3404
Trace Rules Database Version: 1396

Scan type : Complete Scan
Total Scan Time : 00:27:30

Memory items scanned : 505
Memory threats detected : 0
Registry items scanned : 4038
Registry threats detected : 168
File items scanned : 28466
File threats detected : 248

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{09AED905-7241-4F5D-A6D5-17C3EC445178}
HKCR\CLSID\{09AED905-7241-4F5D-A6D5-17C3EC445178}
HKCR\CLSID\{09AED905-7241-4F5D-A6D5-17C3EC445178}\InprocServer32
HKCR\CLSID\{09AED905-7241-4F5D-A6D5-17C3EC445178}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDA.DLL
HKLM\Software\Classes\CLSID\{0D1A75BC-DC72-4C03-84D7-47086BCAD6F3}
HKCR\CLSID\{0D1A75BC-DC72-4C03-84D7-47086BCAD6F3}
HKCR\CLSID\{0D1A75BC-DC72-4C03-84D7-47086BCAD6F3}\InprocServer32
HKCR\CLSID\{0D1A75BC-DC72-4C03-84D7-47086BCAD6F3}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{0DC961A2-8566-410D-AA6C-920C98AD2D5D}
HKCR\CLSID\{0DC961A2-8566-410D-AA6C-920C98AD2D5D}
HKCR\CLSID\{0DC961A2-8566-410D-AA6C-920C98AD2D5D}\InprocServer32
HKCR\CLSID\{0DC961A2-8566-410D-AA6C-920C98AD2D5D}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{10A9CB94-EE35-4853-9E6F-4D0FF91776D2}
HKCR\CLSID\{10A9CB94-EE35-4853-9E6F-4D0FF91776D2}
HKCR\CLSID\{10A9CB94-EE35-4853-9E6F-4D0FF91776D2}\InprocServer32
HKCR\CLSID\{10A9CB94-EE35-4853-9E6F-4D0FF91776D2}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1A196359-D84A-4A27-AA57-ECA4FC550F58}
HKCR\CLSID\{1A196359-D84A-4A27-AA57-ECA4FC550F58}
HKCR\CLSID\{1A196359-D84A-4A27-AA57-ECA4FC550F58}\InprocServer32
HKCR\CLSID\{1A196359-D84A-4A27-AA57-ECA4FC550F58}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{1DC88ECD-C2BB-4F9C-9B4A-79C28A2B98AE}
HKCR\CLSID\{1DC88ECD-C2BB-4F9C-9B4A-79C28A2B98AE}
HKCR\CLSID\{1DC88ECD-C2BB-4F9C-9B4A-79C28A2B98AE}\InprocServer32
HKCR\CLSID\{1DC88ECD-C2BB-4F9C-9B4A-79C28A2B98AE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{28849629-4D97-4B60-989F-34DECD5FB0B8}
HKCR\CLSID\{28849629-4D97-4B60-989F-34DECD5FB0B8}
HKCR\CLSID\{28849629-4D97-4B60-989F-34DECD5FB0B8}\InprocServer32
HKCR\CLSID\{28849629-4D97-4B60-989F-34DECD5FB0B8}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{2EEB281E-1816-4E30-9076-AB2E7459EF4C}
HKCR\CLSID\{2EEB281E-1816-4E30-9076-AB2E7459EF4C}
HKCR\CLSID\{2EEB281E-1816-4E30-9076-AB2E7459EF4C}\InprocServer32
HKCR\CLSID\{2EEB281E-1816-4E30-9076-AB2E7459EF4C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{46FAA16B-64AA-4B8A-B0E4-845ABABF9DBA}
HKCR\CLSID\{46FAA16B-64AA-4B8A-B0E4-845ABABF9DBA}
HKCR\CLSID\{46FAA16B-64AA-4B8A-B0E4-845ABABF9DBA}\InprocServer32
HKCR\CLSID\{46FAA16B-64AA-4B8A-B0E4-845ABABF9DBA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4ED06F81-67E4-448E-BF84-64BC5CEAA7A4}
HKCR\CLSID\{4ED06F81-67E4-448E-BF84-64BC5CEAA7A4}
HKCR\CLSID\{4ED06F81-67E4-448E-BF84-64BC5CEAA7A4}\InprocServer32
HKCR\CLSID\{4ED06F81-67E4-448E-BF84-64BC5CEAA7A4}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4F14857D-6446-4859-9E3E-5F650EDEC28E}
HKCR\CLSID\{4F14857D-6446-4859-9E3E-5F650EDEC28E}
HKCR\CLSID\{4F14857D-6446-4859-9E3E-5F650EDEC28E}\InprocServer32
HKCR\CLSID\{4F14857D-6446-4859-9E3E-5F650EDEC28E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5102E64C-0059-41A7-94D7-0BE45E574C4B}
HKCR\CLSID\{5102E64C-0059-41A7-94D7-0BE45E574C4B}
HKCR\CLSID\{5102E64C-0059-41A7-94D7-0BE45E574C4B}\InprocServer32
HKCR\CLSID\{5102E64C-0059-41A7-94D7-0BE45E574C4B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{54D891DA-FF56-49D8-B4F3-6FF214DC189E}
HKCR\CLSID\{54D891DA-FF56-49D8-B4F3-6FF214DC189E}
HKCR\CLSID\{54D891DA-FF56-49D8-B4F3-6FF214DC189E}\InprocServer32
HKCR\CLSID\{54D891DA-FF56-49D8-B4F3-6FF214DC189E}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{56FC09D7-7C4E-42D7-9FBF-53E1D41896C4}
HKCR\CLSID\{56FC09D7-7C4E-42D7-9FBF-53E1D41896C4}
HKCR\CLSID\{56FC09D7-7C4E-42D7-9FBF-53E1D41896C4}\InprocServer32
HKCR\CLSID\{56FC09D7-7C4E-42D7-9FBF-53E1D41896C4}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{5AC33DCA-054D-4BD5-ABE3-AC55F0F19453}
HKCR\CLSID\{5AC33DCA-054D-4BD5-ABE3-AC55F0F19453}
HKCR\CLSID\{5AC33DCA-054D-4BD5-ABE3-AC55F0F19453}\InprocServer32
HKCR\CLSID\{5AC33DCA-054D-4BD5-ABE3-AC55F0F19453}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{623FC868-0810-4195-98E1-B70018078AFA}
HKCR\CLSID\{623FC868-0810-4195-98E1-B70018078AFA}
HKCR\CLSID\{623FC868-0810-4195-98E1-B70018078AFA}\InprocServer32
HKCR\CLSID\{623FC868-0810-4195-98E1-B70018078AFA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{65211F90-0E6E-4F2C-9C26-85F5B47E6F2E}
HKCR\CLSID\{65211F90-0E6E-4F2C-9C26-85F5B47E6F2E}
HKCR\CLSID\{65211F90-0E6E-4F2C-9C26-85F5B47E6F2E}\InprocServer32
HKCR\CLSID\{65211F90-0E6E-4F2C-9C26-85F5B47E6F2E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQQ.DLL
HKLM\Software\Classes\CLSID\{69C57F44-EA81-4C52-A5B8-9CA85A2C31F1}
HKCR\CLSID\{69C57F44-EA81-4C52-A5B8-9CA85A2C31F1}
HKCR\CLSID\{69C57F44-EA81-4C52-A5B8-9CA85A2C31F1}\InprocServer32
HKCR\CLSID\{69C57F44-EA81-4C52-A5B8-9CA85A2C31F1}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{6AB6709F-F0F9-4376-B288-51ABE5009ACD}
HKCR\CLSID\{6AB6709F-F0F9-4376-B288-51ABE5009ACD}
HKCR\CLSID\{6AB6709F-F0F9-4376-B288-51ABE5009ACD}\InprocServer32
HKCR\CLSID\{6AB6709F-F0F9-4376-B288-51ABE5009ACD}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7884D0D9-12BE-420C-AB09-A3F451A93647}
HKCR\CLSID\{7884D0D9-12BE-420C-AB09-A3F451A93647}
HKCR\CLSID\{7884D0D9-12BE-420C-AB09-A3F451A93647}\InprocServer32
HKCR\CLSID\{7884D0D9-12BE-420C-AB09-A3F451A93647}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{85D68BB1-4F5E-4683-B997-67620A665028}
HKCR\CLSID\{85D68BB1-4F5E-4683-B997-67620A665028}
HKCR\CLSID\{85D68BB1-4F5E-4683-B997-67620A665028}\InprocServer32
HKCR\CLSID\{85D68BB1-4F5E-4683-B997-67620A665028}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{973EAAFE-39ED-40CF-B9AA-2B650D568E54}
HKCR\CLSID\{973EAAFE-39ED-40CF-B9AA-2B650D568E54}
HKCR\CLSID\{973EAAFE-39ED-40CF-B9AA-2B650D568E54}\InprocServer32
HKCR\CLSID\{973EAAFE-39ED-40CF-B9AA-2B650D568E54}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{9B1BFEB8-E8F6-4464-B65F-DF94E9EE7738}
HKCR\CLSID\{9B1BFEB8-E8F6-4464-B65F-DF94E9EE7738}
HKCR\CLSID\{9B1BFEB8-E8F6-4464-B65F-DF94E9EE7738}\InprocServer32
HKCR\CLSID\{9B1BFEB8-E8F6-4464-B65F-DF94E9EE7738}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{9D1BD279-DCEE-43B3-9C98-15666338CDAD}
HKCR\CLSID\{9D1BD279-DCEE-43B3-9C98-15666338CDAD}
HKCR\CLSID\{9D1BD279-DCEE-43B3-9C98-15666338CDAD}\InprocServer32
HKCR\CLSID\{9D1BD279-DCEE-43B3-9C98-15666338CDAD}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A1AD7F4F-4285-4BA9-84C9-ED517AB73DD4}
HKCR\CLSID\{A1AD7F4F-4285-4BA9-84C9-ED517AB73DD4}
HKCR\CLSID\{A1AD7F4F-4285-4BA9-84C9-ED517AB73DD4}\InprocServer32
HKCR\CLSID\{A1AD7F4F-4285-4BA9-84C9-ED517AB73DD4}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A27EC9F5-E3B9-43EF-B30E-BC3B04FDE94B}
HKCR\CLSID\{A27EC9F5-E3B9-43EF-B30E-BC3B04FDE94B}
HKCR\CLSID\{A27EC9F5-E3B9-43EF-B30E-BC3B04FDE94B}\InprocServer32
HKCR\CLSID\{A27EC9F5-E3B9-43EF-B30E-BC3B04FDE94B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{B008C1F9-B9B6-4469-82A5-86C47B858843}
HKCR\CLSID\{B008C1F9-B9B6-4469-82A5-86C47B858843}
HKCR\CLSID\{B008C1F9-B9B6-4469-82A5-86C47B858843}\InprocServer32
HKCR\CLSID\{B008C1F9-B9B6-4469-82A5-86C47B858843}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{C41A44E2-9813-4E8B-9EFA-8C19ED6FED7B}
HKCR\CLSID\{C41A44E2-9813-4E8B-9EFA-8C19ED6FED7B}
HKCR\CLSID\{C41A44E2-9813-4E8B-9EFA-8C19ED6FED7B}\InprocServer32
HKCR\CLSID\{C41A44E2-9813-4E8B-9EFA-8C19ED6FED7B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{C8502F78-F6FF-49D1-A2DF-429B775E414B}
HKCR\CLSID\{C8502F78-F6FF-49D1-A2DF-429B775E414B}
HKCR\CLSID\{C8502F78-F6FF-49D1-A2DF-429B775E414B}\InprocServer32
HKCR\CLSID\{C8502F78-F6FF-49D1-A2DF-429B775E414B}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{D63F0156-747A-4093-BFD3-71229D96348C}
HKCR\CLSID\{D63F0156-747A-4093-BFD3-71229D96348C}
HKCR\CLSID\{D63F0156-747A-4093-BFD3-71229D96348C}\InprocServer32
HKCR\CLSID\{D63F0156-747A-4093-BFD3-71229D96348C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{D8579DC0-08AF-4C16-B81A-81E801956B74}
HKCR\CLSID\{D8579DC0-08AF-4C16-B81A-81E801956B74}
HKCR\CLSID\{D8579DC0-08AF-4C16-B81A-81E801956B74}\InprocServer32
HKCR\CLSID\{D8579DC0-08AF-4C16-B81A-81E801956B74}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{DFBBE4EE-F3C7-4108-9110-86057DAE05DD}
HKCR\CLSID\{DFBBE4EE-F3C7-4108-9110-86057DAE05DD}
HKCR\CLSID\{DFBBE4EE-F3C7-4108-9110-86057DAE05DD}\InprocServer32
HKCR\CLSID\{DFBBE4EE-F3C7-4108-9110-86057DAE05DD}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{E19BAB6A-834B-4330-AB22-2791989BF549}
HKCR\CLSID\{E19BAB6A-834B-4330-AB22-2791989BF549}
HKCR\CLSID\{E19BAB6A-834B-4330-AB22-2791989BF549}\InprocServer32
HKCR\CLSID\{E19BAB6A-834B-4330-AB22-2791989BF549}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{E9C2E4F4-112F-4357-B6B1-4ACFF6A4272A}
HKCR\CLSID\{E9C2E4F4-112F-4357-B6B1-4ACFF6A4272A}
HKCR\CLSID\{E9C2E4F4-112F-4357-B6B1-4ACFF6A4272A}\InprocServer32
HKCR\CLSID\{E9C2E4F4-112F-4357-B6B1-4ACFF6A4272A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{EE4C9C93-4A0D-472C-AFE1-B4DB4EAB14EA}
HKCR\CLSID\{EE4C9C93-4A0D-472C-AFE1-B4DB4EAB14EA}
HKCR\CLSID\{EE4C9C93-4A0D-472C-AFE1-B4DB4EAB14EA}\InprocServer32
HKCR\CLSID\{EE4C9C93-4A0D-472C-AFE1-B4DB4EAB14EA}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{F0264302-D54F-4359-A8A7-D341032239A5}
HKCR\CLSID\{F0264302-D54F-4359-A8A7-D341032239A5}
HKCR\CLSID\{F0264302-D54F-4359-A8A7-D341032239A5}\InprocServer32
HKCR\CLSID\{F0264302-D54F-4359-A8A7-D341032239A5}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{F87176CE-2A4B-4C40-9336-8C519C0897FE}
HKCR\CLSID\{F87176CE-2A4B-4C40-9336-8C519C0897FE}
HKCR\CLSID\{F87176CE-2A4B-4C40-9336-8C519C0897FE}\InprocServer32
HKCR\CLSID\{F87176CE-2A4B-4C40-9336-8C519C0897FE}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{F8EB5C79-F751-4335-89D4-052B7583EC19}
HKCR\CLSID\{F8EB5C79-F751-4335-89D4-052B7583EC19}
HKCR\CLSID\{F8EB5C79-F751-4335-89D4-052B7583EC19}\InprocServer32
HKCR\CLSID\{F8EB5C79-F751-4335-89D4-052B7583EC19}\InprocServer32#ThreadingModel
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0057283.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0057284.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072094.DLL
C:\VUNDOFIX BACKUPS\HGGEBBC.DLL.BAD

Adware.AdSponsor/ISM
HKLM\Software\Classes\CLSID\{12DA1BC4-5384-42fd-A119-3C99D2D146A2}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}#AppID
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\Implemented Categories
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\InprocServer32
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\InprocServer32#ThreadingModel
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\ProgID
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\TypeLib
HKCR\CLSID\{12DA1BC4-5384-42FD-A119-3C99D2D146A2}\VersionIndependentProgID
C:\PROGRAM FILES\ISM\BNDDRIVE3.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B27CC68-110C-46a9-80D3-F3107DE6EB98}
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{12DA1BC4-5384-42fd-A119-3C99D2D146A2}
HKU\S-1-5-21-515967899-1972579041-725345543-1003\Software\QdrModule
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRDRIVE\QDRDRIVE9.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRMODULE\QDRMODULE12.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRPACK\QDRPACK12.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0057286.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072068.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072070.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072071.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][4].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][4].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][4].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][3].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][3].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][3].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][3].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][2].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][3].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt
C:\Documents and Settings\Pat\Cookies\[email protected][1].txt

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0057285.EXE

Adware.WebBuying Assistant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OTFMJBG.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072082.DLL

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP138\A0029264.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP138\A0029265.EXE

Trojan.Rootkit-TnCore
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP138\A0029324.SYS

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP152\A0047878.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP152\A0047906.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP152\A0048931.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP152\A0048932.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP153\A0049981.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP153\A0049982.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP153\A0050010.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP153\A0050011.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP154\A0050041.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP154\A0050042.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP154\A0050043.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP154\A0050044.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP154\A0050065.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP154\A0050066.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP155\A0050096.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP155\A0050097.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP155\A0050112.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP155\A0050113.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP155\A0053149.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP155\A0053150.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056190.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056191.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056236.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056237.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056238.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056239.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056254.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP156\A0056255.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0057349.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0057350.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0058359.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP157\A0058360.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP158\A0060390.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP158\A0060391.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP158\A0061416.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP158\A0061417.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP160\A0064484.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP160\A0064485.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP160\A0064486.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP160\A0066498.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP161\A0066530.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP161\A0066531.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067641.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067642.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067643.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067656.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067657.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067658.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP162\A0067659.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP163\A0068751.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP163\A0068752.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP163\A0069812.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP163\A0069813.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069860.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069861.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069875.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069876.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069877.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069878.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069879.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069880.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069881.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069882.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069884.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069885.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069886.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069887.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069888.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069889.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069890.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069891.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069892.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069894.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069895.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069896.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069897.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069898.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069899.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069900.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069901.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069902.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069903.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069904.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069905.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069906.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069907.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069908.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069909.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069910.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069911.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069912.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069913.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069914.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069915.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069916.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069917.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069918.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069919.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069920.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069921.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069922.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069923.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069924.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069925.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069926.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069927.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069929.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069930.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069931.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069932.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069933.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069934.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069935.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069936.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069937.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069938.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069939.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069940.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069941.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069942.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069943.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069944.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069945.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069954.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069984.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072019.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072035.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072036.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072037.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072047.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072084.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072085.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072086.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072087.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP167\A0072273.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP163\A0069833.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP164\A0069928.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072034.DLL

Adware.ClickSpring/Yazzle
C:\WINDOWS\PREFETCH\YAZZLE1281OINADMIN.EXE-2D8F7800.PF

Trojan.Downloader-Gen/TaLDrv
C:\WINDOWS\SYSTEM32\DJ2\AXEBMBRPL6.EXE

ComboFix

ComboFix 08-02-14.2 - Pat 2008-02-17 13:15:25.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1409 [GMT -8:00]
Running from: C:\Documents and Settings\Pat\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pat\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-16 12:58 . 2008-02-16 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-16 12:57 . 2008-02-16 13:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-16 12:57 . 2008-02-16 12:57 <DIR> d-------- C:\Documents and Settings\Pat\Application Data\SUPERAntiSpyware.com
2008-02-15 21:43 . 2008-02-15 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 20:55 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-15 20:39 . 2008-02-15 20:46 <DIR> d-------- C:\Documents and Settings\Pat\.SunDownloadManager
2008-02-15 17:44 . 2008-02-15 17:44 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 14:46 . 2008-02-15 14:46 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-13 22:46 . 2008-02-15 14:46 <DIR> d-------- C:\VundoFix Backups
2008-02-13 17:08 . 2008-02-13 17:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-13 17:08 . 2008-02-13 17:08 3,442 --a------ C:\WINDOWS\unins000.dat
2008-02-04 17:33 . 2008-02-04 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-30 16:08 . 2006-09-11 10:56 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-01-30 16:08 . 2006-12-21 14:18 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-01-30 16:08 . 2003-05-14 21:07 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-01-30 16:08 . 2004-12-07 09:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-01-30 15:14 . 2004-03-09 01:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 20:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 05:45 --------- d-----w C:\Program Files\AIM6
2008-02-16 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-16 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 04:55 --------- d-----w C:\Program Files\Java
2008-02-16 01:47 --------- d-----w C:\Program Files\QuickTime
2008-02-16 01:11 --------- d-----w C:\Program Files\MSN Messenger
2008-02-16 01:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-16 01:09 --------- d-----w C:\Program Files\SpyCatcher
2008-02-16 01:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-14 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 01:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 21:47 --------- d-----w C:\Program Files\World of Warcraft
2008-02-10 21:36 --------- d-----w C:\Documents and Settings\Pat\Application Data\LimeWire
2008-01-10 06:58 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-07 10:20 --------- d-----w C:\Program Files\Starcraft
2007-12-28 03:52 0 ----a-w C:\info.exe
2007-12-28 03:39 --------- d-----w C:\Program Files\RcvSystem
2007-12-24 04:42 --------- d-----w C:\Program Files\BitComet
2007-12-24 04:33 --------- d-----w C:\Program Files\Symantec
2007-12-24 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-19 23:11 --------- d-----w C:\Documents and Settings\Pat\Application Data\Skype
2007-12-19 07:13 --------- d-----w C:\Documents and Settings\Pat\Application Data\acccore
2007-12-19 07:12 --------- d-----w C:\Program Files\Viewpoint
2007-12-19 07:11 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-19 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 08:15 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-12-29 22:37 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-29 22:37 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 04:42 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-12-29 22:36 103864]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-12-29 22:37 88024]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-29 22:37 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-29 22:37 125168]

C:\Documents and Settings\Pat\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-08-21 02:06:15 86133]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 23:01:50 734872]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-21 02:06:15 91576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\evenmgr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:16:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 13:17:02
ComboFix-quarantined-files.txt 2008-02-17 21:16:47
ComboFix2.txt 2008-02-16 01:48:51
ComboFix3.txt 2008-02-16 01:17:22
ComboFix4.txt 2008-02-15 23:37:44
.
2008-02-14 02:06:44 --- E O F ---

#14 charles97 (Topic Starter, Member, 13 posts)

Ok, now the Kaspersky report.


KASPERSKY ONLINE SCANNER REPORT
Sunday, February 17, 2008 2:26:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 570131
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 46361
Number of viruses found 7
Number of infected objects 92
Number of suspicious objects 0
Duration of the scan process 00:42:05

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D40000\47F5989E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Pat\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Pat\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\history.dat Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\key3.db Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Pat\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Pat\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Pat\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\AOL OCP\AIM\Storage\data\moosejr86\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_2098_3267_9832_3B9A\dfsr.db Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_2098_3267_9832_3B9A\fsr.log Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_2098_3267_9832_3B9A\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_2098_3267_9832_3B9A\tmp.edb Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Application Data\Mozilla\Firefox\Profiles\7bcc35cu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\fnm5F.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\fnm61.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\fnm78.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\fnm79.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\~DF3563.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\~DF8E7A.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\~DF8E99.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\~DF936F.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temp\~DF93B2.tmp Object is locked skipped
C:\Documents and Settings\Pat\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pat\ntuser.dat Object is locked skipped
C:\Documents and Settings\Pat\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0202NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bblfipul.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geedc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gvbmvyok.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\psqawocv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vcatulet.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xmplgiqy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-15_153232.09.zip/hggebbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-15_153232.09.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP132\A0024035.exe Infected: Trojan-Downloader.Win32.Osel.bx skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP137\A0028221.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP137\A0028221.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP165\A0072046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP166\A0072066.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP167\A0072244.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP170\A0072636.exe Infected: Trojan.Win32.Pakes.bvs skipped
C:\System Volume Information\_restore{F1F679AB-52DF-4DFD-9BF9-F3760C7C4A7C}\RP171\change.log Object is locked skipped
C:\VundoFix Backups\aehgkhhn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\aiitmvxd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\amnrcsmh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\awtqq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\bexcdohy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\bpvhqwan.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\caxjoaop.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\cceeowbm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ciabqnew.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\cltvufow.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\cuplfjac.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\dnecqayr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\empmabdo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\enqrhcrc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\eomwssvs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\evllphei.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\fsvyfsdg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ftvgrmsm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\gdrgkjqc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\gvslrrcm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\hcbspjvo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\hibmbltc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\iebbtnaf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ihboebwo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\iiriduir.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\isajhqmc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\iuqhswxn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ivxuncov.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\jecvkjfo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\jkkli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\kiietogb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\lokumqrt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\lrelieak.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\VundoFix Backups\mdkvnnbb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\mjgptsnv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\nbwplavu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\nhyjdxrl.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\nkufognm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ocsabvhr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ofqynajr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\oltumfye.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ooctgjte.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\opcnavfw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\orcwulyw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\pnpxciek.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\psdlhoyr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qbfaywbq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qbweuqti.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qcdhlriw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qcoaefvv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\rbgipdja.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ripjbksg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\rjgswatu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\savqptjb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\siexhkda.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ssmfftvw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ssttt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\stqblpln.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\svgcxakd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\taywdbdj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\uayeahje.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ucjlhnxr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ujivkkcj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\upjgtxxn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\vkjvnbup.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\vsdaphjy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\wbdwxdsv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\wikfwojv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\wyajunfj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\wyfwreqc.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\VundoFix Backups\xcnpnxnt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xfelvtkp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xqhtfmoe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xqolbstc.dll.bad Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\VundoFix Backups\yverfpqn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_108.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.



Uninstall List



Ad-Aware 2007
Adobe Reader 8
AIM 6
Apple Software Update
avast! Antivirus
DivX Codec
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 4
Kaspersky Online Scanner
Light Alloy 4.1
LimeWire 4.12.11
Linksys Wireless-G PCI Adapter
LiveUpdate 3.1 (Symantec Corporation)
Magic Online
Magic Workstation 0.94f
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.12)
MTG GamePack for Magic Workstation
NVIDIA Drivers
QuickTime
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Skype™ 3.5
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpyCatcher Express 2007
Starcraft
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Ventrilo Client
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
World of Warcraft



Hijackthis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:11 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - (no file)
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - (no file)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: evenmgr - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8251 bytes



Thanks!

Charles
  • 0

#15
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
This is proving a most stubborn Vundo infection. Hopefully we can get rid of it this time. The rest of the other malware appears now to be gone.


====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\QuickTime\QTTask	.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt


====STEP 2====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O2 - BHO: (no name) - {86F04680-4B73-4A20-A90F-3D7FBA4EDC22} - (no file)
O2 - BHO: (no name) - {A6CB2F6C-A87C-4294-9B51-47FF0DECCC09} - (no file)
O2 - BHO: (no name) - {b3625c88-4998-4fc5-a638-bbd36c6f26cb} - (no file)
O2 - BHO: (no name) - {B5F1136B-E556-41FA-984A-51DE16692164} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O20 - Winlogon Notify: evenmgr - C:\WINDOWS\

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


In your next reply could I see:
1. the combofix report
2. the malwarebytes log
3. a new hijackthis log

andrewuk
  • 0
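As an added example (not code from the thread, from HijackThis or from ComboFix), the reasoning behind STEP 2 written out as a small Python checker: it parses HijackThis entries and flags the three patterns the helper picked for "Fix Checked" (BHOs that resolve to no file, a Run entry whose executable name carries a stray space before its extension, and a Winlogon Notify hook pointing at a bare directory), while listing any AppInit_DLLs entry for manual review. The sample lines are copied from the log posted above; the function names are this example's own.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the forum thread or of HijackThis itself. It
encodes the checks a helper applies by eye: which O2/O4/O20 entries look
like Vundo leftovers and belong in the Fix Checked list.
"""
import re

# Sample HJT lines copied from the log posted in the thread (benign and
# suspect entries mixed, as they appear in a real log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3f3e706f-c1cd-4c96-bacc-3de2d0a285c5} - (no file)
O2 - BHO: (no name) - {5C0FDCFA-4FFB-45AF-9A70-EE4A41CCF921} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: evenmgr - C:\WINDOWS\
O20 - AppInit_DLLs: secuload.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")


def parse_line(line):
    """Split an HJT entry into (section, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def bho_without_file(body):
    """O2 body 'BHO: <name> - {CLSID} - (no file)': a registered BHO whose
    DLL is gone, typically the orphaned registration of a deleted Vundo DLL."""
    return body.startswith("BHO:") and body.rstrip().endswith("(no file)")


def run_target(body):
    """Extract the executable path from an O4 Run body such as
    'HKLM\\..\\Run: [Name] "C:\\path\\prog.exe" -args' or '[Name] prog.exe'."""
    _, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def executable_has_embedded_space(path):
    """Flag 'QTTask .exe'-style names: whitespace (space or tab) directly
    before the extension, which the legitimate QuickTime binary never has."""
    name = path.rsplit("\\", 1)[-1]
    return bool(re.search(r"\s+\.\w+$", name))


def winlogon_notify_bare_dir(body):
    """O20 'Winlogon Notify: <name> - <path>' whose path is only a directory
    (no DLL name), i.e. the hook is registered but its payload is missing."""
    if not body.startswith("Winlogon Notify:"):
        return False
    path = body.rsplit(" - ", 1)[-1].strip()
    return path.endswith("\\") or not re.search(r"\.\w+$", path)


def triage(log_text):
    """Return {'fix': [...], 'review': [...]} for the HJT entries in log_text.
    'fix' holds lines matching the heuristics above; 'review' holds every
    AppInit_DLLs entry, since such a DLL is loaded into every process that
    loads user32.dll and deserves a look even when it turns out legitimate."""
    result = {"fix": [], "review": []}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        if section == "O2" and bho_without_file(body):
            result["fix"].append(line)
        elif section == "O4" and executable_has_embedded_space(run_target(body)):
            result["fix"].append(line)
        elif section == "O20" and winlogon_notify_bare_dir(body):
            result["fix"].append(line)
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            result["review"].append(line)
    return result


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ==")
        for entry in lines:
            print("  " + entry)
```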





