Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

VUNDO (vtsqo.dll) - pop ups, changes advertisements, bogs down compute

Started by rascluk , Mar 11 2008 09:10 PM

This topic is locked

#1
rascluk

Posted 11 March 2008 - 09:10 PM

Member

Member
14 posts

On Feb 24, 2008 12:36PM I posted a log on help with Vundo. After going through all the steps my computer was clean and my topic was closed Feb 24 2008, 10:52 PM. As of last week my computer is exhibiting the same behavior as before and has the Vundo virus again (Trend Micro tells me the name is Cryp_Tap), i.e. popups, advertisements changing on websites, bogged down computer, etc. I was wondering if maybe the virus was not completely removed or if I got it again? Can someone help me remove Vundo and tell me how I can prevent it in the future - what antivirus programs do you recommend. I use Trend Mirco Internet Security as my Anti Virus. Here is the link for my past log that was closed: http://www.geekstogo...view=getnewpost (Tigger93 was the staff member that worked on my case before and was extremely helpful). Thank you in advance for your help...again.

Here is a hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:20 PM, on 03/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsqo.exe
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\DOCUME~1\STEVEK~1\LOCALS~1\Temp\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Security Updates] thyhta.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSChoExE] suge.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 13503 bytes

Here is SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
Generated 03/10/2008 at 09:30 PM

Application Version : 3.6.1000

Core Rules Database Version : 3417
Trace Rules Database Version: 1409

Scan type : Complete Scan
Total Scan Time : 01:38:11

Memory items scanned : 520
Memory threats detected : 1
Registry items scanned : 7063
Registry threats detected : 5
File items scanned : 88266
File threats detected : 5

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\VTSQO.DLL
C:\WINDOWS\SYSTEM32\VTSQO.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{E883E9F2-CDFC-4F16-89A5-F268BD8AB5DC}
HKCR\CLSID\{E883E9F2-CDFC-4F16-89A5-F268BD8AB5DC}
HKCR\CLSID\{E883E9F2-CDFC-4F16-89A5-F268BD8AB5DC}\InprocServer32
HKCR\CLSID\{E883E9F2-CDFC-4F16-89A5-F268BD8AB5DC}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E883E9F2-CDFC-4F16-89A5-F268BD8AB5DC}

Adware.Tracking Cookie
C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][2].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\OQSTV.INI
C:\WINDOWS\SYSTEM32\OQSTV.INI2

Here is Active Scan Log:

Incident Status Location

Adware:adware/mediatickets Not disinfected c:\windows\mtu.bat
Adware:adware/sbsoft Not disinfected c:\windows\webdlg32.inf
Adware:adware/ncase Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\steve_kulcsar@adrevolver[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\steve_kulcsar@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\steve_kulcsar@atdmt[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\steve_kulcsar@burstnet[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\steve_kulcsar@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Steve Kulcsar\Desktop\VirtumundoBeGone.exe
Potentially unwanted tool:Application/Psexec.A Not disinfected C:\WINDOWS\PSEXESVC.EXE
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R62RGMOP\silent_install[1].exe

#2
Rorschach112

Posted 12 March 2008 - 09:59 AM

Ralphie

Retired Staff
47,710 posts

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3
rascluk

Posted 12 March 2008 - 07:24 PM

Member

Topic Starter
Member
14 posts

Here are the logs:

ComboFix 08-03-10.1 - Steve Kulcsar 2008-03-12 19:49:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT -5:00]
Running from: C:\Documents and Settings\Steve Kulcsar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\vtsqo.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 17:45 . 2008-03-12 17:45 333,312 --a------ C:\WINDOWS\system32\RCX10.tmp
2008-03-12 08:45 . 2008-03-12 08:45 5,779 --a------ C:\WINDOWS\system32\dbpgtxqi.dll
2008-03-12 08:42 . 2008-03-12 08:42 5,765 --a------ C:\WINDOWS\system32\qpamxsgq.dll
2008-03-12 05:48 . 2008-03-12 05:48 5,769 --a------ C:\WINDOWS\system32\dwnrwcpj.dll
2008-03-11 06:07 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-11 06:06 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\qgenunrfxxfe.sys
2008-03-11 05:52 . 2008-03-11 05:52 5,765 --a------ C:\WINDOWS\system32\swatfaxw.dll
2008-03-11 05:49 . 2008-03-11 05:49 5,779 --a------ C:\WINDOWS\system32\gdeyhdjv.dll
2008-03-11 05:46 . 2008-03-11 05:46 333,312 --a------ C:\WINDOWS\system32\RCX12.tmp
2008-03-10 18:03 . 2008-03-10 18:03 333,312 --a------ C:\WINDOWS\system32\RCXE.tmp
2008-03-10 06:57 . 2008-03-10 06:57 5,765 --a------ C:\WINDOWS\system32\melvvprd.dll
2008-03-10 06:54 . 2008-03-10 06:54 5,779 --a------ C:\WINDOWS\system32\pqnoddbm.dll
2008-03-10 06:51 . 2008-03-10 06:51 5,769 --a------ C:\WINDOWS\system32\gyusiufh.dll
2008-03-09 06:54 . 2008-03-09 06:54 5,779 --a------ C:\WINDOWS\system32\kjsogcdc.dll
2008-03-09 06:51 . 2008-03-09 06:51 5,765 --a------ C:\WINDOWS\system32\xetmqwpr.dll
2008-03-09 06:48 . 2008-03-09 06:48 5,769 --a------ C:\WINDOWS\system32\ufptsvda.dll
2008-03-08 06:54 . 2008-03-08 06:54 5,779 --a------ C:\WINDOWS\system32\euvltwfw.dll
2008-03-08 06:51 . 2008-03-08 06:51 5,765 --a------ C:\WINDOWS\system32\yyaqkanx.dll
2008-03-08 06:48 . 2008-03-08 06:48 5,769 --a------ C:\WINDOWS\system32\ggqinvai.dll
2008-03-07 06:54 . 2008-03-07 06:54 5,765 --a------ C:\WINDOWS\system32\htcbvkgq.dll
2008-03-07 06:51 . 2008-03-07 06:51 5,779 --a------ C:\WINDOWS\system32\prpgfwpy.dll
2008-03-07 06:48 . 2008-03-07 06:48 5,769 --a------ C:\WINDOWS\system32\daftfiai.dll
2008-03-06 06:56 . 2008-03-11 12:02 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-06 06:51 . 2008-03-06 06:51 5,779 --a------ C:\WINDOWS\system32\jantndbx.dll
2008-03-06 06:48 . 2008-03-06 06:48 5,765 --a------ C:\WINDOWS\system32\akhpirmr.dll
2008-03-06 06:45 . 2008-03-06 06:45 333,312 --a------ C:\WINDOWS\system32\RCXD.tmp
2008-03-05 20:28 . 2008-03-05 20:28 5,765 --a------ C:\WINDOWS\system32\tfqqlpep.dll
2008-03-05 20:25 . 2008-03-05 20:25 5,779 --a------ C:\WINDOWS\system32\gfjuvrep.dll
2008-03-05 20:20 . 2008-03-05 20:20 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-03-05 13:32 . 2008-03-05 13:32 5,765 --a------ C:\WINDOWS\system32\tegkhnrv.dll
2008-03-05 13:29 . 2008-03-05 13:29 5,779 --a------ C:\WINDOWS\system32\lwiesqao.dll
2008-03-05 13:29 . 2008-03-05 13:29 5,769 --a------ C:\WINDOWS\system32\slfanfom.dll
2008-03-05 13:28 . 2008-03-12 19:50 333,312 --a------ C:\WINDOWS\system32\vtsqo.exe
2008-03-03 13:40 . 2008-03-03 13:40 <DIR> d-------- C:\House
2008-03-03 13:38 . 2008-03-03 13:41 265,042 --a------ C:\WINDOWS\house.jpg
2008-02-27 19:46 . 2008-02-27 19:46 <DIR> d-------- C:\Program Files\vso
2008-02-27 19:46 . 2008-02-27 19:46 68,608 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 22:56 --------- d-----w C:\Program Files\Lx_cats
2008-03-11 11:27 --------- d-----w C:\Program Files\Lexmark 5200 Series
2008-03-11 11:25 --------- d-----w C:\Program Files\Google
2008-03-11 11:22 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-28 00:46 34,528 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-02-25 22:07 --------- d-----w C:\Program Files\GhostSurf 2005
2007-12-04 11:56 2 --shatr C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 09:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SureCleanProfessional"="C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-12 17:47 1481968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" []
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 08:47 61440]
"GhostSurfDelSatellite"="C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Security Updates"="thyhta.exe" []
"Windows XP Service Pack 2"="sp2update.exe" []
"MicrosoftUpdate"="syshelper.exe" []
"MSChoExE"="suge.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wserv32.exe" []
"System Security Updates"="thyhta.exe" []
"MicrosoftUpdate"="syshelper.exe" []
"MSChoExE"="suge.exe" []
"Windows System Serivce"="winserv.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MicrosoftUpdate"="syshelper.exe" []

C:\Documents and Settings\Steve Kulcsar\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 16:47:16 86133]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
WinZip Quick Pick.lnk - C:\WinZip\WZQKPICK.EXE [2005-01-10 21:35:02 106560]

C:\DOCUME~1\STEVEK~1\STARTM~1\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 16:47:16 86133]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-12 17:47 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 17:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 23:28]
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-12-04 06:56]
S4 MicrosoftCorporation;MicrosoftUpdate;"C:\WINDOWS\System32\syshelper.exe" -netsvcs []

*Newly Created Service* - SASDIFSV
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 20:11:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2008-03-12 20:14:17 - machine was rebooted [Steve Kulcsar]
ComboFix-quarantined-files.txt 2008-03-13 01:14:07
.
2008-03-12 14:02:53 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:49 PM, on 03/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Security Updates] thyhta.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSChoExE] suge.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 13001 bytes

#4
Rorschach112

Posted 13 March 2008 - 09:48 AM

Ralphie

Retired Staff
47,710 posts

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Security Updates] thyhta.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSChoExE] suge.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\dbpgtxqi.dll
C:\WINDOWS\system32\qpamxsgq.dll
C:\WINDOWS\system32\dwnrwcpj.dll
C:\WINDOWS\system32\drivers\qgenunrfxxfe.sys
C:\WINDOWS\system32\swatfaxw.dll
C:\WINDOWS\system32\gdeyhdjv.dll
C:\WINDOWS\system32\RCX12.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\melvvprd.dll
C:\WINDOWS\system32\pqnoddbm.dll
C:\WINDOWS\system32\gyusiufh.dll
C:\WINDOWS\system32\kjsogcdc.dll
C:\WINDOWS\system32\xetmqwpr.dll
C:\WINDOWS\system32\ufptsvda.dll
C:\WINDOWS\system32\euvltwfw.dll
C:\WINDOWS\system32\yyaqkanx.dll
C:\WINDOWS\system32\ggqinvai.dll
C:\WINDOWS\system32\htcbvkgq.dll
C:\WINDOWS\system32\prpgfwpy.dll
C:\WINDOWS\system32\daftfiai.dll
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\jantndbx.dll
C:\WINDOWS\system32\akhpirmr.dll
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\tfqqlpep.dll
C:\WINDOWS\system32\gfjuvrep.dll
C:\WINDOWS\system32\tegkhnrv.dll
C:\WINDOWS\system32\lwiesqao.dll
C:\WINDOWS\system32\slfanfom.dll
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\winstart.bat

Driver::
MicrosoftCorporation

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

#5
rascluk

Posted 14 March 2008 - 06:58 AM

Member

Topic Starter
Member
14 posts

Here are the logs:

SDFix: Version 1.156

Run by Steve Kulcsar on 03/13/2008 at 11:50 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFIX\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\system32\TFTP2284 - Deleted
C:\WINDOWS\system32\TFTP2376 - Deleted
C:\WINDOWS\system32\TFTP2784 - Deleted
C:\WINDOWS\system32\TFTP3292 - Deleted
C:\WINDOWS\system32\TFTP3440 - Deleted
C:\WINDOWS\system32\TFTP3696 - Deleted
C:\WINDOWS\system32\TFTP3752 - Deleted
C:\WINDOWS\system32\TFTP3820 - Deleted
C:\WINDOWS\system32\TFTP4092 - Deleted
C:\WINDOWS\system32\TFTP4196 - Deleted
C:\WINDOWS\system32\TFTP4512 - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 23:56:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"="C:\\Program Files\\GhostSurf 2005\\Proxy.exe:*:Enabled:GhostSurf proxy"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Disabled:Windows Explorer"
"C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe"="C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe:*:Disabled:yahtzee"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFIX\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 4 May 2006 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Mon 20 Oct 2003 73,688 ..SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe"
Sat 24 Jan 2004 5,120 A.SHR --- "C:\Program Files\Autodesk\Autodesk Express Viewer\_Setupx.dll"
Wed 3 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 11 Oct 2006 19,456 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 9 May 2007 20,480 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL0147.tmp"
Wed 9 May 2007 19,968 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL0613.tmp"
Wed 9 May 2007 19,456 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL0885.tmp"
Wed 9 May 2007 20,992 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL0958.tmp"
Wed 9 May 2007 20,480 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL1170.tmp"
Wed 9 May 2007 20,480 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL2307.tmp"
Wed 9 May 2007 19,968 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL3308.tmp"
Wed 9 May 2007 19,968 ...H. --- "C:\Documents and Settings\Steve Kulcsar\Application Data\Microsoft\Word\~WRL3597.tmp"
Tue 26 Sep 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

ComboFix 08-03-10.1 - Steve Kulcsar 2008-03-14 0:06:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT -5:00]
Running from: C:\Documents and Settings\Steve Kulcsar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Kulcsar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\akhpirmr.dll
C:\WINDOWS\system32\daftfiai.dll
C:\WINDOWS\system32\dbpgtxqi.dll
C:\WINDOWS\system32\drivers\qgenunrfxxfe.sys
C:\WINDOWS\system32\dwnrwcpj.dll
C:\WINDOWS\system32\euvltwfw.dll
C:\WINDOWS\system32\gdeyhdjv.dll
C:\WINDOWS\system32\gfjuvrep.dll
C:\WINDOWS\system32\ggqinvai.dll
C:\WINDOWS\system32\gyusiufh.dll
C:\WINDOWS\system32\htcbvkgq.dll
C:\WINDOWS\system32\jantndbx.dll
C:\WINDOWS\system32\kjsogcdc.dll
C:\WINDOWS\system32\lwiesqao.dll
C:\WINDOWS\system32\melvvprd.dll
C:\WINDOWS\system32\pqnoddbm.dll
C:\WINDOWS\system32\prpgfwpy.dll
C:\WINDOWS\system32\qpamxsgq.dll
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX12.tmp
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\slfanfom.dll
C:\WINDOWS\system32\swatfaxw.dll
C:\WINDOWS\system32\tegkhnrv.dll
C:\WINDOWS\system32\tfqqlpep.dll
C:\WINDOWS\system32\ufptsvda.dll
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\system32\xetmqwpr.dll
C:\WINDOWS\system32\yyaqkanx.dll
C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\akhpirmr.dll
C:\WINDOWS\system32\daftfiai.dll
C:\WINDOWS\system32\dbpgtxqi.dll
C:\WINDOWS\system32\drivers\qgenunrfxxfe.sys
C:\WINDOWS\system32\dwnrwcpj.dll
C:\WINDOWS\system32\euvltwfw.dll
C:\WINDOWS\system32\gdeyhdjv.dll
C:\WINDOWS\system32\gfjuvrep.dll
C:\WINDOWS\system32\ggqinvai.dll
C:\WINDOWS\system32\gyusiufh.dll
C:\WINDOWS\system32\htcbvkgq.dll
C:\WINDOWS\system32\jantndbx.dll
C:\WINDOWS\system32\kjsogcdc.dll
C:\WINDOWS\system32\lwiesqao.dll
C:\WINDOWS\system32\melvvprd.dll
C:\WINDOWS\system32\pqnoddbm.dll
C:\WINDOWS\system32\prpgfwpy.dll
C:\WINDOWS\system32\qpamxsgq.dll
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX12.tmp
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\slfanfom.dll
C:\WINDOWS\system32\swatfaxw.dll
C:\WINDOWS\system32\tegkhnrv.dll
C:\WINDOWS\system32\tfqqlpep.dll
C:\WINDOWS\system32\ufptsvda.dll
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\system32\xetmqwpr.dll
C:\WINDOWS\system32\yyaqkanx.dll
C:\WINDOWS\winstart.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_MICROSOFTCORPORATION
-------\MicrosoftCorporation

((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 23:44 . 2008-03-13 23:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-13 23:43 . 2008-03-13 23:43 <DIR> d-------- C:\SDFIX
2008-03-11 06:07 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 20:20 . 2008-03-05 20:20 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-03-03 13:40 . 2008-03-03 13:40 <DIR> d-------- C:\House
2008-03-03 13:38 . 2008-03-03 13:41 265,042 --a------ C:\WINDOWS\house.jpg
2008-02-27 19:46 . 2008-02-27 19:46 <DIR> d-------- C:\Program Files\vso
2008-02-27 19:46 . 2008-02-27 19:46 68,608 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 04:40 --------- d-----w C:\Program Files\Lx_cats
2008-03-11 11:27 --------- d-----w C:\Program Files\Lexmark 5200 Series
2008-03-11 11:25 --------- d-----w C:\Program Files\Google
2008-03-11 11:22 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-28 00:46 34,528 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-02-25 22:07 --------- d-----w C:\Program Files\GhostSurf 2005
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_20.13.46.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-12 07:35:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-14 04:44:42 7,434,240 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-14 04:44:42 225,280 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-12 07:35:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-14 04:44:29 7,434,240 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-14 04:44:29 225,280 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-03-12 22:52:01 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
+ 2008-03-14 12:41:58 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
- 2008-03-12 22:52:01 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
+ 2008-03-14 12:41:57 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
- 2008-03-12 22:52:01 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
+ 2008-03-14 12:41:49 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
- 2008-03-12 22:52:01 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
+ 2008-03-14 12:41:59 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
- 2008-03-12 22:46:28 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-14 12:41:43 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-12 22:46:28 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-14 12:41:43 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 09:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SureCleanProfessional"="C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-12 17:47 1481968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" []
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 08:47 61440]
"GhostSurfDelSatellite"="C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSChoExE"="suge.exe" []

C:\Documents and Settings\Steve Kulcsar\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 16:47:16 86133]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
WinZip Quick Pick.lnk - C:\WinZip\WZQKPICK.EXE [2005-01-10 21:35:02 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-12 17:47 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 17:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 23:28]
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-12-04 06:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 07:40:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 2008-03-14 7:44:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 12:44:00
ComboFix2.txt 2008-03-13 01:14:18
.
2008-03-12 14:02:53 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:40 AM, on 03/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 12176 bytes

#6
Rorschach112

Posted 14 March 2008 - 08:18 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\RunServices: [MSChoExE] suge.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\uccspecb.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Reboot and do this

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#7
rascluk

Posted 14 March 2008 - 08:08 PM

Member

Topic Starter
Member
14 posts

Here are the logs:

ComboFix 08-03-10.1 - Steve Kulcsar 2008-03-14 17:00:48.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.134 [GMT -5:00]
Running from: C:\Documents and Settings\Steve Kulcsar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Kulcsar\Desktop\CFScript-2.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\uccspecb.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\uccspecb.sys

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 23:44 . 2008-03-13 23:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-13 23:43 . 2008-03-13 23:43 <DIR> d-------- C:\SDFIX
2008-03-11 06:07 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 20:20 . 2008-03-05 20:20 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-03-03 13:40 . 2008-03-03 13:40 <DIR> d-------- C:\House
2008-03-03 13:38 . 2008-03-03 13:41 265,042 --a------ C:\WINDOWS\house.jpg
2008-02-27 19:46 . 2008-02-27 19:46 <DIR> d-------- C:\Program Files\vso
2008-02-27 19:46 . 2008-02-27 19:46 68,608 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 21:55 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-03-14 21:55 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-03-14 21:55 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-03-14 21:55 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
2008-03-14 04:40 --------- d-----w C:\Program Files\Lx_cats
2008-03-11 11:27 --------- d-----w C:\Program Files\Lexmark 5200 Series
2008-03-11 11:25 --------- d-----w C:\Program Files\Google
2008-03-11 11:22 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-28 00:46 34,528 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-02-25 22:07 --------- d-----w C:\Program Files\GhostSurf 2005
2008-01-25 01:27 5,773 ----a-w C:\WINDOWS\system32\nqorypcx.dll
2008-01-24 01:25 5,773 ----a-w C:\WINDOWS\system32\cmxukhjp.dll
2008-01-23 01:21 5,773 ----a-w C:\WINDOWS\system32\pcqudhjc.dll
2008-01-22 01:26 5,773 ----a-w C:\WINDOWS\system32\esgisdsf.dll
2008-01-21 01:26 5,773 ----a-w C:\WINDOWS\system32\hgcftels.dll
2008-01-19 13:24 5,773 ----a-w C:\WINDOWS\system32\ekcoemhd.dll
2008-01-18 13:19 5,773 ----a-w C:\WINDOWS\system32\enkpkqph.dll
2008-01-18 13:15 5,735 ----a-w C:\WINDOWS\system32\lfbyqdoq.dll
2008-01-17 13:24 5,773 ----a-w C:\WINDOWS\system32\gloxspmx.dll
2008-01-17 13:21 5,735 ----a-w C:\WINDOWS\system32\eyraigyp.dll
2008-01-16 13:25 5,773 ----a-w C:\WINDOWS\system32\ajccykos.dll
2008-01-16 13:16 5,735 ----a-w C:\WINDOWS\system32\wteioiyb.dll
2008-01-14 13:24 5,773 ----a-w C:\WINDOWS\system32\vxfivyeb.dll
2008-01-14 13:18 5,735 ----a-w C:\WINDOWS\system32\pldtbidv.dll
2008-01-13 01:25 5,773 ----a-w C:\WINDOWS\system32\lubturan.dll
2008-01-13 01:16 5,735 ----a-w C:\WINDOWS\system32\cjpphwmf.dll
2008-01-11 13:25 5,773 ----a-w C:\WINDOWS\system32\pqnyfjee.dll
2008-01-11 13:22 5,735 ----a-w C:\WINDOWS\system32\xjwdtssl.dll
2008-01-11 00:48 5,773 ----a-w C:\WINDOWS\system32\sbofkcow.dll
2008-01-11 00:45 5,735 ----a-w C:\WINDOWS\system32\obdmiasb.dll
2008-01-08 06:58 5,773 ----a-w C:\WINDOWS\system32\rodtfkjl.dll
2007-12-25 15:11 5,773 ----a-w C:\WINDOWS\system32\cgqvmgtq.dll
2007-12-23 07:27 5,773 ----a-w C:\WINDOWS\system32\mdeumfaf.dll
2007-12-22 01:15 6,691 ----a-w C:\WINDOWS\system32\bmbqdlqt.dll
2007-12-21 01:15 6,691 ----a-w C:\WINDOWS\system32\uiagjadh.dll
2007-12-19 16:42 6,691 ----a-w C:\WINDOWS\system32\qepcfwec.dll
2007-12-14 20:31 6,691 ----a-w C:\WINDOWS\system32\wffnuaqb.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_20.13.46.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-12 07:35:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-14 04:44:42 7,434,240 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-14 04:44:42 225,280 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-12 07:35:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-14 04:44:29 7,434,240 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-14 04:44:29 225,280 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-03-12 22:46:28 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-14 12:52:09 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-12 22:46:28 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-14 12:52:09 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 09:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SureCleanProfessional"="C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-12 17:47 1481968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" []
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 08:47 61440]
"GhostSurfDelSatellite"="C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" [ ]

C:\Documents and Settings\Steve Kulcsar\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 16:47:16 86133]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
WinZip Quick Pick.lnk - C:\WinZip\WZQKPICK.EXE [2005-01-10 21:35:02 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-12 17:47 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 17:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 23:28]
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-12-04 06:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 17:04:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-14 17:05:22
ComboFix-quarantined-files.txt 2008-03-14 22:05:19
ComboFix2.txt 2008-03-14 12:44:06
ComboFix3.txt 2008-03-13 01:14:18
.
2008-03-12 14:02:53 --- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 14, 2008 9:05:35 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/03/2008
Kaspersky Anti-Virus database records: 630343
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 90729
Number of viruses found: 10
Number of infected objects: 239
Number of suspicious objects: 0
Duration of the scan process: 01:31:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-14_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Documents\{499663EE-202C-4468-874C-198A9E0BC058} Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Application Data\Sun\Java\Deployment\cache\6.0\36\5c192a24-77e884ac/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Steve Kulcsar\Application Data\Sun\Java\Deployment\cache\6.0\36\5c192a24-77e884ac ZIP: infected - 1 skipped
C:\Documents and Settings\Steve Kulcsar\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-14-2008( 17-8-56 ).LOG Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Application Data\Trend Micro\TrendSecure\Log\TS-COMSVR-20071210-082611-468.log Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Application Data\Trend Micro\TrendSecure\Log\TS-TGP-20080314-103622-609.log Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Temp\me_H4ggRplEBVtd2nk Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Temp\me_HfyY9jy17CCTsB7 Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Temp\me_qIgbnlgGMsjdavD Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\Local Settings\Temp\me_th7QTB1ud7aQ1CD Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\ntuser.dat Object is locked skipped
C:\Documents and Settings\Steve Kulcsar\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Internet Explorer\iexplore.exe.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\QuickTime\qttask.exe Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\DB\vpdb.ldb Object is locked skipped
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\DB\vpdb.mdb Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1A8.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\28.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\31.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\32.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\33.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\34.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\35.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\36.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\37.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\38.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\39.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3A.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3C.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3CF.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3D.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3D2.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3E.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3EF.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\3F.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\40.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\41.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\42.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\43.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\44.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\45.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\46.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\47.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\48.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\49.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4A.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4B.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4C.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4D.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4E.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\4F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\50.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\51.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\52.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\53.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\54.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\55.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\56.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\57.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\58.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\59.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5A.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5B.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5C.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5D.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5E.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5F.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\60.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\94.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\95.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\96.tmp Infected: Virus.Win32.Trats.b skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\CDTFEARI.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\HCTP[1]_804.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\iddqd[1]_294.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\iddqd[1]_854.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ptch[1]_14c.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ptch[1]_824.VIR Infected: not-a-virus:AdWare.Win32.SuperJuan.in skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ptch[1]_880.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ptch[1]_88c.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ptch[1]_eb8.VIR Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: Virus.Win32.Trats.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX10.tmp.vir Infected: Virus.Win32.Trats.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX12.tmp.vir Infected: Virus.Win32.Trats.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXD.tmp.vir Infected: Virus.Win32.Trats.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCXE.tmp.vir Infected: Virus.Win32.Trats.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtsqo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtsqo.exe.vir Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP801\A0112455.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP801\A0113464.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP801\A0113465.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP801\A0113466.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP801\A0113467.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP802\A0113562.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP802\A0113563.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP802\A0113564.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP802\A0113565.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP804\A0113684.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP804\A0113685.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP804\A0113686.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP804\A0113687.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP805\A0113761.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP805\A0113762.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP805\A0113763.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP805\A0113764.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP806\A0113803.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP806\A0113804.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP806\A0113805.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP806\A0113806.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114753.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114754.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114755.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114756.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114759.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114761.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114795.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114796.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114797.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0114798.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0115792.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0115793.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0115794.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0115795.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0115798.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP807\A0115799.EXE Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP808\A0115838.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP808\A0115839.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP808\A0115840.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP808\A0115841.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0115882.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0115883.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0115884.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0115885.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0116879.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0116880.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0116881.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0116882.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0116885.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP809\A0116886.EXE Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116927.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116928.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116929.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116987.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116988.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116989.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0116990.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0117013.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0117023.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0117024.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0117025.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0117026.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP810\A0117031.EXE Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117080.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117081.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117082.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117083.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117111.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117112.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117121.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117122.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117123.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117124.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117125.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117141.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117142.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117143.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP811\A0117144.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0117230.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0117231.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0117232.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0117233.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0117246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0118246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0119258.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0119259.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0119260.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP813\A0119261.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119298.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119299.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119300.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119301.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119303.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119315.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119316.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119317.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119318.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119319.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119320.EXE Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119321.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119344.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119355.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119357.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119358.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119359.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119361.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119395.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119396.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119397.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119398.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119400.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119428.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119429.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119430.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119431.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP814\A0119434.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP815\A0119460.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP815\A0119461.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP815\A0119462.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP815\A0119463.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP815\A0119465.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP817\A0120537.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0121965.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0121966.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0121999.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0122002.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0123002.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0123010.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP826\A0123011.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP828\A0123196.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP830\A0123234.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP831\A0123275.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP831\A0123281.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP831\A0123283.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP831\A0123287.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP831\A0123305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP831\A0125345.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP833\A0125359.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP834\A0125436.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP834\A0125439.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP836\A0125636.exe Infected: Virus.Win32.Trats.b skipped
C:\System Volume Information\_restore{45892D38-A0BF-43F9-8C9F-96715222A8FE}\RP837\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itircl.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4021A8C3-883F-45CA-947C-796305CA9FB8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GHU7CV8X\js[1].html Infected: Exploit.HTML.CodeBaseExec skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MRT.exe Infected: Virus.Win32.Trats.b skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET7F9F.tmp Object is locked skipped
C:\WINDOWS\Temp\JET8FAD.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Bday\New Folder\Quarantine\478F16BC Infected: not-a-virus:RiskTool.Win32.HideRun skipped
D:\Bday\New Folder\Quarantine\4F037FA3.exe Infected: Trojan-Proxy.Win32.Bobax.c skipped
D:\Bday\New Folder\Quarantine\4F0629A0.exe Infected: Trojan-Proxy.Win32.Bobax.c skipped
D:\Bday\New Folder\Quarantine\51311B3D Infected: Trojan-Spy.Win32.Briss.c skipped
D:\Bday\New Folder\Quarantine\51354539 Infected: Trojan-Spy.Win32.Briss.h skipped
D:\Bday\New Folder\Quarantine\51386F35 Infected: Trojan-Spy.Win32.Briss.h skipped
D:\Program Files\Internet Explorer Temporary Files\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Program Files\Internet Explorer Temporary Files\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Program Files\Outlook Express\Email Files\Folders.dbx Object is locked skipped
D:\Program Files\Outlook Express\Email Files\Inbox.dbx Object is locked skipped
D:\Program Files\Outlook Express\Email Files\Offline.dbx Object is locked skipped
D:\Program Files\Outlook Express\Email Files\Passwords.dbx/[From MidAmerica Bank <[email protected]>][Date Wed, 05 Jul 2006 09:32:06 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.pd skipped
D:\Program Files\Outlook Express\Email Files\Passwords.dbx/[From MidAmerica Bank <[email protected]>][Date Wed, 05 Jul 2006 09:32:06 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.pd skipped
D:\Program Files\Outlook Express\Email Files\Passwords.dbx Mail MS Outlook 5: infected - 2 skipped
D:\Program Files\Outlook Express\Email Files\Pop3uidl.dbx Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:35 PM, on 03/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program

#8
Rorschach112

Posted 15 March 2008 - 07:33 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\nqorypcx.dll
C:\WINDOWS\system32\cmxukhjp.dll
C:\WINDOWS\system32\pcqudhjc.dll
C:\WINDOWS\system32\esgisdsf.dll
C:\WINDOWS\system32\hgcftels.dll
C:\WINDOWS\system32\ekcoemhd.dll
C:\WINDOWS\system32\enkpkqph.dll
C:\WINDOWS\system32\lfbyqdoq.dll
C:\WINDOWS\system32\gloxspmx.dll
C:\WINDOWS\system32\eyraigyp.dll
C:\WINDOWS\system32\ajccykos.dll
C:\WINDOWS\system32\wteioiyb.dll
C:\WINDOWS\system32\vxfivyeb.dll
C:\WINDOWS\system32\pldtbidv.dll
C:\WINDOWS\system32\lubturan.dll
C:\WINDOWS\system32\cjpphwmf.dll
C:\WINDOWS\system32\pqnyfjee.dll
C:\WINDOWS\system32\xjwdtssl.dll
C:\WINDOWS\system32\sbofkcow.dll
C:\WINDOWS\system32\obdmiasb.dll
C:\WINDOWS\system32\rodtfkjl.dll
C:\WINDOWS\system32\cgqvmgtq.dll
C:\WINDOWS\system32\mdeumfaf.dll
C:\WINDOWS\system32\bmbqdlqt.dll
C:\WINDOWS\system32\uiagjadh.dll
C:\WINDOWS\system32\qepcfwec.dll
C:\WINDOWS\system32\wffnuaqb.dll
C:\Program Files\Internet Explorer\iexplore.exe.tmp
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\MRT.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

#9
rascluk

Posted 15 March 2008 - 11:22 AM

Member

Topic Starter
Member
14 posts

Right now my pc is running great. Programs open up in half the time and so far no pop ups or ads changing on websites. Thanks for your help so far! Do you think that Vundo never got deleted totally before and thats why it resurfaced? What programs should I be running to prevent further problems? Thanks for your help!

Here are the logs:

ComboFix 08-03-10.1 - Steve Kulcsar 2008-03-15 11:24:41.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT -5:00]
Running from: C:\Documents and Settings\Steve Kulcsar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Kulcsar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Internet Explorer\iexplore.exe.tmp
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ajccykos.dll
C:\WINDOWS\system32\bmbqdlqt.dll
C:\WINDOWS\system32\cgqvmgtq.dll
C:\WINDOWS\system32\cjpphwmf.dll
C:\WINDOWS\system32\cmxukhjp.dll
C:\WINDOWS\system32\ekcoemhd.dll
C:\WINDOWS\system32\enkpkqph.dll
C:\WINDOWS\system32\esgisdsf.dll
C:\WINDOWS\system32\eyraigyp.dll
C:\WINDOWS\system32\gloxspmx.dll
C:\WINDOWS\system32\hgcftels.dll
C:\WINDOWS\system32\lfbyqdoq.dll
C:\WINDOWS\system32\lubturan.dll
C:\WINDOWS\system32\mdeumfaf.dll
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\nqorypcx.dll
C:\WINDOWS\system32\obdmiasb.dll
C:\WINDOWS\system32\pcqudhjc.dll
C:\WINDOWS\system32\pldtbidv.dll
C:\WINDOWS\system32\pqnyfjee.dll
C:\WINDOWS\system32\qepcfwec.dll
C:\WINDOWS\system32\rodtfkjl.dll
C:\WINDOWS\system32\sbofkcow.dll
C:\WINDOWS\system32\uiagjadh.dll
C:\WINDOWS\system32\vxfivyeb.dll
C:\WINDOWS\system32\wffnuaqb.dll
C:\WINDOWS\system32\wteioiyb.dll
C:\WINDOWS\system32\xjwdtssl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\iexplore.exe.tmp
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ajccykos.dll
C:\WINDOWS\system32\bmbqdlqt.dll
C:\WINDOWS\system32\cgqvmgtq.dll
C:\WINDOWS\system32\cjpphwmf.dll
C:\WINDOWS\system32\cmxukhjp.dll
C:\WINDOWS\system32\ekcoemhd.dll
C:\WINDOWS\system32\enkpkqph.dll
C:\WINDOWS\system32\esgisdsf.dll
C:\WINDOWS\system32\eyraigyp.dll
C:\WINDOWS\system32\gloxspmx.dll
C:\WINDOWS\system32\hgcftels.dll
C:\WINDOWS\system32\lfbyqdoq.dll
C:\WINDOWS\system32\lubturan.dll
C:\WINDOWS\system32\mdeumfaf.dll
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\nqorypcx.dll
C:\WINDOWS\system32\obdmiasb.dll
C:\WINDOWS\system32\pcqudhjc.dll
C:\WINDOWS\system32\pldtbidv.dll
C:\WINDOWS\system32\pqnyfjee.dll
C:\WINDOWS\system32\qepcfwec.dll
C:\WINDOWS\system32\rodtfkjl.dll
C:\WINDOWS\system32\sbofkcow.dll
C:\WINDOWS\system32\uiagjadh.dll
C:\WINDOWS\system32\vxfivyeb.dll
C:\WINDOWS\system32\wffnuaqb.dll
C:\WINDOWS\system32\wteioiyb.dll
C:\WINDOWS\system32\xjwdtssl.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-14 17:11 . 2008-03-14 17:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-14 17:11 . 2008-03-14 17:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-03-13 23:44 . 2008-03-13 23:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-13 23:43 . 2008-03-13 23:43 <DIR> d-------- C:\SDFIX
2008-03-11 06:07 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-05 20:20 . 2008-03-05 20:20 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-03-03 13:40 . 2008-03-03 13:40 <DIR> d-------- C:\House
2008-03-03 13:38 . 2008-03-03 13:41 265,042 --a------ C:\WINDOWS\house.jpg
2008-02-27 19:46 . 2008-02-27 19:46 <DIR> d-------- C:\Program Files\vso
2008-02-27 19:46 . 2008-02-27 19:46 68,608 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 16:24 --------- d-----w C:\Program Files\QuickTime
2008-03-15 13:07 --------- d-----w C:\Program Files\Lx_cats
2008-03-11 11:27 --------- d-----w C:\Program Files\Lexmark 5200 Series
2008-03-11 11:25 --------- d-----w C:\Program Files\Google
2008-03-11 11:22 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-02-28 00:46 34,528 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-02-25 22:07 --------- d-----w C:\Program Files\GhostSurf 2005
.

((((((((((((((((((((((((((((( snapshot@2008-03-12_20.13.46.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-12 07:35:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-14 04:44:42 7,434,240 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-14 04:44:42 225,280 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-12 07:35:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-14 04:44:29 7,434,240 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-03-14 04:44:29 225,280 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-03-15 16:53:04 38,224 ----a-w C:\WINDOWS\system32\drivers\neokdss.sys
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-03-12 22:52:01 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
+ 2008-03-15 16:52:54 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
- 2008-03-12 22:52:01 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
+ 2008-03-15 16:52:53 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
- 2008-03-12 22:52:01 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
+ 2008-03-15 16:52:49 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
- 2008-03-12 22:52:01 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
+ 2008-03-15 16:52:55 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
- 2008-03-12 22:46:28 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-15 16:52:52 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-12 22:46:28 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-15 16:52:53 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 09:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SureCleanProfessional"="C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-12 17:47 1481968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" []
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 08:47 61440]
"GhostSurfDelSatellite"="C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" [ ]

C:\Documents and Settings\Steve Kulcsar\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 16:47:16 86133]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 06:25:38 614531]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
WinZip Quick Pick.lnk - C:\WinZip\WZQKPICK.EXE [2005-01-10 21:35:02 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-12 17:47 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 17:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 23:28]
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-12-04 06:56]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 11:51:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 2008-03-15 11:55:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 16:54:54
ComboFix2.txt 2008-03-14 22:05:23
ComboFix3.txt 2008-03-14 12:44:06
ComboFix4.txt 2008-03-13 01:14:18
.
2008-03-12 14:02:53 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:08 PM, on 03/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 12276 bytes

#10
Rorschach112

Posted 15 March 2008 - 02:10 PM

Ralphie

Retired Staff
47,710 posts

Your logs are clean ! We need to do a few things

Now lets uninstall Combofix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

The above procedure will do the following:

Delete ComboFix and its associated files and folders.
Delete VundoFix backups, if present
Delete the C:\Deckard folder, if present
Delete the C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#11
rascluk

Posted 15 March 2008 - 03:58 PM

Member

Topic Starter
Member
14 posts

I've completed all tasks, including adding the additional software you recommended. Thank you again for your help! I've sent a donation in so you can continue to help people like me. Thank you for taking the time and effort in helping me out - you guys are awesome!

#12
Rorschach112

Posted 15 March 2008 - 05:37 PM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.