Okay I hope I did everything correctly so far.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:48 AM, on 01/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://windowsupdate.microsoft.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
http://messenger.zon...kr.cab31267.cabO16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) -
http://www.alternati.../00/alttiff.cabO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
http://messenger.zon...kr.cab56986.cabO16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) -
http://musicmix.mess.../Medialogic.CABO16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) -
http://gamingzone.ub...s/GSManager.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) -
http://zone.msn.com/...pcaploader1.cabO16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) -
http://messenger.zon...wn.cab56986.cabO16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) -
http://fulfillment.p...onager_smms.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) -
http://messenger.zon...1/GAME_UNO1.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.mi...b?1201536110079O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.mi...b?1201536100516O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
http://messenger.zon...nt.cab31267.cabO16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) -
http://cdn2.zone.msn...gr.cab31267.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
http://cdn2.zone.msn...ro.cab56649.cabO16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) -
http://zone.msn.com/...tg.1.0.0.37.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
http://messenger.zon...nt.cab56907.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.m...ash/swflash.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -
http://zone.msn.com/...inematycoon.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O24 - Desktop Component 1: (no name) -
http://gamercard.xbo...m/FacesMan.card--
End of file - 10637 bytes
Avira AntiVir Personal
Report file date: July 31, 2008 23:18
Scanning for 1523821 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: JUSTIN
Version information:
BUILD.DAT : 8.1.0.326 16933 Bytes 11/07/2008 12:57:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 19:54:15
ANTIVIR2.VDF : 7.0.5.174 2027008 Bytes 25/07/2008 03:16:37
ANTIVIR3.VDF : 7.0.5.200 212480 Bytes 31/07/2008 03:16:40
Engineversion : 8.1.1.15
AEVDF.DLL : 8.1.0.5 102772 Bytes 09/07/2008 14:46:50
AESCRIPT.DLL : 8.1.0.61 311675 Bytes 01/08/2008 03:17:10
AESCN.DLL : 8.1.0.23 119156 Bytes 01/08/2008 03:17:07
AERDL.DLL : 8.1.0.20 418165 Bytes 09/07/2008 14:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 01/08/2008 03:17:05
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 01/08/2008 03:17:02
AEHEUR.DLL : 8.1.0.44 1343863 Bytes 01/08/2008 03:16:59
AEHELP.DLL : 8.1.0.15 115063 Bytes 09/07/2008 14:46:50
AEGEN.DLL : 8.1.0.32 315765 Bytes 01/08/2008 03:16:51
AEEMU.DLL : 8.1.0.7 430452 Bytes 01/08/2008 03:16:48
AECORE.DLL : 8.1.1.8 172406 Bytes 01/08/2008 03:16:45
AEBB.DLL : 8.1.0.1 53617 Bytes 24/04/2008 14:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 01/08/2008 03:16:43
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 19:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: July 31, 2008 23:18
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'SbPFCl.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ZuneNss.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'CTDVDDET.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'BCMSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'SbPFSvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SbPFLnch.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '62' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\37c5d9446a3a875d294ff4a544b5133c\update\update.exe
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\zone\peggle\tempdownload.cab
[0] Archive type: CAB (Microsoft)
--> levels\beans.jpg
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\zone\rocketmania\rocketmania.cab
[0] Archive type: CAB (Microsoft)
--> sounds\Block Rotating 03.ogg
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Justin\Shared\02 Track 2.wma
[DETECTION] Is the TR/Dldr.WMA.Wimad.L Trojan
[NOTE] The file was deleted!
C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe
[0] Archive type: CAB SFX (self extracting)
--> Graphics\Animations\002-Action02.png
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\QooBox\Quarantine\C\WINDOWS\system32\artajs.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\awtusQgF.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\pjjvctfm.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\qlddqbke.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Winiw88.sys.zip
[0] Archive type: ZIP
--> Winiw88.sys
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3224B713-593F-47AB-953E-17D636D2CACA}\RP2\A0000009.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3224B713-593F-47AB-953E-17D636D2CACA}\RP2\A0000016.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3224B713-593F-47AB-953E-17D636D2CACA}\RP4\A0000127.dll
[DETECTION] Is the TR/Monder.bdx Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3224B713-593F-47AB-953E-17D636D2CACA}\RP7\A0000216.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3224B713-593F-47AB-953E-17D636D2CACA}\RP7\A0000222.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
End of the scan: August 1, 2008 00:13
Used time: 54:57 Minute(s)
The scan has been done completely.
11306 Scanning directories
468540 Files were scanned
11 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
11 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
468525 Files not concerned
3195 Archives were scanned
7 Warnings
11 Notes
ComboFix 08-07-31.01 - Justin 2008-07-31 22:44:46.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2015 [GMT -4:00]
Running from: C:\Documents and Settings\Justin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\awtusQgF.dll
C:\WINDOWS\system32\btitte.dll
C:\WINDOWS\system32\cpkbpsyv.ini
C:\WINDOWS\system32\FgQsutwa.ini
C:\WINDOWS\system32\FgQsutwa.ini2
C:\WINDOWS\system32\kniweogf.dll
C:\WINDOWS\system32\mbesxbkr.dll
C:\WINDOWS\system32\msvcr80.dll
C:\WINDOWS\system32\pjjvctfm.dll
C:\WINDOWS\system32\rkbxsebm.ini
C:\WINDOWS\system32\vyspbkpc.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\awtusQgF.dll
C:\WINDOWS\system32\btitte.dll
C:\WINDOWS\system32\callqybq.dll
C:\WINDOWS\system32\cpkbpsyv.ini
C:\WINDOWS\system32\FgQsutwa.ini
C:\WINDOWS\system32\FgQsutwa.ini2
C:\WINDOWS\system32\kniweogf.dll
C:\WINDOWS\system32\mbesxbkr.dll
C:\WINDOWS\system32\msvcr80.dll
C:\WINDOWS\system32\pjjvctfm.dll
C:\WINDOWS\system32\rkbxsebm.ini
C:\WINDOWS\system32\vyspbkpc.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.
2008-07-30 22:30 . 2008-07-30 22:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 19:52 . 2008-07-30 20:55 <DIR> d-------- C:\Program Files\a-squared Free
2008-07-30 19:18 . 2008-07-30 19:18 <DIR> d-------- C:\VundoFix Backups
2008-07-28 23:24 . 2008-07-28 23:24 3,344 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-28 22:01 . 2008-07-28 23:02 291 --a------ C:\WINDOWS\wininit.ini
2008-07-28 15:49 . 2008-07-28 15:48 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-28 15:48 . 2008-07-28 15:56 <DIR> d-------- C:\Documents and Settings\Justin\.housecall6.6
2008-07-27 23:28 . 2008-07-27 23:28 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-27 23:28 . 2005-07-06 17:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-07-27 23:28 . 2005-07-06 17:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-07-23 15:31 . 2008-07-23 15:31 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 15:31 . 2008-07-23 15:31 <DIR> d-------- C:\Program Files\iPod
2008-07-23 15:30 . 2008-07-23 15:30 <DIR> d-------- C:\Program Files\QuickTime
2008-07-16 21:32 . 2008-07-16 21:41 70,656 --a------ C:\WINDOWS\ScUnin.exe
2008-07-16 21:32 . 2008-07-16 21:42 32,653 --a------ C:\WINDOWS\scunin.dat
2008-07-16 21:32 . 2008-07-16 21:41 967 --a------ C:\WINDOWS\ScUnin.pif
2008-07-16 21:31 . 2008-07-28 23:36 <DIR> d-------- C:\Program Files\Starcraft
2008-07-14 19:54 . 2008-07-14 19:54 <DIR> d-------- C:\Program Files\OpenAL
2008-07-14 19:49 . 2008-07-14 19:49 <DIR> d-------- C:\Program Files\Paradox Interactive
2008-07-07 14:48 . 2008-07-07 14:48 <DIR> d-------- C:\Program Files\Giant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 04:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-28 02:59 --------- d-----w C:\Documents and Settings\Justin\Application Data\uTorrent
2008-07-28 02:58 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-27 01:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 23:46 --------- d-----w C:\Program Files\Stardock
2008-06-29 23:46 --------- d-----w C:\Program Files\Common Files\Stardock
2008-06-28 02:31 --------- d-----w C:\Program Files\Razor
2008-06-23 01:17 --------- d-----w C:\Program Files\Creative Labs
2008-06-23 01:16 --------- d-----w C:\Program Files\EidosNet
2008-06-23 01:15 --------- d-----w C:\Program Files\Eidos Interactive
2008-06-21 18:35 --------- d-----w C:\Program Files\Square Soft, Inc
2008-06-20 17:16 --------- d-----w C:\Documents and Settings\Justin\Application Data\IceChat
2008-06-20 06:39 1,890 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-06-16 17:29 --------- d-----w C:\Program Files\Enterbrain
2008-06-16 17:28 --------- d-----w C:\Program Files\Common Files\Enterbrain
2008-06-16 17:27 --------- d-----w C:\Program Files\RPGMaker
2008-06-14 00:32 --------- d-----w C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-10 04:08 88 --sh--r C:\Documents and Settings\All Users\Application Data\4AC86BEDCA.sys
2007-12-17 18:32 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-11-14 14:57 21,281 ----a-w C:\Program Files\install.log
2007-08-09 17:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-03-30 10:57 1271032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-20 22:00 315392]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45 21464]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02 270336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]
.
Contents of the 'Scheduled Tasks' folder
2008-07-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-07-31 22:47:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-31 22:55:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 02:55:33
ComboFix2.txt 2008-07-31 19:59:22
ComboFix3.txt 2008-07-31 19:38:29
Pre-Run: 14,696,697,856 bytes free
Post-Run: 14,675,251,200 bytes free
170