My machine has Virtumonde problems



cmoyden
2007-12-29, 10:58
Hi,
Spybot S&D is throwing up several Virtumonde problems which it tells me it has fixed but they keep coming back. Here is the HJT scan report.
I have the Kaspersky scan report too if you need it but it would not fit into the one post.

Thanks in advance for your help.
Cheers

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:05:30, on 29/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SJLabs\SJphone\SJphone.exe
C:\Program Files\WinTV\Scheduler\EPG\TvTv\HcwSyncIt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPGServiceTool] C:\Program Files\WinTV\EPG Services\System\EPGClient.exe /Minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: HcwSyncIt.lnk = C:\Program Files\WinTV\Scheduler\EPG\TvTv\HcwSyncIt.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SJphone.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SIM Card Manager - {5F2F8F24-DA89-4DD2-AFB3-F516D4CD6558} - C:\Program Files\emobile\SIM Card Manager.exe
O9 - Extra 'Tools' menuitem: SIM Card Manager - {5F2F8F24-DA89-4DD2-AFB3-F516D4CD6558} - C:\Program Files\emobile\SIM Card Manager.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O18 - Protocol: t-mobile - {C6D89159-3467-4C2F-9918-3362DA57BCD2} - C:\PROGRA~1\T-Mobile\HOTSPO~1\TMOBIL~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6921 bytes

cmoyden
2007-12-29, 21:50
Hi guys,
I was hoping to have heard from someone by now and really needed to get my machine sorted out. Whilst waiting for a response I have tried a few things that have really helped, I think.

I would like help now to check that all is now well with my system and that I have the right tools installed to keep it that way.

Here's what I have done since posting this HJT report:

1. Downloaded and ran ComboFix which seemed to clear all of the Virtumonde issues.
2. I then ran Spybot which found a couple of minor issues which it was able to remove. I then ran it a couple more times and it found no problems both times. I made a log file for the results.
3. Downloaded and ran AVG and made a log file
4. Re-ran HJT and made a log file
5. Re-ran Kaspersky and made a log file.

I have since followed all of the tips on your sticky "so how did I get infected in the first place" and think I have completed all tasks and installs that were listed there.

Here are all the log files:

ComboFix 07-12-21.4 - Accelerate 1 2007-12-29 13:48:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.514 [GMT 0:00]
Running from: C:\Documents and Settings\Accelerate 1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UPCTP_0001_91M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe
C:\WINDOWS\system32\__c009C0ED.dll
C:\WINDOWS\system32\__c009C0ED.exe
C:\WINDOWS\system32\_000103_.tmp.dll
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 11:05 . 2007-12-29 11:07 <DIR> d-------- C:\Documents and Settings\Accelerate 1\Application Data\AVG7
2007-12-29 11:04 . 2007-12-29 11:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-29 11:04 . 2007-12-29 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 11:04 . 2007-12-29 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-29 04:04 . 2007-12-29 04:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 22:38 . 2007-12-28 22:38 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-28 22:38 . 2007-12-29 13:57 31,767 --ah----- C:\WINDOWS\system32\vsconfig.xml
2007-12-28 22:38 . 2007-12-28 22:40 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-12-28 22:18 . 2007-12-29 01:34 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-28 22:03 . 2007-12-28 22:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-28 22:03 . 2005-02-25 03:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-28 22:01 . 2007-12-28 22:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-28 22:00 . 2007-12-28 22:00 <DIR> d-------- C:\WINDOWS\system32\bits
2007-12-28 15:55 . 2007-12-28 15:55 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-12-28 13:37 . 2007-12-28 14:36 1,031,199 --ahs---- C:\WINDOWS\system32\khfcbobl.ini
2007-12-27 08:59 . 2007-12-28 13:18 1,027,849 --ahs---- C:\WINDOWS\system32\ankgqdyv.ini
2007-12-24 10:54 . 2007-12-27 08:53 989,987 --ahs---- C:\WINDOWS\system32\ftelgvde.ini
2007-12-23 10:47 . 2007-12-24 10:48 989,867 --ahs---- C:\WINDOWS\system32\ctcmkpoh.ini
2007-12-22 21:21 . 2007-12-22 21:21 <DIR> d-------- C:\Program Files\AnswersThatWork
2007-12-22 21:21 . 2007-06-08 13:53 1,753,088 --a------ C:\WINDOWS\system32\ExGrid.dll
2007-12-22 21:21 . 2007-04-03 16:51 614,400 --a------ C:\WINDOWS\system32\ExButton.dll
2007-12-22 21:21 . 2007-06-05 10:20 602,112 --a------ C:\WINDOWS\system32\ExMenu.dll
2007-12-22 21:21 . 2007-06-05 10:19 516,096 --a------ C:\WINDOWS\system32\ExTab.dll
2007-12-22 21:21 . 1998-04-24 00:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-12-22 21:21 . 2005-10-11 14:40 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll
2007-12-22 21:21 . 2007-04-03 16:51 307,200 --a------ C:\WINDOWS\system32\ExPMenu.dll
2007-12-22 21:21 . 2005-10-04 08:11 118,784 --a------ C:\WINDOWS\system32\eWebControl.dll
2007-12-22 00:00 . 2007-12-22 21:28 991,662 --ahs---- C:\WINDOWS\system32\ljwcvpwq.ini
2007-12-17 21:31 . 2007-12-17 21:32 1,283,960 --a------ C:\Install
2007-12-17 20:45 . 2007-12-21 23:53 971,069 --ahs---- C:\WINDOWS\system32\wqpgxtel.ini
2007-12-14 13:11 . 2007-12-17 20:36 941,765 --ahs---- C:\WINDOWS\system32\jrllrflm.ini
2007-12-13 10:06 . 2007-12-14 13:11 941,645 --ahs---- C:\WINDOWS\system32\dksxbjsg.ini
2007-12-12 20:52 . 2007-12-12 20:52 1,460,814 --a------ C:\WINDOWS\system32\Anfield.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 13:57 --------- d-----w C:\Program Files\WinTV
2007-12-28 20:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 14:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-09 20:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1204c4eb-9290-4c0e-a210-759855d669c4}]
C:\WINDOWS\System32\qbqhcipk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B06901C0-736E-4C01-9C29-B50A4C592744}]
C:\WINDOWS\System32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 02:41]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 20:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-27 10:27]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 15:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-06-24 14:16]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 14:49]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"EPGServiceTool"="C:\Program Files\WinTV\EPG Services\System\EPGClient.exe" [2006-11-28 16:07]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 12:20]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 11:04]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 02:41]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 14:58]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 11:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxwww]
byxxwww.dll

R2 EPGService;EPGService;C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe [2006-11-28 17:17]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys [2005-06-10 05:55]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\System32\AWINDIS5.SYS [2002-04-11 17:43]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS []
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\System32\DRIVERS\gtf32bus.sys [2005-09-01 16:54]
S3 GTPTSER;GT PT SER;C:\WINDOWS\System32\DRIVERS\gtptser.sys [2005-09-01 16:54]
S3 GTSCSER;GT SC SER;C:\WINDOWS\System32\DRIVERS\gtscser.sys [2005-08-29 14:45]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;C:\WINDOWS\System32\Drivers\hcw95bda.sys [2006-12-14 23:18]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;C:\WINDOWS\System32\DRIVERS\hcw95rc.sys [2006-12-14 23:22]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\WG511ICB.sys []
S3 Reader_Device;SmartCard Reader Device ;C:\WINDOWS\System32\DRIVERS\usbic2k.sys []
S3 W8335XP;Marvell Libertas 802.11b/g Driver for Windows XP (8335);C:\WINDOWS\System32\DRIVERS\Mrvw125.sys [2005-09-09 20:14]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 13:57:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 13:58:46 - machine was rebooted

cmoyden
2007-12-29, 21:52
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :29 December 2007 16:15:38
Created with Ad-aware Personal, free for private use.
Using reference-file :01R298 20.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


29-12-2007 16:15:38 - Scan started. (Custom mode)


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

16:23:20 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:07:42:365
Objects scanned :88022
Objects identified :0
Objects ignored :0
New objects :0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:04:07, on 29/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: {4c966d55-8957-012a-e0c4-0929be4c4021} - {1204c4eb-9290-4c0e-a210-759855d669c4} - C:\WINDOWS\System32\qbqhcipk.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B06901C0-736E-4C01-9C29-B50A4C592744} - C:\WINDOWS\System32\geedd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPGServiceTool] C:\Program Files\WinTV\EPG Services\System\EPGClient.exe /Minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SIM Card Manager - {5F2F8F24-DA89-4DD2-AFB3-F516D4CD6558} - C:\Program Files\emobile\SIM Card Manager.exe
O9 - Extra 'Tools' menuitem: SIM Card Manager - {5F2F8F24-DA89-4DD2-AFB3-F516D4CD6558} - C:\Program Files\emobile\SIM Card Manager.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198924018699
O18 - Protocol: t-mobile - {C6D89159-3467-4C2F-9918-3362DA57BCD2} - C:\PROGRA~1\T-Mobile\HOTSPO~1\TMOBIL~1.DLL
O20 - Winlogon Notify: byxxwww - byxxwww.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6883 bytes
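A triage script for the two kinds of log posted above, added here as an example; it is not part of the thread and is not code from HijackThis, ComboFix or Spybot. It parses HijackThis O2/O16/O20 lines and ComboFix "Files Created" lines and flags the residue pattern that is visible in cmoyden's logs: BHO and Winlogon Notify load points whose file is reported "(file missing)", modules with generated-looking names such as qbqhcipk.dll and byxxwww.dll, hidden+system .ini files with eight-letter names in System32 (khfcbobl.ini, ankgqdyv.ini and so on), and ActiveX downloads (O16 DPF) from hosts not on an allowlist. The allowlist, the KNOWN_GOOD set, the randomness heuristic and the sample lines are assumptions and constructions made for this example; a flagged line is a candidate for manual review, not a verdict.

```python
"""Triage helper for HijackThis and ComboFix output (added example, not part
of the thread or of either tool). The heuristics, the allowlist and the sample
lines below are assumptions chosen to match the residue visible in the logs."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

VOWELS = set("aeiou")
MODULE = re.compile(r"([A-Za-z0-9_]+)\.(dll|ocx)\b")
# ComboFix "Files Created" line: hidden+system .ini with an eight-letter
# generated name in System32 (assumed pattern, taken from the log above).
HIDDEN_INI = re.compile(r"--ahs----\s+C:\\WINDOWS\\system32\\([a-z]{8})\.ini$", re.I)
# Assumed allowlist: hosts whose ActiveX downloads (O16 DPF) are expected here.
DPF_ALLOW = {"www.update.microsoft.com", "www.kaspersky.com"}
# Short lowercase Windows names that would otherwise trip the randomness test.
KNOWN_GOOD = {"ctfmon", "msdxm", "ntdll"}


def looks_random(stem: str) -> bool:
    """Vundo-style generated names (qbqhcipk, byxxwww): 5-8 lowercase letters
    with no vowel at all, or a run of four or more consonants. Heuristic only."""
    stem = stem.lower()
    if stem in KNOWN_GOOD or not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    if not any(c in VOWELS for c in stem):
        return True
    return re.search(r"[^aeiou]{4,}", stem) is not None


def triage_line(line: str) -> List[str]:
    """Reasons (possibly none) that one HijackThis line deserves a closer look."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0].strip()
    if kind in ("O2", "O20"):
        if "(file missing)" in line:
            reasons.append("load point survives but its file is gone (cleanup left the registry entry)")
        modules = MODULE.findall(line)
        if modules and looks_random(modules[-1][0]):
            reasons.append("random-looking module name %s.%s" % modules[-1])
        if kind == "O2" and re.search(r"BHO: \{[0-9a-f-]{36}\}", line, re.I):
            reasons.append("BHO advertises a GUID instead of a product name")
        if kind == "O20":
            reasons.append("non-default Winlogon Notify DLL (loaded into winlogon.exe at logon)")
    elif kind == "O16":
        url = re.search(r"https?://\S+", line)
        host = urlparse(url.group(0)).hostname if url else None
        if host not in DPF_ALLOW:
            reasons.append("ActiveX download from unlisted host %s" % host)
    return reasons


def triage(hjt_text: str) -> List[Tuple[str, List[str]]]:
    """Return only the lines that tripped at least one rule, with their reasons."""
    out = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


def hidden_ini_candidates(combofix_text: str) -> List[str]:
    """Stems of hidden+system .ini files with generated names, from ComboFix output."""
    found = []
    for raw in combofix_text.splitlines():
        m = HIDDEN_INI.search(raw.strip())
        if m and looks_random(m.group(1)):
            found.append(m.group(1))
    return found


# Constructed samples in the shape of the thread's logs, with clean lines for
# contrast; not a verbatim copy of either log.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: {4c966d55-8957-012a-e0c4-0929be4c4021} - {1204c4eb-9290-4c0e-a210-759855d669c4} - C:\WINDOWS\System32\qbqhcipk.dll (file missing)
O2 - BHO: (no name) - {B06901C0-736E-4C01-9C29-B50A4C592744} - C:\WINDOWS\System32\geedd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab
O20 - Winlogon Notify: byxxwww - byxxwww.dll (file missing)
"""
SAMPLE_COMBOFIX = r"""
2007-12-28 22:38 . 2007-12-29 13:57 31,767 --ah----- C:\WINDOWS\system32\vsconfig.xml
2007-12-28 13:37 . 2007-12-28 14:36 1,031,199 --ahs---- C:\WINDOWS\system32\khfcbobl.ini
2007-12-27 08:59 . 2007-12-28 13:18 1,027,849 --ahs---- C:\WINDOWS\system32\ankgqdyv.ini
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT):
        print(line[:70], "->", "; ".join(reasons))
    print("hidden ini stems:", hidden_ini_candidates(SAMPLE_COMBOFIX))
```

Run it against a saved HJT log by passing the file's text to triage(). The "(no name)" BHO alone is deliberately not a rule, because legitimate helpers such as Spybot's SDHelper.dll show up that way too; the rules fire on the combination of a missing file, a generated-looking name, or a GUID where a product name belongs. One pairing the script does not attempt but which is worth noticing in the ComboFix deletions list above: ddeeg.ini is the name of the geedd.dll BHO reversed.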

cmoyden
2007-12-29, 21:55
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 29, 2007 5:51:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/12/2007
Kaspersky Anti-Virus database records: 499833
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 44175
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:56:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Accelerate 1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\History\History.IE5\MSHist012007122920071230\index.dat Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\temp\~DF19A2.tmp Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\temp\~DF9499.tmp Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\temp\~DF97E9.tmp Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\temp\~DFAAD.tmp Object is locked skipped
C:\Documents and Settings\Accelerate 1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Accelerate 1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Accelerate 1\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Accelerate 1\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UPCTP_0001_91M1101NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP265\A0032561.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP266\A0032621.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP266\A0032624.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP267\A0032692.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP268\A0033695.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP268\A0033713.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033968.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033969.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033970.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033971.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033972.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033974.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033975.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033976.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP272\A0033977.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034213.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034214.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034218.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034219.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034220.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034221.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034222.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034223.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034224.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034225.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034226.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034227.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034228.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034229.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034230.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034231.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034232.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034233.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034234.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034235.dll Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP284\A0034236.exe Object is locked skipped
C:\System Volume Information\_restore{13294A19-0123-409B-BD8E-0322C0D1CDF6}\RP286\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UPCTP_0001_91M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\WINDOWS\Internet Logs\ACCELERATE1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT00e1e.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


I am now hoping I have done all the right things to clean my system up and install the tools to keep it clean.

As experts in this field I would welcome your having a look over the files and letting me know if I am now safe again?

Thanks in advance

cmoyden
2007-12-30, 12:59
Hi all,
I'm not sure why it is you guys have decided not to take a look at my post and help me out - I'm pretty disappointed!

I was hoping you may have at least contacted me to offer some help.

Perhaps Spybot is not the tool for me!

Underwhelmed
