
Thread: Smitfraud-C.CoreService & Virtumonde

  1. #1
    Junior Member
    Join Date
    Apr 2008
    Location
    So. IL
    Posts
    7

    Smitfraud-C.CoreService & Virtumonde

    I haven't been able to run the online virus check as advised (the pop-up windows seem to interfere with the scan and it doesn't progress) - and when I load into safe mode and run S&D it detects the infections but can't remove them - it instead hangs and hangs and eventually has to be terminated (I waited 45 minutes that last time just to make sure I wasn't being too impatient).

    The viruses detected are Virtumonde.dll, Virtumonde, Smitfraud-C.CoreService, and SpyHunter.

    I'm aware that SpyHunter is a program someone installed and we can remove it if necessary, but I think it was installed when the problems started and I don't believe it is responsible for the popups.

    HJT log attached - I ran it in normal Windows bootup, not safe mode; hope this is correct & THANKS!
    ====================
    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:45 PM, on 4/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {09AC1D95-F992-40AB-A192-D29B81EBC8E0} - (no file)
    O2 - BHO: (no name) - {120B82BC-0420-4242-A1EA-0F05C4512445} - C:\WINDOWS\system32\cbXPgEvV.dll (file missing)
    O2 - BHO: (no name) - {1D3B1E7A-6A76-45F0-8E0E-1E4BB0417707} - (no file)
    O2 - BHO: (no name) - {39D0C9C5-82FD-4B5D-9714-F986FC89EE37} - (no file)
    O2 - BHO: (no name) - {3C3A0C86-0106-4601-9F29-1FA7951A6FA7} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {58A0F295-A255-4E24-A499-0EB83874424E} - (no file)
    O2 - BHO: (no name) - {85C2A502-6A1B-4D2C-8286-FDB0CC148A86} - (no file)
    O2 - BHO: (no name) - {912102BB-78DC-416E-98A6-EFB46ED65060} - C:\WINDOWS\system32\jkkIAPIB.dll (file missing)
    O2 - BHO: {d50dde75-a333-f54a-83d4-c28068c07c5a} - {a5c70c86-082c-4d38-a45f-333a57edd05d} - C:\WINDOWS\system32\tnlnaage.dll (file missing)
    O2 - BHO: (no name) - {B28A402D-4F3B-4073-BD54-E7A4458778D9} - (no file)
    O2 - BHO: (no name) - {BEDD7628-410B-4174-B776-D0B7CDC50A6E} - C:\WINDOWS\system32\ljJCtrpQ.dll (file missing)
    O2 - BHO: (no name) - {CE0F3039-1A76-4321-9CA3-AEB5984C296A} - (no file)
    O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\iifcCtUn.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ace79974] rundll32.exe "C:\WINDOWS\system32\tuyopvgp.dll",b
    O4 - HKLM\..\Run: [BMafd4aae8] Rundll32.exe "C:\WINDOWS\system32\crysyxpf.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: Corel Registration.lnk.disabled
    O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
    O4 - Global Startup: CorelCENTRAL Alarms.LNK.disabled
    O4 - Global Startup: Desktop Application Director 9.LNK.disabled
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk.disabled
    O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://reports.expertpay.com/crysta...ivexviewer.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147982486781
    O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/dhs/con...rintengine.cab
    O16 - DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} (TimeTrackingV2.UserControl1) - https://timetracking.quickbooks.com/...TrackingV2.ocx
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://blackbaud.webex.com/client/v...ex/ieatgpc.cab
    O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://map.ezlistmls.com/PUBLICREPOR...pType=PrintCab
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: iifcCtUn - C:\WINDOWS\SYSTEM32\iifcCtUn.dll
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
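As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script run over lines copied from the HijackThis log above. It flags the entry classes that a Vundo/Virtumonde infection leaves in such a log and handles one known quirk: HijackThis 1.99.1 reports quoted service paths with arguments (the avast! entries) as "file missing" even though the binary is in the running process list. The sample lines are constructed from the log in this post; the severity labels and heuristics are assumptions of mine.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not thread or tool code).

Flags the entry classes the logs in this thread show for Vundo/Virtumonde:
  O2  BHOs with "(no name)" / "(no file)" / "(file missing)"
  O4  Run entries that launch a system32 DLL through rundll32
  O20 Winlogon Notify DLLs that are also registered as a BHO
  O23 services whose binary HijackThis could not find
A hit is something to look at, not proof of infection.
"""
import re

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {09AC1D95-F992-40AB-A192-D29B81EBC8E0} - (no file)
O2 - BHO: (no name) - {120B82BC-0420-4242-A1EA-0F05C4512445} - C:\WINDOWS\system32\cbXPgEvV.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\iifcCtUn.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ace79974] rundll32.exe "C:\WINDOWS\system32\tuyopvgp.dll",b
O4 - HKLM\..\Run: [BMafd4aae8] Rundll32.exe "C:\WINDOWS\system32\crysyxpf.dll",s
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: iifcCtUn - C:\WINDOWS\SYSTEM32\iifcCtUn.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: QuickBooksDB - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .dll/.exe; tolerates spaces and 8.3 names.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+?\.dll)"?', re.IGNORECASE)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def parse(log_text):
    """Return (set of running-process basenames, list of (code, body, raw))."""
    processes, entries, in_proc = set(), [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_proc = True
            continue
        if in_proc:
            if not line:            # blank line ends the process list
                in_proc = False
                continue
            processes.add(basename(line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return processes, entries


def triage(log_text):
    """Return findings as (code, severity, reason, raw_line) tuples."""
    processes, entries = parse(log_text)
    findings, bho_dlls = [], set()
    for code, body, raw in entries:
        if code == "O2":
            path = PATH_RE.search(body)
            if path:
                bho_dlls.add(basename(path.group(1)))
            if any(tag in body for tag in ("(no name)", "(no file)", "(file missing)")):
                findings.append((code, "suspect", "unnamed or orphaned BHO", raw))
        elif code == "O4":
            m = RUNDLL_RE.search(body)
            if m and "\\system32\\" in m.group(1).lower():
                findings.append((code, "suspect", "rundll32 loads a system32 DLL at logon", raw))
        elif code == "O23" and "(file missing)" in body:
            path = PATH_RE.search(body)
            if path and basename(path.group(1)) in processes:
                # HJT 1.99.1 reports quoted service paths with arguments as
                # missing even though the binary is running; downgrade.
                findings.append((code, "note", "binary reported missing but is running", raw))
            else:
                findings.append((code, "suspect", "service binary not found", raw))
    # Second pass: a DLL hooked into both IE (O2) and Winlogon (O20) is the
    # pattern shown by iifcCtUn.dll, which the ComboFix log in this thread deleted.
    for code, body, raw in entries:
        if code == "O20":
            path = PATH_RE.search(body)
            if path and basename(path.group(1)) in bho_dlls:
                findings.append((code, "suspect", "Winlogon Notify DLL is also a BHO", raw))
    return findings


if __name__ == "__main__":
    for code, sev, reason, raw in triage(SAMPLE_LOG):
        print(f"[{sev:7}] {code:<3} {reason}: {raw}")
```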

  2. #2
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624


    Hello

    Please visit this web page for instructions for downloading and running ComboFix

    http://www.bleepingcomputer.com/comb...o-use-combofix

    This includes installing the Windows XP Recovery Console in case you have not installed it yet.

    For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

    Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #3
    Junior Member
    Join Date
    Apr 2008
    Location
    So. IL
    Posts
    7


    Sorry for the delay.

    I don't know if it's worth mentioning, but when ComboFix rebooted my system, it automatically went into a scan of my D:\, and when it booted up a popup came up that said "The system has recovered from a serious error" and asked if I wanted to send a report to Microsoft.

    I did have to restart ComboFix twice (the first time the system hung during reboot, and the second time I don't think I had all the anti-virus software shut off properly and it hung up).

    Logs attached.
    ==================

    Logfile of HijackThis v1.99.1
    Scan saved at 02:57, on 2008-04-29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {120B82BC-0420-4242-A1EA-0F05C4512445} - C:\WINDOWS\system32\cbXPgEvV.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {912102BB-78DC-416E-98A6-EFB46ED65060} - C:\WINDOWS\system32\jkkIAPIB.dll (file missing)
    O2 - BHO: (no name) - {BEDD7628-410B-4174-B776-D0B7CDC50A6E} - C:\WINDOWS\system32\ljJCtrpQ.dll (file missing)
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: Corel Registration.lnk.disabled
    O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
    O4 - Global Startup: CorelCENTRAL Alarms.LNK.disabled
    O4 - Global Startup: Desktop Application Director 9.LNK.disabled
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk.disabled
    O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://reports.expertpay.com/crysta...ivexviewer.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147982486781
    O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/dhs/con...rintengine.cab
    O16 - DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} (TimeTrackingV2.UserControl1) - https://timetracking.quickbooks.com/...TrackingV2.ocx
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://blackbaud.webex.com/client/v...ex/ieatgpc.cab
    O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://map.ezlistmls.com/PUBLICREPOR...pType=PrintCab
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    =========================

    ComboFix 08-04-28.2 - start101 2008-04-29 14:37:58.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT -5:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\CPV
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\aHhiPqru.ini
    C:\WINDOWS\system32\aHhiPqru.ini2
    C:\WINDOWS\system32\apmeqbdu.dll
    C:\WINDOWS\system32\BIPAIkkj.ini
    C:\WINDOWS\system32\BIPAIkkj.ini2
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\drivers\atmlanee.sys
    C:\WINDOWS\system32\ebkogugg.ini
    C:\WINDOWS\system32\efcDtSMF.dll
    C:\WINDOWS\system32\fifrktcd.ini
    C:\WINDOWS\system32\FMStDcfe.ini
    C:\WINDOWS\system32\FMStDcfe.ini2
    C:\WINDOWS\system32\ggugokbe.dll
    C:\WINDOWS\system32\gnssbcit.ini
    C:\WINDOWS\system32\hlmnebgu.ini
    C:\WINDOWS\system32\iifcCtUn.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mlvjusiu.ini
    C:\WINDOWS\system32\mvclfvum.ini
    C:\WINDOWS\system32\nnnLcbcd.dll
    C:\WINDOWS\system32\NTAyycdd.ini
    C:\WINDOWS\system32\NTAyycdd.ini2
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pgvpoyut.ini
    C:\WINDOWS\system32\pljbfqsw.ini
    C:\WINDOWS\system32\QprtCJjl.ini
    C:\WINDOWS\system32\QprtCJjl.ini2
    C:\WINDOWS\system32\rqWGPXyb.ini
    C:\WINDOWS\system32\rqWGPXyb.ini2
    C:\WINDOWS\system32\sroxmtwa.ini
    C:\WINDOWS\system32\tdpldaft.ini
    C:\WINDOWS\system32\tfjcdgyc.ini
    C:\WINDOWS\system32\vdoljmco.ini
    C:\WINDOWS\system32\VvEgPXbc.ini
    C:\WINDOWS\system32\VvEgPXbc.ini2
    C:\WINDOWS\system32\whvagenp.dll
    C:\WINDOWS\system32\wvUljIyV.dll
    C:\WINDOWS\system32\wwwycccf.ini
    C:\WINDOWS\system32\wwwycccf.ini2
    C:\WINDOWS\system32\XFOWayay.ini
    C:\WINDOWS\system32\XFOWayay.ini2

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ATMLANEE
    -------\Service_atmlanee


    ((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
    .

    2008-04-29 11:12 . 2008-04-29 11:12 107,072 --a------ C:\WINDOWS\system32\tnlnaage.dll_old
    2008-04-28 16:30 . 2008-04-28 16:30 108,608 --a------ C:\WINDOWS\system32\wfalfnwi.dll_old
    2008-04-28 15:41 . 2008-04-28 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-28 15:40 . 2008-04-28 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-28 15:19 . 2008-04-28 15:19 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-04-28 09:09 . 2008-04-28 09:09 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-04-25 09:28 . 2008-04-25 09:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-04-24 12:13 . 2008-04-24 12:13 <DIR> d-------- C:\Program Files\CCleaner
    2008-04-24 11:48 . 2008-04-24 11:48 <DIR> d-------- C:\WINDOWS\system32\pnVes01
    2008-04-24 11:48 . 2008-04-24 11:48 <DIR> d-------- C:\Temp\zvebs14
    2008-04-24 11:48 . 2008-04-24 11:48 <DIR> d-------- C:\Temp\kvebs14
    2008-04-23 15:13 . 2008-04-25 15:38 <DIR> d-------- C:\VundoFix Backups
    2008-04-23 12:48 . 2008-04-23 12:48 <DIR> d-------- C:\Documents and Settings\user\Application Data\Comodo
    2008-04-23 12:48 . 2008-04-23 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2008-04-23 12:45 . 2004-11-09 15:12 220 --a------ C:\boot.ini.comodofirewall
    2008-04-23 12:44 . 2008-04-24 08:24 <DIR> d-------- C:\Program Files\Comodo
    2008-04-23 11:30 . 2008-04-28 10:36 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-04-23 11:30 . 2008-04-28 10:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-23 11:15 . 2008-04-23 11:15 148 --ah----- C:\aaw7boot.cmd
    2008-04-22 15:38 . 2008-04-29 12:27 1,236 --a------ C:\WINDOWS\wininit.ini
    2008-04-22 13:39 . 2008-04-22 13:39 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-22 13:38 . 2008-04-22 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-22 13:19 . 2008-04-22 13:19 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
    2008-04-22 10:35 . 2008-04-22 10:35 <DIR> d-------- C:\Program Files\Inet_Get_2
    2008-04-22 10:17 . 2008-04-29 13:44 109,770 --a------ C:\WINDOWS\BMafd4aae8.xml
    2008-04-22 10:13 . 2008-04-22 10:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\.purple
    2008-04-22 10:11 . 2008-04-22 10:11 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
    2008-04-22 10:11 . 2008-04-22 10:11 <DIR> d-------- C:\WINDOWS\system32\Vb1
    2008-04-22 10:11 . 2008-04-22 10:13 <DIR> d-------- C:\WINDOWS\system32\trcTMP
    2008-04-22 10:11 . 2008-04-24 13:51 <DIR> d-------- C:\WINDOWS\system32\slNew
    2008-04-22 10:11 . 2008-04-22 10:11 <DIR> d-------- C:\WINDOWS\system32\iTmp
    2008-04-22 10:11 . 2008-04-22 10:11 <DIR> d-------- C:\Temp\berDrv11
    2008-04-22 10:11 . 2008-04-22 10:11 209,031 --a------ C:\Temp\bPccE7001.exe
    2008-04-22 10:10 . 2008-04-22 10:10 <DIR> d-------- C:\Program Files\Common Files\GTK
    2008-04-21 11:16 . 2008-04-21 11:14 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-04-21 11:16 . 2008-04-21 11:16 2,544 --a------ C:\WINDOWS\unins000.dat
    2008-04-17 12:03 . 2008-04-17 12:03 78,960 --a------ C:\WINDOWS\system32\xceed_uninstaller.exe
    2008-04-17 12:02 . 2008-04-17 12:02 <DIR> d-------- C:\Program Files\Wagers And Associates
    2008-04-15 13:36 . 2008-04-15 13:36 <DIR> d-------- C:\Program Files\MozyHome
    2008-04-15 13:36 . 2008-01-04 18:47 52,728 --a------ C:\WINDOWS\system32\drivers\mozy.sys
    2008-04-15 13:36 . 2008-04-29 14:14 3,672 --a------ C:\WINDOWS\mozy.blk
    2008-04-15 13:36 . 2008-04-29 14:14 3,608 --a------ C:\WINDOWS\mozy.flt
    2008-04-11 09:48 . 2008-04-11 06:48 11,264 --a------ C:\WINDOWS\b138.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-29 13:20 --------- d-----w C:\Program Files\LogMeIn
    2008-04-28 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 16:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-22 18:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2007-06-07 17:46 60,968 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
    2005-04-28 19:21 2,449,408 ------w C:\Documents and Settings\user\gosetup.exe
    2004-10-27 21:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{120B82BC-0420-4242-A1EA-0F05C4512445}]
    C:\WINDOWS\system32\cbXPgEvV.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{912102BB-78DC-416E-98A6-EFB46ED65060}]
    C:\WINDOWS\system32\jkkIAPIB.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDD7628-410B-4174-B776-D0B7CDC50A6E}]
    C:\WINDOWS\system32\ljJCtrpQ.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
    2008-01-04 18:47 2389296 --a------ C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
    2008-01-04 18:47 2389296 --a------ C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-11 22:01 32881]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 22:55 180269]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
    "VTTimer"="VTTimer.exe" []
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 14:56 188416]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    Adobe Reader Speed Launch.lnk.disabled [2005-05-09 09:33:53 1799]
    America Online 9.0 Tray Icon.lnk.disabled [2004-10-18 14:56:43 873]
    Corel Registration.lnk.disabled [2004-10-13 15:51:25 960]
    CorelCENTRAL 9.LNK.disabled [2004-10-13 15:45:42 1996]
    CorelCENTRAL Alarms.LNK.disabled [2004-10-13 15:45:42 1979]
    Desktop Application Director 9.LNK.disabled [2004-10-13 15:45:42 1994]
    MozyHome Status.lnk - C:\Program Files\MozyHome\mozystat.exe [2008-04-15 13:36:04 1877296]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 08:00:46 972064]
    QuickBooks Update Agent.lnk.disabled [2005-11-16 16:23:37 2151]
    QuickBooks Web Connector.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2008-02-15 20:12:50 300320]
    Quicken Scheduled Updates.lnk.disabled [2005-03-08 12:34:21 717]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
    C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2005-12-06 16:47 10848 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-26 09:11 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\America Online 9.0\\waol.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
    R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys [2008-01-04 18:47]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]

    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-29 14:43:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\MozyHome\mozyshell.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\LogMeIn\x86\ramaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-29 14:49:09 - machine was rebooted [start101]
    ComboFix-quarantined-files.txt 2008-04-29 19:49:04

    Pre-Run: 56,809,787,392 bytes free
    Post-Run: 56,712,003,584 bytes free

    221 --- E O F --- 2008-04-24 17:11:10

  4. #4
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624

    Default

    Hello

    1. Close any open browsers.

    2. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    C:\WINDOWS\system32\tnlnaage.dll_old
    C:\WINDOWS\system32\wfalfnwi.dll_old
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\b138.exe
    C:\WINDOWS\BMafd4aae8.xml
    C:\Temp\bPccE7001.exe

    Folder::
    C:\WINDOWS\system32\pnVes01
    C:\Temp\zvebs14
    C:\Temp\kvebs14
    C:\WINDOWS\system32\xcsDd01
    C:\WINDOWS\system32\Vb1
    C:\WINDOWS\system32\trcTMP
    C:\WINDOWS\system32\slNew
    C:\WINDOWS\system32\iTmp
    C:\Temp\berDrv11

    Registry::

    Driver::
    Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





    Reboot and post a new HijackThis log
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  5. #5
    Junior Member
    Join Date
    Apr 2008
    Location
    So. IL
    Posts
    7

    Default

If you want the ComboFix log, let me know - I didn't want to post more than you needed.

    ================================
    Logfile of HijackThis v1.99.1
    Scan saved at 08:15, on 2008-04-30
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {120B82BC-0420-4242-A1EA-0F05C4512445} - C:\WINDOWS\system32\cbXPgEvV.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {912102BB-78DC-416E-98A6-EFB46ED65060} - C:\WINDOWS\system32\jkkIAPIB.dll (file missing)
    O2 - BHO: (no name) - {BEDD7628-410B-4174-B776-D0B7CDC50A6E} - C:\WINDOWS\system32\ljJCtrpQ.dll (file missing)
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: Corel Registration.lnk.disabled
    O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
    O4 - Global Startup: CorelCENTRAL Alarms.LNK.disabled
    O4 - Global Startup: Desktop Application Director 9.LNK.disabled
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk.disabled
    O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://reports.expertpay.com/crysta...ivexviewer.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147982486781
    O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/dhs/con...rintengine.cab
    O16 - DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} (TimeTrackingV2.UserControl1) - https://timetracking.quickbooks.com/...TrackingV2.ocx
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://blackbaud.webex.com/client/v...ex/ieatgpc.cab
    O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://map.ezlistmls.com/PUBLICREPOR...pType=PrintCab
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  6. #6
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624

    Default

Yeah, let's see the ComboFix log.

Also do this:


1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {120B82BC-0420-4242-A1EA-0F05C4512445} - C:\WINDOWS\system32\cbXPgEvV.dll (file missing)
    O2 - BHO: (no name) - {912102BB-78DC-416E-98A6-EFB46ED65060} - C:\WINDOWS\system32\jkkIAPIB.dll (file missing)
    O2 - BHO: (no name) - {BEDD7628-410B-4174-B776-D0B7CDC50A6E} - C:\WINDOWS\system32\ljJCtrpQ.dll (file missing)
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)


2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Reboot and post a new HijackThis log
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
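
The selection above (nameless O2 BHOs whose DLL is gone, plus the O18 handler whose DLL is gone) can be reproduced mechanically. The following is an added example written for this page, not code from the thread or from HijackThis; it assumes only the HijackThis 1.99.1 line shapes visible in the logs posted here, and its sample lines are copied from the log in post #5.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes HijackThis 1.99.1 uses for the entry types this thread deals with:
#   O2  - BHO: <name> - {CLSID} - <path> [(file missing)]
#   O18 - Protocol: <name> - {CLSID} - <path> [(file missing)]
#   O23 - Service: <name> - <owner> - <path> [(file missing)]
ENTRY_RE = re.compile(
    r"^(?P<section>O2|O18|O23) - (?P<kind>BHO|Protocol|Service): "
    r"(?P<name>.*?) - (?P<middle>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample lines copied from the HijackThis log posted in this thread (post #5).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {120B82BC-0420-4242-A1EA-0F05C4512445} - C:\WINDOWS\system32\cbXPgEvV.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {912102BB-78DC-416E-98A6-EFB46ED65060} - C:\WINDOWS\system32\jkkIAPIB.dll (file missing)
O2 - BHO: (no name) - {BEDD7628-410B-4174-B776-D0B7CDC50A6E} - C:\WINDOWS\system32\ljJCtrpQ.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""


@dataclass
class HjtEntry:
    section: str          # "O2", "O18" or "O23"
    name: str             # e.g. "(no name)", "qbwc", "avast! Mail Scanner"
    clsid: Optional[str]  # {GUID} for O2/O18; None for O23, where the owner sits there
    path: str             # the file HijackThis resolved for the entry
    file_missing: bool    # HijackThis could not find that file on disk
    raw: str              # the original line, for pasting back into a reply


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for line types not modelled here (R0/R1/O4/O9...)."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    middle = m.group("middle")
    return HjtEntry(
        section=m.group("section"),
        name=m.group("name"),
        clsid=middle if CLSID_RE.fullmatch(middle) else None,
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
        raw=line,
    )


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse a whole log, keeping only the O2/O18/O23 entries."""
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e is not None]


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Apply the selection the helper used in this thread: nameless O2 BHOs whose DLL
    is gone (registry residue left after ComboFix removed the files) and O18 protocol
    handlers whose DLL is gone. O23 service lines are parsed but deliberately not
    selected: the avast! lines here carry a stray quote and arguments in the path
    field, and the helper left them alone, so they need a manual look, not a fix."""
    out = []
    for e in entries:
        if e.section == "O2" and e.file_missing and e.name == "(no name)":
            out.append(e)
        elif e.section == "O18" and e.file_missing:
            out.append(e)
    return out


def fix_list(text: str) -> List[str]:
    """The raw lines to tick under 'Fix checked', in log order."""
    return [e.raw for e in orphaned_entries(parse_hjt_log(text))]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```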

  7. #7
    Junior Member
    Join Date
    Apr 2008
    Location
    So. IL
    Posts
    7

    Default

I suspect this is part of the script that we ran in ComboFix, but in case it's not: when my computer rebooted, my default printer booted as offline. Just FYI in case it's abnormal.

    =====================
    ComboFix 08-04-28.2 - start101 2008-04-30 7:55:18.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.238 [GMT -5:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\Temp\bPccE7001.exe
    C:\WINDOWS\b138.exe
    C:\WINDOWS\BMafd4aae8.xml
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\tnlnaage.dll_old
    C:\WINDOWS\system32\wfalfnwi.dll_old
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\berDrv11
    C:\Temp\berDrv11\fxpNbu.log
    C:\Temp\bPccE7001.exe
    C:\Temp\kvebs14
    C:\Temp\kvebs14\zvKarru.log
    C:\Temp\zvebs14
    C:\WINDOWS\b138.exe
    C:\WINDOWS\BMafd4aae8.xml
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\iTmp
    C:\WINDOWS\system32\pnVes01
    C:\WINDOWS\system32\pnVes01\pnVes011065.exe
    C:\WINDOWS\system32\slNew
    C:\WINDOWS\system32\tnlnaage.dll_old
    C:\WINDOWS\system32\trcTMP
    C:\WINDOWS\system32\Vb1
    C:\WINDOWS\system32\wfalfnwi.dll_old
    C:\WINDOWS\system32\xcsDd01
    C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
    .

    2008-04-28 15:41 . 2008-04-28 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-28 15:40 . 2008-04-28 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-28 09:09 . 2008-04-28 09:09 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-04-25 09:28 . 2008-04-25 09:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-04-24 12:13 . 2008-04-24 12:13 <DIR> d-------- C:\Program Files\CCleaner
    2008-04-23 15:13 . 2008-04-25 15:38 <DIR> d-------- C:\VundoFix Backups
    2008-04-23 12:48 . 2008-04-23 12:48 <DIR> d-------- C:\Documents and Settings\user\Application Data\Comodo
    2008-04-23 12:48 . 2008-04-23 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2008-04-23 12:45 . 2004-11-09 15:12 220 --a------ C:\boot.ini.comodofirewall
    2008-04-23 12:44 . 2008-04-24 08:24 <DIR> d-------- C:\Program Files\Comodo
    2008-04-23 11:30 . 2008-04-28 10:36 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-04-23 11:30 . 2008-04-28 10:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-23 11:15 . 2008-04-23 11:15 148 --ah----- C:\aaw7boot.cmd
    2008-04-22 15:38 . 2008-04-29 12:27 1,236 --a------ C:\WINDOWS\wininit.ini
    2008-04-22 13:39 . 2008-04-22 13:39 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-22 13:38 . 2008-04-22 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-22 13:19 . 2008-04-22 13:19 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
    2008-04-22 10:35 . 2008-04-22 10:35 <DIR> d-------- C:\Program Files\Inet_Get_2
    2008-04-22 10:13 . 2008-04-22 10:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\.purple
    2008-04-22 10:10 . 2008-04-22 10:10 <DIR> d-------- C:\Program Files\Common Files\GTK
    2008-04-21 11:16 . 2008-04-21 11:14 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-04-21 11:16 . 2008-04-21 11:16 2,544 --a------ C:\WINDOWS\unins000.dat
    2008-04-17 12:03 . 2008-04-17 12:03 78,960 --a------ C:\WINDOWS\system32\xceed_uninstaller.exe
    2008-04-17 12:02 . 2008-04-17 12:02 <DIR> d-------- C:\Program Files\Wagers And Associates
    2008-04-15 13:36 . 2008-04-15 13:36 <DIR> d-------- C:\Program Files\MozyHome
    2008-04-15 13:36 . 2008-01-04 18:47 52,728 --a------ C:\WINDOWS\system32\drivers\mozy.sys
    2008-04-15 13:36 . 2008-04-29 14:14 3,672 --a------ C:\WINDOWS\mozy.blk
    2008-04-15 13:36 . 2008-04-29 14:14 3,608 --a------ C:\WINDOWS\mozy.flt

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-30 12:47 --------- d-----w C:\Program Files\LogMeIn
    2008-04-28 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 16:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-22 18:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-07 17:46 60,968 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
    2005-04-28 19:21 2,449,408 ------w C:\Documents and Settings\user\gosetup.exe
    2004-10-27 21:14 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{120B82BC-0420-4242-A1EA-0F05C4512445}]
    C:\WINDOWS\system32\cbXPgEvV.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{912102BB-78DC-416E-98A6-EFB46ED65060}]
    C:\WINDOWS\system32\jkkIAPIB.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDD7628-410B-4174-B776-D0B7CDC50A6E}]
    C:\WINDOWS\system32\ljJCtrpQ.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
    2008-01-04 18:47 2389296 --a------ C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
    2008-01-04 18:47 2389296 --a------ C:\Program Files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-11 22:01 32881]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 22:55 180269]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
    "VTTimer"="VTTimer.exe" []
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-03 14:56 188416]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    Adobe Reader Speed Launch.lnk.disabled [2005-05-09 09:33:53 1799]
    America Online 9.0 Tray Icon.lnk.disabled [2004-10-18 14:56:43 873]
    Corel Registration.lnk.disabled [2004-10-13 15:51:25 960]
    CorelCENTRAL 9.LNK.disabled [2004-10-13 15:45:42 1996]
    CorelCENTRAL Alarms.LNK.disabled [2004-10-13 15:45:42 1979]
    Desktop Application Director 9.LNK.disabled [2004-10-13 15:45:42 1994]
    MozyHome Status.lnk - C:\Program Files\MozyHome\mozystat.exe [2008-04-15 13:36:04 1877296]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 08:00:46 972064]
    QuickBooks Update Agent.lnk.disabled [2005-11-16 16:23:37 2151]
    QuickBooks Web Connector.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2008-02-15 20:12:50 300320]
    Quicken Scheduled Updates.lnk.disabled [2005-03-08 12:34:21 717]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
    C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2005-12-06 16:47 10848 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-26 09:11 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\America Online 9.0\\waol.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
    R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys [2008-01-04 18:47]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 14:00]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]

    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-30 08:00:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\MozyHome\mozyshell.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\LogMeIn\x86\ramaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-30 8:05:59 - machine was rebooted [start101]
    ComboFix-quarantined-files.txt 2008-04-30 13:05:52
    ComboFix2.txt 2008-04-29 19:49:10

    Pre-Run: 56,675,426,304 bytes free
    Post-Run: 56,677,400,576 bytes free

    178 --- E O F --- 2008-04-24 17:11:10

  8. #8
    Junior Member
    Join Date
    Apr 2008
    Location
    So. IL
    Posts
    7

    Default

    Logfile of HijackThis v1.99.1
    Scan saved at 08:56, on 2008-04-30
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: Corel Registration.lnk.disabled
    O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
    O4 - Global Startup: CorelCENTRAL Alarms.LNK.disabled
    O4 - Global Startup: Desktop Application Director 9.LNK.disabled
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk.disabled
    O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://reports.expertpay.com/crysta...ivexviewer.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147982486781
    O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://reports.illinois.gov/dhs/con...rintengine.cab
    O16 - DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} (TimeTrackingV2.UserControl1) - https://timetracking.quickbooks.com/...TrackingV2.ocx
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://blackbaud.webex.com/client/v...ex/ieatgpc.cab
    O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://map.ezlistmls.com/PUBLICREPOR...pType=PrintCab
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 7.0\HelpAsyncPluggableProtocol.dll
    O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: QuickBooksDB - Unknown owner - C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  9. #9
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,624

    Default

    Looking good

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    Also, tell me how your PC is running.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  10. #10
    Junior Member
    Join Date
    Apr 2008
    Location
    So. IL
    Posts
    7

    Default

    Computer is running much better - no popups today (I've tried both Mozilla and IE). Since I ran the most recent fix my browser speed is up - earlier this morning I had to switch to Yahoo Classic, which has been an ongoing problem since these bugs started, and just now when I logged on to respond it went right into Yahoo Mail with chat.

    You've been super helpful! Log attached:
    =============================================
    Malwarebytes' Anti-Malware 1.11
    Database version: 701

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 113933
    Time elapsed: 47 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 36

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Inet_Get_2 (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    C:\QooBox\Quarantine\C\Temp\bPccE7001.exe.vir (Trojan.Downloader-) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\efcDtSMF.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\iifcCtUn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\nnnLcbcd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\wvUljIyV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\pnVes01\pnVes011065.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\xcsDd01\xcsDd011065.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP844\A0054873.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP845\A0055083.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP845\A0055146.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP845\A0055147.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP850\A0055645.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055897.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055898.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055900.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055901.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055903.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055904.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055905.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055966.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055967.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055992.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP852\A0056258.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP852\A0056313.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP853\A0056466.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP853\A0056510.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP854\A0058578.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP854\A0058579.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP854\A0058581.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP854\A0058608.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP855\A0059687.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP855\A0059688.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP855\A0059689.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\VundoFix Backups\gkpyqipv.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\VundoFix Backups\rqgxnrsp.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.

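When a thread like this one ends with a long MBAM log, the useful triage question is not the raw count but where the detections sit: copies inside System Restore points and inside earlier tools' quarantine folders are not running code, whereas anything elsewhere still needs a look. The script below is an added example written for this page, not part of the forum post or of Malwarebytes; it parses the MBAM 1.x log format shown above, checks the summary block against the detail blocks, and buckets each path. The embedded log is a constructed subset of the posted log with its summary counts trimmed to match; the statement that QooBox is ComboFix's quarantine folder and "VundoFix Backups" is VundoFix's is the editor's knowledge, not something the page states.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) scan log and summarize it.

Constructed example: SAMPLE_LOG is a subset of the lines from the forum post
above, with the summary counts trimmed so that they match the subset.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.11
Database version: 701

Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 4

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Inet_Get_2 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\efcDtSMF.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP851\A0055897.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C0E2EABD-FCC5-4B0F-91CB-7D32E5E4A677}\RP852\A0056258.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\VundoFix Backups\gkpyqipv.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "Files Infected: 36" (summary block) vs "Files Infected:" (detail header).
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path or key> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (declared_counts, items_by_section).

    declared_counts: {section: int} taken from the summary block.
    items_by_section: {section: [(item, family, action), ...]} from the detail blocks.
    """
    declared = {}
    items = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            items.setdefault(section, [])  # keep empty sections visible
            continue
        if section and line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items[section].append((m.group("item"), m.group("family"), m.group("action")))
    return declared, dict(items)


def classify_location(path):
    """Bucket a file or folder path by what its presence means to the analyst.

    system_restore_point:  a copy kept by Windows System Restore, not a running file.
    prior_tool_quarantine: already neutralised by an earlier tool (QooBox is
                           ComboFix's quarantine, "VundoFix Backups" is VundoFix's;
                           editor's knowledge, not stated in the thread).
    live:                  anywhere else; these are the detections worth attention.
    """
    p = path.lower()
    if p.startswith(r"c:\system volume information\_restore"):
        return "system_restore_point"
    if "\\qoobox\\quarantine\\" in p or "\\vundofix backups\\" in p:
        return "prior_tool_quarantine"
    return "live"


def summarize(text):
    """Counts per malware family and per location, plus any summary/detail mismatch."""
    declared, items = parse_mbam_log(text)
    families, locations, mismatches = Counter(), Counter(), {}
    for section, entries in items.items():
        for item, family, _action in entries:
            families[family] += 1
            if section in ("Folders Infected", "Files Infected"):
                locations[classify_location(item)] += 1
        if section in declared and declared[section] != len(entries):
            mismatches[section] = (declared[section], len(entries))
    return {"families": families, "locations": locations, "mismatches": mismatches}


def live_items(text):
    """Folder and file detections outside restore points and old quarantines."""
    _declared, items = parse_mbam_log(text)
    return [item
            for section in ("Folders Infected", "Files Infected")
            for item, _family, _action in items.get(section, [])
            if classify_location(item) == "live"]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("families:  ", dict(s["families"]))
    print("locations: ", dict(s["locations"]))
    print("mismatches:", s["mismatches"] or "none (summary matches detail blocks)")
    print("live:      ", live_items(SAMPLE_LOG))
```

Run against the full log in the post, the same script reports that every file detection is either a System Restore copy or a remnant in an earlier tool's quarantine, and that the one live item is the `C:\Program Files\Inet_Get_2` folder; a non-empty `mismatches` result would indicate a truncated or hand-edited log.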