
Thread: Help! Another Virtumonde problem (and 3 viruses?)

  1. #1
    Junior Member
    Join Date
    May 2008
    Posts
    20


    Hello. I hope someone can help. On running Spybot it now freezes at the following point: "Running bot-check (128840/150537: Virtumonde.dll)". The scan moves no further and I have to use Task Manager to quit the application. I have run the Kaspersky on-line virus scanner and it states I have 3 viruses. AVG does not pick these up! I have read the previous thread posted by griffin 99 on 07/05/08 and have run avz4, but when I try to attach the AVZ4 .htm log I am told it is an invalid file type. HJT and Kaspersky logs below. Any help would be very much appreciated. Many thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:40:35, on 11/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Windows Live\Family Safety\fsssvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Windows Live\Family Safety\fssui.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe
    C:\Program Files\My Kazaa Gold\giFT\giFTl.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Live Toolbar\msn_sl.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
    O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/Tec...cueControl.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197411738875
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    --
    End of file - 9872 bytes

    ----------------------------------------

    KASPERSKY ONLINE SCANNER REPORT
    Sunday, May 11, 2008 3:05:07 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 11/05/2008
    Kaspersky Anti-Virus database records: 755935
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 97082
    Number of viruses found: 3
    Number of infected objects: 14
    Number of suspicious objects: 29
    Duration of the scan process: 01:32:06

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Rose\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
    C:\Documents and Settings\Rose\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Identities\{FCEBE413-7EA6-475F-9644-A6FA947415C9}\Microsoft\Outlook Express\Ebay-Paypal (1).dbx/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Identities\{FCEBE413-7EA6-475F-9644-A6FA947415C9}\Microsoft\Outlook Express\Ebay-Paypal (1).dbx/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Identities\{FCEBE413-7EA6-475F-9644-A6FA947415C9}\Microsoft\Outlook Express\Ebay-Paypal (1).dbx MailMSOutlook5: suspicious - 2 skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Ebay-Paypal\61AE5012-0000005D.eml/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Ebay-Paypal\61AE5012-0000005D.eml/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\Documents and Settings\Rose\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Ebay-Paypal\61AE5012-0000005D.eml Mail: suspicious - 2 skipped
    C:\Documents and Settings\Rose\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Temp\~DF4A34.tmp Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Temp\~DF4A3F.tmp Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Rose\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Rose\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Rose\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock Object is locked skipped
    C:\Program Files\My Kazaa Gold\giFT\conf\giftd.log Object is locked skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc104.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc104.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc104.bak MailMSOutlook5: suspicious - 2 skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc151.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc151.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc151.bak MailMSOutlook5: suspicious - 2 skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc191.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc198.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc198.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc198.bak MailMSOutlook5: suspicious - 2 skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc236.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc236.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc236.bak MailMSOutlook5: suspicious - 2 skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc25.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc25.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc25.bak MailMSOutlook5: suspicious - 2 skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc290.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc290.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc290.bak MailMSOutlook5: suspicious - 2 skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc62.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc62.bak/[From "eBay" <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc62.bak MailMSOutlook5: suspicious - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{5D4641A4-9BA3-4DC4-AE5C-839C4C458301}\RP174\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{1532154B-7A1A-437B-B456-5FE5EBB41698}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    F:\mail backup\Terrastar.dbx/[From "daugustine" <daugustine@email.msn.com>][Date Thu, 2 Mar 2000 16:35:29 -0800]/UNNAMED/A-Z Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "daugustine" <daugustine@email.msn.com>][Date Thu, 2 Mar 2000 16:35:29 -0800]/UNNAMED Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "david augustine" <dmaugustine@hotmail.com>][Date Mon, 29 May 2000 09:35:49 PDT]/UNNAMED/DELTA.003.doc Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "david augustine" <dmaugustine@hotmail.com>][Date Mon, 29 May 2000 09:35:49 PDT]/UNNAMED Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "David Evans" <dpe@azleisure.com>][Date Tue, 30 May 2000 21:30:30 +0100]/UNNAMED/DELTA.003.doc Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "David Evans" <dpe@azleisure.com>][Date Tue, 30 May 2000 21:30:30 +0100]/UNNAMED Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "david augustine" <dmaugustine@hotmail.com>][Date Wed, 14 Jun 2000 02:07:36 PDT]/UNNAMED/DELTA.003.doc Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "david augustine" <dmaugustine@hotmail.com>][Date Wed, 14 Jun 2000 02:07:36 PDT]/UNNAMED Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "David Evans" <dpe@azleisure.com>][Date Wed, 14 Jun 2000 15:33:06 +0200]/UNNAMED/DELTA.003.doc Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "David Evans" <dpe@azleisure.com>][Date Wed, 14 Jun 2000 15:33:06 +0200]/UNNAMED Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "david augustine" <dmaugustine@hotmail.com>][Date Wed, 19 Jul 2000 07:42:23 PDT]/UNNAMED/DELTA.003.doc Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx/[From "david augustine" <dmaugustine@hotmail.com>][Date Wed, 19 Jul 2000 07:42:23 PDT]/UNNAMED Infected: Virus.MSWord.Ethan skipped
    F:\mail backup\Terrastar.dbx MailMSOutlook5: infected - 12 skipped
    F:\mail backup\Ebay-Paypal.dbx/[From eBay <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    F:\mail backup\Ebay-Paypal.dbx MailMSOutlook5: suspicious - 1 skipped

    Scan process completed.
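    As an added example (it is not part of the original post, nor code from HijackThis, Kaspersky or any other tool named in this thread), here is a small Python parser for the two log formats quoted above. It turns HijackThis lines (R0/R1 registry values, O2/O3/O9 CLSID entries, O4 Run keys, O16 downloaded controls, O23 services) into structured records, points out Run entries that carry only a bare file name rather than a full path, and groups the Kaspersky report by verdict while ignoring the "Object is locked" noise and the per-container subtotals. The sample lines are copied from the logs above; the function and field names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Sample lines copied from the Kaspersky Online Scanner report posted above.
SAMPLE_KAV = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\RECYCLER\S-1-5-21-1645522239-1500820517-839522115-1003\Dc191.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
F:\mail backup\Terrastar.dbx/[From "daugustine" <daugustine@email.msn.com>][Date Thu, 2 Mar 2000 16:35:29 -0800]/UNNAMED Infected: Virus.MSWord.Ethan skipped
F:\mail backup\Ebay-Paypal.dbx/[From eBay <watchnotice@ebay.co.uk>][Date Sun, 16 Apr 2006 07:29:41 PDT]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
F:\mail backup\Terrastar.dbx MailMSOutlook5: infected - 12 skipped
"""


@dataclass
class HjtEntry:
    section: str            # HijackThis section code: R0, O2, O4, O16, O23, ...
    kind: str               # registry key, "BHO", "Service", "DPF", ...
    name: str               # value name, description or service name
    target: str             # path, command line or URL the entry points at
    clsid: Optional[str] = None
    user: Optional[str] = None  # only for per-user Run entries (O4 HKUS\...)


# One regex per line shape; order matters because O4 lines also contain a colon.
HJT_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                     r"(?: \(User '(?P<user>[^']*)'\))?$")
HJT_DPF = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<target>.*)$")
HJT_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")
HJT_CLSID = re.compile(r"^(?P<sec>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
HJT_REG = re.compile(r"^(?P<sec>R\d) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<target>.*)$")


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for shapes this example does not model."""
    m = HJT_RUN.match(line)
    if m:
        return HjtEntry("O4", m["hive"] + "\\..\\Run", m["name"], m["cmd"], user=m["user"])
    m = HJT_DPF.match(line)
    if m:
        return HjtEntry("O16", "DPF", m["name"], m["target"], clsid=m["clsid"])
    m = HJT_SVC.match(line)
    if m:
        return HjtEntry("O23", "Service", m["name"], m["target"])
    m = HJT_CLSID.match(line)
    if m:
        return HjtEntry(m["sec"], m["kind"], m["name"], m["target"], clsid=m["clsid"])
    m = HJT_REG.match(line)
    if m:
        return HjtEntry(m["sec"], m["key"], m["name"].strip(), m["target"])
    return None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse a whole HijackThis log, dropping blank and unrecognised lines."""
    return [e for e in (parse_hjt_line(l.strip()) for l in text.splitlines()) if e]


def unqualified_autoruns(entries: List[HjtEntry]) -> List[Tuple[str, str]]:
    """Run entries whose command is a bare file name with no directory. Windows resolves
    such values through its search order at logon, so a triager wants to confirm which
    file on disk actually starts (for this log: RTHDCPL.EXE, SkyTel.EXE, ALCMTR.EXE)."""
    found = []
    for e in entries:
        if e.section != "O4":
            continue
        exe = e.target.split(" ")[0].strip('"')
        if "\\" not in exe and ":" not in exe:
            found.append((e.name, exe))
    return found


KAV_LINE = re.compile(r"^(?P<path>.*?) (?P<status>Object is locked|(?:Infected|Suspicious): \S+|"
                      r"\S+: (?:infected|suspicious) - \d+) skipped$")


def summarize_kav(text: str) -> Dict[str, List[str]]:
    """Map each Kaspersky verdict name to the objects it was reported on.
    Locked objects are not findings, and per-container subtotals such as
    'MailMSOutlook5: infected - 12' are skipped so nothing is counted twice."""
    verdicts: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if not m:
            continue
        status = m["status"]
        if status.startswith(("Infected: ", "Suspicious: ")):
            verdicts[status.split(": ", 1)[1]].append(m["path"])
    return dict(verdicts)


if __name__ == "__main__":
    for entry in parse_hjt(SAMPLE_HJT):
        print(entry)
    print("bare-name autoruns:", unqualified_autoruns(parse_hjt(SAMPLE_HJT)))
    for verdict, paths in summarize_kav(SAMPLE_KAV).items():
        print(f"{verdict}: {len(paths)} object(s)")
```

    Pasting the full HijackThis and Kaspersky text from the post in place of the two samples gives the whole picture at a glance; on this log every Kaspersky hit lives inside mail stores (.dbx/.eml), the Recycle Bin or a backup drive rather than in a running process, which is the kind of distinction a helper reads off before deciding what to clean.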

  2. #2
    Security Expert Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470


    Hi

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here
    Microsoft MVP Consumer Security 2008 2009 2010 2011 2012
    ASAP & UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    May 2008
    Posts
    20


    Thanks Blade81

    ComboFix log
    ComboFix 08-05-11.1 - Rose 2008-05-12 10:49:23.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.403 [GMT 1:00]
    Running from: C:\Documents and Settings\Rose\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    The following files were disabled during the run:
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
    C:\WINDOWS\Downloaded Program Files\x64
    C:\WINDOWS\Downloaded Program Files\x64\racodec.ax
    C:\WINDOWS\Downloaded Program Files\x86
    C:\WINDOWS\Downloaded Program Files\x86\racodec.ax
    C:\WINDOWS\system32\install.exe
    C:\WINDOWS\system32\x64

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
    .

    2008-05-12 10:49 . 2008-05-12 10:49 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    2008-05-11 19:09 . 2008-05-11 19:09 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT.LOG
    2008-05-11 19:01 . 2008-05-11 19:01 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-05-11 19:01 . 2008-05-11 19:01 <DIR> d-------- C:\WINDOWS\system32\en
    2008-05-11 19:01 . 2008-05-11 19:01 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-05-11 19:01 . 2008-05-11 19:01 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-05-11 18:59 . 2008-05-11 18:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-05-11 18:12 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
    2008-05-11 18:12 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
    2008-05-11 18:12 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
    2008-05-11 18:12 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty
    2008-05-11 11:49 . 2008-05-11 11:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-05-11 11:49 . 2008-05-11 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-11 11:43 . 2008-05-11 11:43 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-10 10:53 . 2008-05-10 10:53 268 --ah----- C:\sqmdata19.sqm
    2008-05-10 10:53 . 2008-05-10 10:53 244 --ah----- C:\sqmnoopt19.sqm
    2008-05-10 09:25 . 2008-05-10 09:25 268 --ah----- C:\sqmdata18.sqm
    2008-05-10 09:25 . 2008-05-10 09:25 244 --ah----- C:\sqmnoopt18.sqm
    2008-05-08 08:52 . 2008-05-08 08:52 268 --ah----- C:\sqmdata17.sqm
    2008-05-08 08:52 . 2008-05-08 08:52 244 --ah----- C:\sqmnoopt17.sqm
    2008-05-08 08:38 . 2008-05-08 08:38 <DIR> d-------- C:\Program Files\Lavasoft
    2008-05-08 08:38 . 2008-05-08 08:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-05-07 23:47 . 2008-05-07 23:47 268 --ah----- C:\sqmdata16.sqm
    2008-05-07 23:47 . 2008-05-07 23:47 244 --ah----- C:\sqmnoopt16.sqm
    2008-05-07 23:17 . 2008-05-07 23:17 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-04-22 09:29 . 2008-04-22 09:36 <DIR> d-------- C:\Program Files\Common Files\InstallEngine
    2008-04-22 09:25 . 2008-04-22 09:27 <DIR> d-------- C:\Program Files\Common Files\Sage Report Designer 2007
    2008-04-22 09:25 . 2008-04-22 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sage
    2008-04-22 09:24 . 2008-04-22 09:24 <DIR> d-------- C:\Program Files\Sagev14
    2008-04-14 01:11 . 2008-04-14 01:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
    2008-04-14 01:09 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
    2008-04-14 01:09 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
    2008-04-14 01:09 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
    2008-04-14 01:09 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
    2008-04-13 19:56 . 2008-04-13 19:56 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
    2008-04-13 19:56 . 2008-04-13 19:56 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
    2008-04-13 19:51 . 2008-04-13 19:51 101,120 --------- C:\WINDOWS\system32\drivers\bthpan.sys
    2008-04-13 19:46 . 2008-04-13 19:46 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-04-13 19:46 . 2008-04-13 19:46 121,984 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
    2008-04-13 19:46 . 2008-04-13 19:46 59,136 --------- C:\WINDOWS\system32\drivers\rfcomm.sys
    2008-04-13 19:46 . 2008-04-13 19:46 37,888 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
    2008-04-13 19:46 . 2008-04-13 19:46 36,480 --------- C:\WINDOWS\system32\drivers\bthprint.sys
    2008-04-13 19:46 . 2008-04-13 19:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
    2008-04-13 19:46 . 2008-04-13 19:46 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
    2008-04-13 19:46 . 2008-04-13 19:46 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
    2008-04-13 19:45 . 2008-04-13 19:45 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
    2008-04-13 19:45 . 2008-04-13 19:45 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
    2008-04-13 19:43 . 2008-04-13 19:43 14,208 --------- C:\WINDOWS\system32\drivers\wacompen.sys
    2008-04-13 19:43 . 2008-04-13 19:43 12,672 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
    2008-04-13 19:43 . 2008-04-13 19:43 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
    2008-04-13 19:40 . 2008-04-13 19:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
    2008-04-13 19:36 . 2008-04-13 19:36 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
    2008-04-13 19:36 . 2008-04-13 19:36 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
    2008-04-13 19:36 . 2008-04-13 19:36 44,672 --------- C:\WINDOWS\system32\drivers\uagp35.sys
    2008-04-13 19:36 . 2008-04-13 19:36 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
    2008-04-13 19:36 . 2008-04-13 19:36 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
    2008-04-13 19:36 . 2008-04-13 19:36 42,368 --------- C:\WINDOWS\system32\drivers\agp440.sys
    2008-04-13 19:36 . 2008-04-13 19:36 42,240 --------- C:\WINDOWS\system32\drivers\viaagp.sys
    2008-04-13 19:36 . 2008-04-13 19:36 40,960 --------- C:\WINDOWS\system32\drivers\sisagp.sys
    2008-04-13 19:36 . 2008-04-13 19:36 5,888 --------- C:\WINDOWS\system32\drivers\smbali.sys
    2008-04-13 19:14 . 2008-04-13 19:14 76,800 --------- C:\WINDOWS\system32\msshavmsg.dll
    2008-04-13 18:27 . 2008-04-13 18:27 79,872 --------- C:\WINDOWS\system32\msxml6r.dll
    2008-04-13 18:27 . 2008-04-13 18:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-12 09:55 --------- d-----w C:\Documents and Settings\Rose\Application Data\AVG7
    2008-05-10 09:55 --------- d-----w C:\Documents and Settings\Rose\Application Data\AdobeUM
    2008-05-09 15:41 --------- d-----w C:\Documents and Settings\Rose\Application Data\U3
    2008-04-22 08:30 --------- d-----w C:\Program Files\Common Files\Sage SBD
    2008-04-22 08:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-22 08:27 --------- d-----w C:\Program Files\Common Files\Sage Shared
    2008-04-22 08:27 --------- d-----w C:\Program Files\Common Files\Sage Line50
    2008-04-14 04:42 985,088 ------w C:\WINDOWS\system32\setupapi.dll
    2008-04-14 04:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe
    2008-04-14 04:41 423,936 ------w C:\WINDOWS\system32\licdll.dll
    2008-04-14 00:25 1,804 ------w C:\WINDOWS\system32\dcache.bin
    2008-04-14 00:16 329,728 ------w C:\WINDOWS\system32\netsetup.exe
    2008-04-14 00:13 92,424 ------w C:\WINDOWS\system32\rdpdd.dll
    2008-04-14 00:13 87,176 ------w C:\WINDOWS\system32\rdpwsx.dll
    2008-04-14 00:13 40,840 ------w C:\WINDOWS\system32\drivers\termdd.sys
    2008-04-14 00:13 299,520 ------w C:\WINDOWS\system32\drmclien.dll
    2008-04-14 00:13 21,896 ------w C:\WINDOWS\system32\drivers\tdtcp.sys
    2008-04-14 00:13 139,656 ------w C:\WINDOWS\system32\drivers\rdpwd.sys
    2008-04-14 00:13 12,168 ------w C:\WINDOWS\system32\tsddd.dll
    2008-04-14 00:13 12,040 ------w C:\WINDOWS\system32\drivers\tdpipe.sys
    2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
    2008-04-14 00:10 53,279 ------w C:\WINDOWS\system32\odbcji32.dll
    2008-04-14 00:10 4,126 ------w C:\WINDOWS\system32\msdxmlc.dll
    2008-04-14 00:10 3,584 ------w C:\WINDOWS\system32\msafd.dll
    2008-04-13 19:30 1,845,632 ------w C:\WINDOWS\system32\win32k.sys
    2008-04-13 19:28 175,744 ------w C:\WINDOWS\system32\drivers\rdbss.sys
    2008-04-13 19:27 2,188,928 ------w C:\WINDOWS\system32\ntoskrnl.exe
    2008-04-13 19:21 162,816 ------w C:\WINDOWS\system32\drivers\netbt.sys
    2008-04-13 19:20 91,520 ------w C:\WINDOWS\system32\drivers\ndiswan.sys
    2008-04-13 19:20 361,344 ------w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-04-13 19:20 182,656 ------w C:\WINDOWS\system32\drivers\ndis.sys
    2008-04-13 19:19 75,264 ------w C:\WINDOWS\system32\drivers\ipsec.sys
    2008-04-13 19:19 51,328 ------w C:\WINDOWS\system32\drivers\rasl2tp.sys
    2008-04-13 19:19 48,384 ------w C:\WINDOWS\system32\drivers\raspptp.sys
    2008-04-13 19:19 146,048 ------w C:\WINDOWS\system32\drivers\portcls.sys
    2008-04-13 19:19 138,112 ------w C:\WINDOWS\system32\drivers\afd.sys
    2008-04-13 19:18 52,480 ------w C:\WINDOWS\system32\drivers\i8042prt.sys
    2008-04-13 19:17 83,072 ------w C:\WINDOWS\system32\drivers\wdmaud.sys
    2008-04-13 19:17 456,576 ------w C:\WINDOWS\system32\drivers\mrxsmb.sys
    2008-04-13 19:17 105,344 ------w C:\WINDOWS\system32\drivers\mup.sys
    2008-04-13 19:16 49,536 ------w C:\WINDOWS\system32\drivers\classpnp.sys
    2008-04-13 19:16 141,056 ------w C:\WINDOWS\system32\drivers\ks.sys
    2008-04-13 19:15 64,512 ------w C:\WINDOWS\system32\drivers\serial.sys
    2008-04-13 19:15 60,800 ------w C:\WINDOWS\system32\drivers\sysaudio.sys
    2008-04-13 19:15 574,976 ------w C:\WINDOWS\system32\drivers\ntfs.sys
    2008-04-13 19:15 334,848 ------w C:\WINDOWS\system32\drivers\srv.sys
    2008-04-13 19:14 63,744 ------w C:\WINDOWS\system32\drivers\cdfs.sys
    2008-04-13 19:14 143,744 ------w C:\WINDOWS\system32\drivers\fastfat.sys
    2008-04-13 19:00 30,080 ------w C:\WINDOWS\system32\drivers\modem.sys
    2008-04-13 19:00 225,664 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-04-13 19:00 19,072 ------w C:\WINDOWS\system32\drivers\tdi.sys
    2008-04-13 18:57 41,472 ------w C:\WINDOWS\system32\drivers\raspppoe.sys
    2008-04-13 18:57 40,576 ------w C:\WINDOWS\system32\drivers\ndproxy.sys
    2008-04-13 18:57 34,560 ------w C:\WINDOWS\system32\drivers\wanarp.sys
    2008-04-13 18:57 20,864 ------w C:\WINDOWS\system32\drivers\ipinip.sys
    2008-04-13 18:57 152,832 ------w C:\WINDOWS\system32\drivers\ipnat.sys
    2008-04-13 18:57 14,336 ------w C:\WINDOWS\system32\drivers\asyncmac.sys
    2008-04-13 18:57 10,112 ------w C:\WINDOWS\system32\drivers\ndistapi.sys
    2008-04-13 18:56 88,320 ------w C:\WINDOWS\system32\drivers\nwlnkipx.sys
    2008-04-13 18:56 69,120 ------w C:\WINDOWS\system32\drivers\psched.sys
    2008-04-13 18:56 35,072 ------w C:\WINDOWS\system32\drivers\msgpc.sys
    2008-04-13 18:56 34,688 ------w C:\WINDOWS\system32\drivers\netbios.sys
    2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismp.sys
    2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023.sys
    2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys
    2008-04-13 18:55 202,624 ------w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-04-13 18:55 14,592 ------w C:\WINDOWS\system32\drivers\ndisuio.sys
    2008-04-13 18:54 11,264 ------w C:\WINDOWS\system32\drivers\irenum.sys
    2008-04-13 18:53 71,552 ------w C:\WINDOWS\system32\drivers\bridge.sys
    2008-04-13 18:53 40,320 ------w C:\WINDOWS\system32\drivers\nmnt.sys
    2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
    2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
    2008-04-13 18:51 61,824 ------w C:\WINDOWS\system32\drivers\nic1394.sys
    2008-04-13 18:51 60,800 ------w C:\WINDOWS\system32\drivers\arp1394.sys
    2008-04-13 18:51 59,904 ------w C:\WINDOWS\system32\drivers\atmarpc.sys
    2008-04-13 18:51 55,808 ------w C:\WINDOWS\system32\drivers\atmlane.sys
    2008-04-13 18:46 25,344 ------w C:\WINDOWS\system32\drivers\sonydcam.sys
    2008-04-13 18:44 81,664 ------w C:\WINDOWS\system32\drivers\videoprt.sys
    2008-04-13 18:44 799,744 ------w C:\WINDOWS\system32\drivers\dmboot.sys
    2008-04-13 18:44 20,992 ------w C:\WINDOWS\system32\drivers\vga.sys
    2008-04-13 18:44 17,664 ------w C:\WINDOWS\system32\watchdog.sys
    2008-04-13 18:44 153,344 ------w C:\WINDOWS\system32\drivers\dmio.sys
    2008-04-13 18:43 12,800 ------w C:\WINDOWS\system32\spiisupd.exe
    2008-04-13 18:41 52,352 ------w C:\WINDOWS\system32\drivers\volsnap.sys
    2008-04-13 18:39 92,544 ------w C:\WINDOWS\system32\drivers\mqac.sys
    2008-04-13 18:39 7,552 ------w C:\WINDOWS\system32\drivers\mskssrv.sys
    2008-04-13 18:39 5,376 ------w C:\WINDOWS\system32\drivers\mspclock.sys
    2008-04-13 18:39 42,368 ------w C:\WINDOWS\system32\drivers\mountmgr.sys
    2008-04-13 18:39 4,992 ------w C:\WINDOWS\system32\drivers\mspqm.sys
    2008-04-13 18:39 4,352 ------w C:\WINDOWS\system32\drivers\swenum.sys
    2008-04-13 18:39 384,768 ------w C:\WINDOWS\system32\drivers\update.sys
    2008-04-13 18:39 24,576 ------w C:\WINDOWS\system32\drivers\kbdclass.sys
    2008-04-13 18:39 23,040 ------w C:\WINDOWS\system32\drivers\mouclass.sys
    2008-04-13 18:39 14,592 ------w C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-04-13 18:38 71,168 ------w C:\WINDOWS\system32\drivers\dxg.sys
    2008-04-13 18:36 79,232 ------w C:\WINDOWS\system32\drivers\sdbus.sys
    2008-04-13 18:36 73,472 ------w C:\WINDOWS\system32\drivers\sr.sys
    2008-04-13 18:36 68,224 ------w C:\WINDOWS\system32\drivers\pci.sys
    2008-04-13 18:36 63,744 ------w C:\WINDOWS\system32\drivers\mf.sys
    2008-04-13 18:36 37,248 ------w C:\WINDOWS\system32\drivers\isapnp.sys
    2002-04-16 09:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
    1998-03-19 23:00 1,048 --sha-w C:\WINDOWS\system32\flfnlf.sys
    1998-03-19 23:00 1,048 --sha-w C:\WINDOWS\system32\rlfnlf.sys
    1998-03-19 23:00 1,048 --sha-w C:\WINDOWS\system32\TMailRL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f3ed5cd-0726-42a9-87f5-d13f3d2976ac}]
    2007-12-17 12:12 56360 --------- C:\Program Files\Windows Live\Family Safety\fssbho.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-11-18 03:28 2084688]
    "MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
    "My Kazaa Gold"="C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe" [2007-01-14 23:48 2445312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-18 23:27 16207872 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-17 03:04 2879488 C:\WINDOWS\SkyTel.exe]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:43 579584]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-10 17:39 98304]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-10 17:39 106496]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-10 17:39 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 04:51 39792]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
    "fssui"="C:\Program Files\Windows Live\Family Safety\fssui.exe" [2007-12-17 12:12 243240]
    "SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-10 16:59 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [12/10/2007 10:27:34 PM 25214]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "C:\\Program Files\\SopCast\\SopCast.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\My Kazaa Gold\\giFT\\giFTl.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R2 fssfltr;FssFltr;C:\WINDOWS\system32\DRIVERS\fssfltr.sys [2007-10-17 14:53]
    R2 fsssvc;Windows Live OneCare Family Safety;"C:\Program Files\Windows Live\Family Safety\fsssvc.exe" [2007-12-17 12:13]
    S3 igfx;igfx;C:\WINDOWS\system32\DRIVERS\igdkmd32.sys [2007-12-10 17:39]
    S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCMPR5.SYS []
    S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCNDIS5.SYS [2004-04-26 11:11]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-12 09:21:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-12 10:55:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-12 11:01:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-12 10:00:25

    Pre-Run: 62,811,324,416 bytes free
    Post-Run: 63,344,279,552 bytes free

    273 --- E O F --- 2008-04-11 02:05:31

    ---------------
    and new HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:06:49, on 12/05/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Windows Live\Family Safety\fssui.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
    O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/Tec...cueControl.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197411738875
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    --
    End of file - 9267 bytes
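As an added example (not part of the original post, and not code from ComboFix or HijackThis), here is a small Python triage script that reads lines in the shape of the ComboFix "Reg Loading Points" and HijackThis O4 sections above and flags three things a helper looks for when reading such a log: Run values whose bracketed file details are empty (`[ ]`), a removable-media AutoRun handler under `mountpoints2` (here the U3 launcher on G:), and O4 values that name a bare executable with no drive or directory. The sample lines are constructed from the post (a handful of entries, not the full logs); the reading of an empty bracket as "file not found on disk at scan time" is this example's assumption.

```python
"""Triage helpers for ComboFix 'Reg Loading Points' and HijackThis O4 lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, shaped like the logs in the post above (a few lines, not the full logs).
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 23:27 16207872 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:43 579584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<meta>[^\]]*)\]')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$')
HJT_O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    meta: str  # contents of the trailing [...] as ComboFix printed it, stripped


def parse_combofix(text: str) -> Tuple[List[RunEntry], List[Tuple[str, str]]]:
    """Return (Run-key entries, (key, command) pairs for mountpoints2 AutoRun handlers)."""
    entries, autoruns = [], []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(RunEntry(key, m.group("name"), m.group("path"), m.group("meta").strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            autoruns.append((key, m.group("cmd").strip()))
    return entries, autoruns


def orphaned_run_entries(text: str) -> List[str]:
    """Names of Run values whose [..] is empty. Assumption: ComboFix prints an empty bracket
    when it cannot find the target file, so the value is a dangling autostart."""
    entries, _ = parse_combofix(text)
    return [e.name for e in entries if not e.meta]


def removable_autorun_commands(text: str) -> List[str]:
    """Commands Explorer remembers for a drive letter's AutoRun (mountpoints2)."""
    _, autoruns = parse_combofix(text)
    return [cmd for _, cmd in autoruns]


def _program_token(cmd: str) -> str:
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_unqualified(program: str) -> bool:
    """True when the value names a bare file with no drive or directory, so Windows has to
    locate it through its standard search order at logon instead of a fixed path."""
    return "\\" not in program and ":" not in program


def unqualified_hjt_o4(text: str) -> List[str]:
    names = []
    for raw in text.splitlines():
        m = HJT_O4_RE.match(raw.strip())
        if m and is_unqualified(_program_token(m.group("cmd"))):
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    print("orphaned Run values:", orphaned_run_entries(SAMPLE_COMBOFIX))
    print("removable-media AutoRun handlers:", removable_autorun_commands(SAMPLE_COMBOFIX))
    print("O4 entries without a full path:", unqualified_hjt_o4(SAMPLE_HJT))
```

None of the three findings is proof of infection on its own: the two orphaned values here are leftovers from Google Toolbar Notifier and RealPlayer, the AutoRun command is a U3 USB stick's launcher, and RTHDCPL/SkyTel are Realtek audio programs that ComboFix itself resolved to C:\WINDOWS. The script's job is to pull those entries out of several hundred log lines so they get looked at, which is what a helper reading the post does by eye.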

  4. #4
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470

    Default

    Hi

    Copy C:\QooBox\Quarantine\C\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll file back to C:\Program Files\Enigma Software Group\SpyHunter folder.

    Does OneCare Live include antivirus protection? If it does, you should remove either it or AVG. Having more than one antivirus product active in the same system eats up resources and causes unexpected behaviour.

    Have you defragged your hard drive(s) lately? If not, that might be causing the jam with Spybot, since your log didn't show a sign of Vundo (Virtumonde). You can remove those mail messages found by Kaspersky.
    Microsoft MVP Consumer Security 2008 2009 2010 2011 2012
    ASAP & UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    May 2008
    Posts
    20

    Default

    Hi
    I couldn't find the SpyHunterMonitor.dll file at location C:\QooBox\Quarantine\C\Program Files\Enigma Software Group\SpyHunter - the SpyHunter folder there was empty. I did find it at C:\Program Files\Enigma Software Group\SpyHunter - so presumably that's OK?

    I'll remove OneCare Live - not sure if it does anti-virus protection, but I can do without it - so I will use AVG. I will defrag and run Spybot again, and also remove the messages found by Kaspersky. Thanks again for now - will report back later.

  6. #6
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470

    Default

    "so presumably that's OK?"
    Yes, that's OK. I'll be waiting for your input.

  7. #7
    Junior Member
    Join Date
    May 2008
    Posts
    20

    Default

    Kaspersky now giving clean report - thanks for your advice re:virus/suspicious object removal.
    I have defragged the C drive, but Spybot S&D is still stalling at "Running bot-check 128943/150799 Virtumonde.dll". Spybot S&D becomes unresponsive and has to be closed using Task Manager.
    Any more ideas?
    Thanks

  8. #8
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470

    Default

    Hi

    Have you tried running Spybot in safe mode? Does it jam there too?

  9. #9
    Junior Member
    Join Date
    May 2008
    Posts
    20

    Default

    Good Morning Blade81
    Spybot S&D is still jamming at exactly the same point in Safe Mode and has to be closed with Task Manager.

  10. #10
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470

    Default

    Hi

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.


    If Spybot still jams at the same location after that, I recommend uninstalling it and then reinstalling it to see if that makes any difference.
