smitfraud c-toolbar888 problem



banjo
2007-05-01, 03:36
Spybot continues to identify smitfraud as a problem and my IE jumps to strange places. I've read some of the other threads, and it looks complicated. I would be thankful for any help.
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:25:06 PM, on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=presario&pf=laptop
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\plergkmo.dll",realset
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q305&bd=presario&pf=laptop
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Mr_JAk3
2007-05-03, 20:53
Hello and welcome to the Forums :)

Looks nasty...

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
c:\windows\system32\ahfrebebnfu.dll
Click on Send
Wait for the scan to end.

Copy and paste the scan results here.

Rename HijackThis.exe to Scanner.exe
Post a fresh HijackThis (scanner.exe) log here.

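A triage script for HijackThis-format logs like the ones posted in this thread, added here as an example (it is not part of the thread and not HijackThis code): it flags O4 entries where rundll32 loads a DLL at logon (the plergkmo.dll entry above), collapses the repeated O10 unknown-LSP lines for ahfrebebnfu.dll into one finding, reports the orphaned R3 hook, and skips a known-benign O4 entry so the rule set has a false-positive control. The sample log lines and the random-name heuristic are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 format, modelled on the entries posted in
# this thread (abbreviated; the six identical O10 lines reduced to two).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\plergkmo.dll",realset
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ahfrebebnfu.dll
"""

# O4: registry key, value name in brackets, then the command line.
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 invoking a DLL by path with an export name after the comma.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I
)
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.I)
R3_RE = re.compile(
    r"^R3 - URLSearchHook: (?P<name>.+?) - \{[0-9A-F-]+\} - (?P<file>.+)$", re.I
)

# Known-benign O4 value names; seed this from a clean baseline of the same build.
BENIGN_O4_NAMES = {"KernelFaultCheck"}


def looks_random(stem: str) -> bool:
    """Crude check for generated file names: few vowels or a long consonant run."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest, run = 0, 0
    for c in letters:
        run = 0 if c in "aeiou" else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < 0.25 or longest >= 4


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious entry; repeated O10 lines for one file are reported once."""
    findings: List[Dict[str, str]] = []
    seen_lsp = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if m.group("name") in BENIGN_O4_NAMES:
                continue
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                dll = r.group("dll")
                stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                reason = "rundll32 loads a DLL at logon (export %s)" % r.group("export")
                if looks_random(stem):
                    reason += "; random-looking file name"
                findings.append({"section": "O4", "path": dll, "reason": reason})
            continue
        m = O10_RE.match(line)
        if m:
            path = m.group("path").strip().lower()
            if path not in seen_lsp:
                seen_lsp.add(path)
                findings.append({
                    "section": "O10", "path": path,
                    "reason": "unknown Winsock LSP; repair the LSP chain, do not just delete the file",
                })
            continue
        m = R3_RE.match(line)
        if m and m.group("file").strip().lower() == "(no file)":
            findings.append({
                "section": "R3", "path": m.group("name"),
                "reason": "orphaned URLSearchHook pointing at a missing file",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print("%-4s %-45s %s" % (f["section"], f["path"], f["reason"]))
```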

banjo
2007-05-08, 06:42
Attempting to follow directions, I tried to install Service Pack 1a when my XP was already SP2. It started to crash a lot and I had to reinstall XP. Smitfraud came up on my S&D scan and my IE has started to jump around. How can this be after a fresh install? Here is my new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 21:32:29, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q305&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\cxdyyvwy.dll",realset
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod ?? (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-05-08, 08:59
Hello :)


Attempting to follow directions, I tried to install Service Pack 1a when my XP was already SP2. It started to crash a lot and I had to reinstall XP. Smitfraud came up on my S&D scan and my IE has started to jump around. How can this be after a fresh install? Here is my new HijackThis log.

When did you do this fresh install ?

banjo
2007-05-08, 17:26
I did the install on this last Sunday night. I had saved some files to my portable hard drive; could it have come back through there?

Mr_JAk3
2007-05-08, 20:29
OK, you should definitely scan the drives with antivirus before using those.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under "Select a target to scan", select My Computer.

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


banjo
2007-05-09, 06:27
Here is my Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 08, 2007 9:25:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/05/2007
Kaspersky Anti-Virus database records: 315648
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 109968
Number of viruses found: 7
Number of infected objects: 18 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:40:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\Temp\installer.exe Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KDM7G1QB\installer[1].exe Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cert8.db Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\history.dat Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\key3.db Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\parent.lock Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Temp\RarSFX0\vista_patch.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Temp\RarSFX0\vista_patch.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Temp\RarSFX0\xp_patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Temporary Internet Files\HLB9KZTA\RSMRP0XR\Offline\0x00000001_R Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\Local Settings\Temporary Internet Files\HLB9KZTA\RSMRP0XR\Offline\HashFile.dat Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\My Documents\My Music\iTunes\iTunes 4 Music Library.itl Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Charlie.A22F9CA1071340E\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BUWNF58L\lo1[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.iy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BUWNF58L\lo1[4] Infected: not-a-virus:AdWare.Win32.Virtumonde.iy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OHIFGHUJ\index[4].htm Infected: Exploit.HTML.IESlice.i skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/vista_patch.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/vista_patch.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/xp_patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe RarSFX: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003217.dll Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003218.dll Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003227.exe Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003228.dll Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003229.dll Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003230.exe Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003231.exe Object is locked skipped
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP24\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\A22F9CA1071340E.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hobhqean.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\WINDOWS\system32\iifdaxv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hc skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT074f1.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT074f4.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/vista_patch.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/vista_patch.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/xp_patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe RarSFX: infected - 4 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
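A small parser for the Kaspersky Online Scanner report layout above, added here as an example (not part of the thread and not Kaspersky tooling): it drops the "Object is locked" noise, tallies detections by name, and flags an infected file name that appears on more than one drive. On the report above that is the PowerISO keygen archive present under both C:\Downloads and F:\disk transfer, which is the kind of evidence that answers the earlier question about the portable drive. The excerpt below is constructed from lines in the posted report.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed excerpt in the Kaspersky Online Scanner report layout used in this thread:
# "<path> <verdict> <last action>" on one line, archive members separated by '/'.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/vista_patch.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/xp_patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Downloads\PowerISO 3.7 + Keygen\PowerISO37.exe RarSFX: infected - 4 skipped
C:\WINDOWS\system32\hobhqean.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\installer.exe Suspicious: Packed.Win32.Morphine.a skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe/data.rar/xp_patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
F:\disk transfer\PowerISO 3.7 + Keygen\PowerISO37.exe RarSFX: infected - 4 skipped
"""

# Path is everything before the verdict; the verdict is one of the four report forms.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|Suspicious: (?P<sname>\S+)|"
    r"(?P<container>\S+): infected - \d+|Object is locked) "
    r"(?P<action>\S+)$"
)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse report lines into records; locked objects were never scanned, so drop them."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name") or m.group("sname")
        if name is None and m.group("container") is None:
            continue  # "Object is locked": no verdict
        if name is None:
            name = "%s container" % m.group("container")
        path = m.group("path")
        host = path.split("/", 1)[0]  # the on-disk file; members after '/' live inside it
        records.append({
            "path": path,
            "host": host,
            "drive": host[:2].upper(),
            "basename": host.rsplit("\\", 1)[-1],
            "name": name,
            "kind": "suspicious" if m.group("sname") else "infected",
            "action": m.group("action"),
        })
    return records


def detections(records: List[Dict[str, str]]) -> Counter:
    """How many report lines each detection name accounts for."""
    return Counter(r["name"] for r in records)


def cross_drive_copies(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """File names flagged on more than one drive: candidate carriers for reinfection."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["basename"]].add(r["host"])
    return {
        name: sorted(paths)
        for name, paths in hosts.items()
        if len({p[:2].upper() for p in paths}) > 1
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for name, count in detections(recs).most_common():
        print("%3d  %s" % (count, name))
    for name, paths in cross_drive_copies(recs).items():
        print("%s seen on several drives:" % name)
        for p in paths:
            print("    " + p)
```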

Mr_JAk3
2007-05-09, 20:45
Hello :)

OK not clean yet...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

banjo
2007-05-09, 23:28
Here is the combofix log:

"Charlie" - 2007-05-09 14:05:07 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Charlie.A22F9CA1071340E\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cxdyyvwy.dll
C:\WINDOWS\system32\hobhqean.dll
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ywvyydxc.ini
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\iifdaxv.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))


2007-05-09 14:08 49,204 --a------ C:\WINDOWS\system32\rxrlrbtf.dll
2007-05-08 19:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-08 08:56 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-08 08:56 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-08 08:56 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-08 08:56 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-08 08:56 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-08 08:56 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-08 08:56 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-08 08:55 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-08 08:55 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-08 08:55 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-05-08 08:54 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-05-08 08:39 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-08 08:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-07 22:03 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-07 22:01 5,805,656 --a------ C:\Firefox Setup 2.0.0.3.exe
2007-05-07 20:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-05-07 20:10 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-05-07 20:05 21,407,888 --a------ C:\avg75free_467a1008.exe
2007-05-07 20:04 3,873,600 --a------ C:\spybotsd14.exe
2007-05-07 19:54 <DIR> d---s---- C:\DOCUME~1\CHARLI~1.A22\UserData
2007-05-07 19:49 <DIR> d-------- C:\DOCUME~1\CHARLI~1.A22\APPLIC~1\AdobeUM
2007-05-07 19:29 <DIR> d-------- C:\DOCUME~1\CHARLI~1.A22\APPLIC~1\Azureus
2007-05-07 19:04 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-07 19:04 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-07 19:04 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-07 19:04 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-07 13:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\hpqwmi
2007-05-07 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\InstallShield
2007-05-07 13:12 32,356 --------- C:\WINDOWS\system32\pusbfd1.sys
2007-05-07 13:06 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-05-07 13:04 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-05-07 13:04 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-05-07 13:04 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-05-07 13:04 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-05-07 13:04 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-05-07 13:04 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-05-07 12:56 69,632 --a------ C:\WINDOWS\system32\bcmwlD2K.EXE
2007-05-07 12:56 371,712 --------- C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-05-07 12:56 176,128 --a------ C:\WINDOWS\system32\bcmwlu00.EXE
2007-05-07 12:50 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-05-07 12:50 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-05-07 12:50 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-05-07 12:49 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-05-07 12:49 69,760 --a------ C:\WINDOWS\system32\drivers\Rtlnicxp.sys
2007-05-07 12:49 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-05-07 12:49 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-05-07 12:49 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-05-07 12:49 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-05-07 12:49 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-05-07 12:49 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-05-07 12:49 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-05-07 12:49 <DIR> d-------- C:\WINDOWS\OPTIONS
2007-05-07 12:48 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-05-07 12:48 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-05-07 12:48 145,920 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-05-07 12:38 <DIR> d-------- C:\DOCUME~1\CHARLI~1.A22\APPLIC~1\Apple Computer
2007-05-07 12:37 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-05-07 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer
2007-05-06 23:45 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-05-06 23:36 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-05-06 23:36 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-05-06 23:31 <DIR> dr-h----- C:\MSOCache
2007-05-06 22:15 344,064 -ra------ C:\WINDOWS\system32\msvcr70.dll
2007-05-06 22:15 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-05-06 22:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\QuickTime
2007-05-06 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-05-06 20:18 <DIR> d-------- C:\Zone Labs
2007-05-06 20:17 <DIR> d-------- C:\Spybot - Search & Destroy
2007-05-06 19:57 397,312 --a------ C:\DOCUME~1\ADMINI~1.A22\NTUSER.DAT
2007-05-06 19:53 2,359,296 --ah----- C:\DOCUME~1\CHARLI~1.A22\NTUSER.DAT
2007-05-06 19:50 786,432 --ah----- C:\DOCUME~1\LOCALS~1.NTA\NTUSER.DAT
2007-05-06 19:48 786,432 --ah----- C:\DOCUME~1\NETWOR~1.NTA\NTUSER.DAT
2007-05-06 19:44 225,280 ---h----- C:\DOCUME~1\DEFAUL~1.WIN\NTUSER.DAT
2007-05-06 19:43 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-05-06 19:42 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-05-06 19:41 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-05-06 19:40 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-05-06 19:40 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-05-06 19:40 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-05-06 19:40 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-05-06 19:40 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-05-06 19:40 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-05-06 19:40 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-05-06 19:40 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-06 19:40 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-05-06 19:40 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-05-06 19:40 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2007-05-06 19:40 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-05-06 19:40 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-05-06 19:40 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-06 19:40 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-05-06 19:40 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-05-06 19:40 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-05-06 19:40 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-06 19:40 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-05-06 19:40 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-05-06 19:40 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-05-06 19:40 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-05-06 19:40 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-05-06 19:40 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-05-06 19:40 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-05-06 19:40 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-05-06 19:40 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-05-06 19:40 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-05-06 19:40 22,528 --a------ C:\WINDOWS\system32\fltMc.exe
2007-05-06 19:40 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-06 19:40 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-06 19:40 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-05-06 19:40 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-05-06 19:40 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2007-05-06 19:40 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-06 19:40 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-05-06 19:40 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-05-06 19:40 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2007-05-06 19:40 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-06 19:40 124,800 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2007-05-06 19:40 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-05-06 19:40 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2007-05-06 19:40 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-05-06 19:40 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-05-06 19:40 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-05-06 19:39 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-05-06 19:39 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-05-06 19:39 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-05-06 19:39 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-05-06 19:39 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-05-06 19:39 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-05-06 19:39 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-05-06 19:38 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-05-06 19:38 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-05-06 19:38 90,112 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-05-06 19:38 9,728 --a------ C:\WINDOWS\system32\reset.exe
2007-05-06 19:38 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-05-06 19:38 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-05-06 19:38 82,432 --a------ C:\WINDOWS\system32\comrepl.dll
2007-05-06 19:38 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-05-06 19:38 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-05-06 19:38 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-05-06 19:38 628,224 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-05-06 19:38 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-05-06 19:38 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2007-05-06 19:38 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-05-06 19:38 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-05-06 19:38 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-05-06 19:38 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-05-06 19:38 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2007-05-06 19:38 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-05-06 19:38 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-05-06 19:38 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-05-06 19:38 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-05-06 19:38 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2007-05-06 19:38 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-05-06 19:38 501,248 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-05-06 19:38 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2007-05-06 19:38 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-05-06 19:38 425,472 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-05-06 19:38 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-05-06 19:38 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-05-06 19:38 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2007-05-06 19:38 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2007-05-06 19:38 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-05-06 19:38 345,088 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-05-06 19:38 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-06 19:38 33,792 --a------ C:\WINDOWS\system32\regini.exe
2007-05-06 19:38 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-05-06 19:38 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2007-05-06 19:38 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2007-05-06 19:38 229,888 --a------ C:\WINDOWS\system32\catsrv.dll
2007-05-06 19:38 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2007-05-06 19:38 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-05-06 19:38 20,992 --a------ C:\WINDOWS\system32\msg.exe
2007-05-06 19:38 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-05-06 19:38 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2007-05-06 19:38 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-05-06 19:38 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-05-06 19:38 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-05-06 19:38 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-05-06 19:38 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-05-06 19:38 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-05-06 19:38 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2007-05-06 19:38 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2007-05-06 19:38 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2007-05-06 19:38 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2007-05-06 19:38 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll

banjo
2007-05-09, 23:29
2007-05-06 19:38 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2007-05-06 19:38 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-05-06 19:38 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2007-05-06 19:38 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-05-06 19:38 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2007-05-06 19:38 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2007-05-06 19:38 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2007-05-06 19:38 139,400 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-05-06 19:38 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-05-06 19:38 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-05-06 19:38 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-05-06 19:38 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-05-06 19:38 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-05-06 19:38 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-05-06 19:38 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-05-06 19:38 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-05-06 19:38 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-05-06 19:38 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2007-05-06 19:38 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-05-06 19:38 1,251,840 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-05-06 19:38 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2007-05-06 12:30 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-05-06 12:30 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-05-06 12:29 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-05-06 12:29 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-05-06 12:29 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-05-06 12:29 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-06 12:29 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-05-06 12:29 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-05-06 12:28 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2007-05-06 12:27 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2007-05-06 12:27 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2007-05-06 12:27 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2007-05-06 12:27 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2007-05-06 12:27 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2007-05-06 12:26 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-05-06 12:26 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-05-06 12:26 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-05-06 12:26 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-05-06 12:26 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-05-06 12:26 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-05-06 12:26 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-05-06 12:26 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2007-05-06 12:26 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2007-05-06 12:26 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2007-05-06 12:26 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2007-05-06 12:26 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2007-05-06 12:26 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2007-05-06 12:26 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2007-05-06 12:26 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2007-05-06 12:26 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2007-05-06 12:26 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2007-05-06 12:26 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2007-05-06 12:26 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2007-05-06 12:26 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2007-05-06 12:26 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-06 12:26 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2007-05-06 12:26 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2007-05-06 12:26 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2007-05-06 12:26 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2007-05-06 12:26 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-06 12:26 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2007-05-06 12:26 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-05-06 12:26 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2007-05-06 12:26 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2007-05-06 12:26 <DIR> dr------- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-05-04 13:11 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-04 13:05 0 --a------ C:\CONFIG.SYS
2007-05-04 13:05 0 --a------ C:\AUTOEXEC.BAT
2007-05-04 12:16 <DIR> d-------- C:\WINDOWS\setupupd
2007-05-03 16:13 <DIR> d-------- C:\WINDOWS\setup.pss
2007-05-01 23:03 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-01 23:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-05-01 22:03 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-01 22:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-04-30 18:20 <DIR> d-------- C:\hijackthis
2007-04-28 11:27 <DIR> d-------- C:\Program Files\PowerISO
2007-04-26 03:07 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Opera
2007-04-25 18:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-04-25 18:53 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-04-25 03:41 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-25 03:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
2007-04-25 03:40 <DIR> d-------- C:\Program Files\AVS4YOU
2007-04-25 00:10 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-04-23 21:05 <DIR> d-------- C:\Downloads
2007-04-23 21:02 <DIR> d-------- C:\Program Files\Azureus
2007-04-23 21:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-04-23 20:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ATI
2007-04-23 19:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-23 18:08 <DIR> d-------- C:\ATI
2007-04-23 17:53 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-04-23 17:25 1,310,720 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-23 17:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-23 17:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-04-22 00:15 0 --a------ C:\DOCUME~1\Owner\xxy_tempopt.bin
2007-04-19 23:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-04-12 14:13 <DIR> d-------- C:\Program Files\TCWorks
2007-04-12 14:13 <DIR> d-------- C:\Program Files\directx
2007-04-12 14:09 <DIR> d-------- C:\DOCUME~1\Owner\WINDOWS
2007-04-10 23:01 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-09 05:27 31,548 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 15:31:22 -------- d-----w C:\Program Files\QuickTime
2007-05-07 20:20:45 -------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-05-07 20:14:49 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-05-07 20:05:21 -------- d-----w C:\Program Files\CPQ
2007-05-07 20:05:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-07 20:05:03 -------- d-----w C:\Program Files\InterVideo
2007-05-07 19:57:08 -------- d-----w C:\Program Files\HPQ
2007-05-07 19:37:24 -------- d-----w C:\Program Files\iTunes
2007-05-07 03:00:27 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-05-07 02:39:12 -------- d-----w C:\Program Files\Messenger
2007-04-27 17:41:49 23,552 ----a-w C:\VCdControlTool.exe
2007-04-24 03:46:14 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-24 03:43:49 -------- d-----w C:\Program Files\Symantec
2007-04-24 01:51:19 -------- d-----w C:\Program Files\ATI Technologies
2007-04-24 00:27:17 -------- d-----w C:\Program Files\Audacity
2007-04-03 22:05:26 0 --sha-r C:\MSDOS.SYS
2007-04-03 22:05:26 0 --sha-r C:\IO.SYS
2007-04-03 16:47:06 -------- d-----w C:\Program Files\PIXELA
2007-04-03 04:46:34 -------- d-----w C:\Program Files\Hp


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"
"{5981309A-BC2D-4C11-8878-6D0E74D18213}"="C:\WINDOWS\system32\sabcgvom.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-09 14:12:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?1?5?3??@???? ???B?????????????hLC? ??????

scanning hidden files ...

C:\SYSTEM.SAV\delink.log 320 bytes
C:\SYSTEM.SAV\info.bom 16384 bytes
C:\SYSTEM.SAV\INFO.US 4096 bytes
C:\SYSTEM.SAV\Logs
C:\SYSTEM.SAV\Logs\Cia.ini 155648 bytes
C:\SYSTEM.SAV\Logs\Info.bom 16384 bytes
C:\SYSTEM.SAV\Logs\Install.log 372736 bytes
C:\SYSTEM.SAV\Logs\Preinchk.log 4096 bytes
C:\SYSTEM.SAV\Logs\Sysinfo.log 294912 bytes
C:\SYSTEM.SAV\Logs\UIADUMP.EUE 4096 bytes
C:\SYSTEM.SAV\Logs\UIADUMP.FPP 4096 bytes
C:\SYSTEM.SAV\mszone.log 16384 bytes
C:\SYSTEM.SAV\PREINCHK.log 4096 bytes
C:\SYSTEM.SAV\REBOOT.ME 48 bytes
C:\SYSTEM.SAV\REGFLUSH.LOG 4096 bytes
C:\SYSTEM.SAV\RmDev.log 28672 bytes
C:\SYSTEM.SAV\SYSINFO.LOG 294912 bytes
C:\SYSTEM.SAV\SysInfo.US 294912 bytes
C:\SYSTEM.SAV\UTIL
C:\SYSTEM.SAV\UTIL\BOOTSEC.NT4 512 bytes
C:\SYSTEM.SAV\UTIL\BrandIt.Log 20480 bytes
C:\SYSTEM.SAV\UTIL\CHKIMAGE.exe 126976 bytes
C:\SYSTEM.SAV\UTIL\CIA.CDC 69632 bytes
C:\SYSTEM.SAV\UTIL\CIA.INI 81920 bytes
C:\SYSTEM.SAV\UTIL\cpqci.dll 122880 bytes
C:\SYSTEM.SAV\UTIL\cvacompg.exe 118784 bytes
C:\SYSTEM.SAV\UTIL\cvacompg.tmp 168 bytes
C:\SYSTEM.SAV\UTIL\DelDir.exe 36864 bytes
C:\SYSTEM.SAV\UTIL\delmodem.ini 184 bytes
C:\SYSTEM.SAV\UTIL\DELMPLNK.bat 88 bytes
C:\SYSTEM.SAV\UTIL\DELMPLNK.js 480 bytes
C:\SYSTEM.SAV\UTIL\DETECTOS.INI 408 bytes
C:\SYSTEM.SAV\UTIL\DNSP1.LOG 16384 bytes
C:\SYSTEM.SAV\UTIL\EISDTICON.log 32 bytes
C:\SYSTEM.SAV\UTIL\EVENTDEL.VBS 208 bytes
C:\SYSTEM.SAV\UTIL\FB_EIS.log 32 bytes
C:\SYSTEM.SAV\UTIL\hpqnt.dll 77824 bytes
C:\SYSTEM.SAV\UTIL\INSTALL.LOG 376832 bytes
C:\SYSTEM.SAV\UTIL\ISLOGCHK.EXE 110592 bytes
C:\SYSTEM.SAV\UTIL\ISLOGCHK.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\mscu.log 168 bytes
C:\SYSTEM.SAV\UTIL\PININST.EXE 110592 bytes
C:\SYSTEM.SAV\UTIL\PININST.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\PININST.LOG 8192 bytes
C:\SYSTEM.SAV\UTIL\POSTOOBE.LOG 48 bytes
C:\SYSTEM.SAV\UTIL\postproc.ini 544 bytes
C:\SYSTEM.SAV\UTIL\powerset.log 88 bytes
C:\SYSTEM.SAV\UTIL\PREINCHK.BAT 216 bytes
C:\SYSTEM.SAV\UTIL\PREINFO.INI 200 bytes
C:\SYSTEM.SAV\UTIL\PREINFO2.EXE 86016 bytes
C:\SYSTEM.SAV\UTIL\qlb.log 176 bytes
C:\SYSTEM.SAV\UTIL\random.ini 40 bytes
C:\SYSTEM.SAV\UTIL\REGDEV.EXE 106496 bytes
C:\SYSTEM.SAV\UTIL\REGDEV.INI 560 bytes
C:\SYSTEM.SAV\UTIL\sedinst.log 168 bytes
C:\SYSTEM.SAV\UTIL\STRTMENU.EXE 24576 bytes
C:\SYSTEM.SAV\UTIL\SWSET_B.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\ticrdbus.log 32 bytes
C:\SYSTEM.SAV\UTIL\touchpad.log 192 bytes
C:\SYSTEM.SAV\UTIL\WINDVD.LOG 168 bytes
C:\SYSTEM.SAV\UTIL\wlassistant.log 176 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 61


********************************************************************

Completion time: 2007-05-09 14:13:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-09 14:13

Mr_JAk3
2007-05-10, 20:29
Ok good :)

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\rxrlrbtf.dll
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here, then we'll nail the rest of the infections :bigthumb:

banjo
2007-05-11, 01:35
Here is the next scan:



STATUS: FINISHED
Complete scanning result of "rxrlrbtf.dll", received in VirusTotal at 05.11.2007, 01:24:24 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.10.2007 no virus found
AntiVir 7.4.0.15 05.10.2007 TR/Vundo.Gen
Authentium 4.93.8 05.10.2007 no virus found
Avast 4.7.997.0 05.10.2007 no virus found
AVG 7.5.0.467 05.10.2007 Adware Generic2.RN
BitDefender 7.2 05.11.2007 Trojan.Vundo.DLP
CAT-QuickHeal 9.00 05.10.2007 AdWare.Virtumonde.ir (Not a Virus)
ClamAV devel-20070416 05.10.2007 Trojan.Packed-7
DrWeb 4.33 05.10.2007 Trojan.Juan
eSafe 7.0.15.0 05.10.2007 no virus found
eTrust-Vet 30.7.3624 05.10.2007 no virus found
Ewido 4.0 05.10.2007 no virus found
FileAdvisor 1 05.11.2007 no virus found
Fortinet 2.85.0.0 05.10.2007 suspicious
F-Prot 4.3.2.48 05.10.2007 W32/Adware.JGJ
F-Secure 6.70.13030.0 05.11.2007 no virus found
Ikarus T3.1.1.7 05.10.2007 not-a-virus:AdWare.Win32.Virtumonde.ir
Kaspersky 4.0.2.24 05.10.2007 not-a-virus:AdWare.Win32.Virtumonde.ir
McAfee 5028 05.10.2007 no virus found
Microsoft 1.2503 05.11.2007 no virus found
NOD32v2 2256 05.10.2007 no virus found
Norman 5.80.02 05.10.2007 W32/Virtumonde.GJC
Panda 9.0.0.4 05.10.2007 Adware/WebSearch
Prevx1 V2 05.11.2007 no virus found
Sophos 4.17.0 05.08.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 VIPRE.Suspicious
Symantec 10 05.11.2007 Trojan.Vundo
TheHacker 6.1.6.112 05.10.2007 Adware/Virtumonde.ir
VBA32 3.12.0 05.10.2007 AdWare.Win32.Virtumonde.ir
VirusBuster 4.3.7:9 05.10.2007 no virus found
Webwasher-Gateway 6.0.1 05.11.2007 Trojan.Vundo.Gen


Aditional Information
File size: 49204 bytes
MD5: c09a14054ad9461cf8679918d1d1f5a0
SHA1: c12cb7e86aca59d3db4ca362a954a66c94d5d9ae
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Mr_JAk3
2007-05-11, 21:06
Ok good...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

:bigthumb:

banjo
2007-05-12, 00:48
Here are the logs:

Old versions of java are exploitable and should be removed.

Scan started at 15:34:28 11/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\rxrlrbtf.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rxrlrbtf.dll
C:\WINDOWS\system32\rxrlrbtf.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 15:42:55, on 11/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5981309A-BC2D-4C11-8878-6D0E74D18213} - C:\WINDOWS\system32\sabcgvom.dll (file missing)
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod ?? (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-05-13, 10:12
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {5981309A-BC2D-4C11-8878-6D0E74D18213} - C:\WINDOWS\system32\sabcgvom.dll (file missing)

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs here:
- AVG's report
- a fresh HijackThis log

banjo
2007-05-13, 20:32
Here's the AVG and HJT


+ Created at: 11:13:01 13/05/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\hobhqean.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\iifdaxv.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP25\A0003491.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP25\A0003497.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP28\A0003981.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\rxrlrbtf.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP25\A0003608.exe -> Logger.BZub.if : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003228.dll -> Logger.VBStat.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003229.dll -> Logger.VBStat.h : Cleaned with backup (quarantined).
C:\cp1041.nls -> Proxy.Horst : Cleaned with backup (quarantined).
:mozilla.222:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.223:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.224:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.157:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.248:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.129:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.130:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.40:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.45:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.139:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.140:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.141:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.71:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.72:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.73:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.74:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.76:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.82:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.83:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.86:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.87:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.23:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.61:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.62:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.63:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.64:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.65:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.66:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.67:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.52:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.55:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.56:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.240:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.249:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.251:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.226:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.8:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.221:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.208:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.209:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.210:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.69:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.70:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.252:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.253:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.254:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.255:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.256:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.258:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.259:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.58:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.25:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.26:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.27:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.28:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.29:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.30:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.269:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.270:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.271:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.272:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.47:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.49:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.57:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end
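
As an added example (not from this thread, and not part of AVG Anti-Spyware), here is a small Python triage script for the report format above. It parses each "location -> detection : action" line and separates live file hits from leftovers sitting in System Restore points, in earlier removal tools' backup folders, and in browser cookies; the sample input is a few lines copied from the report.

```python
"""Triage helper for AVG Anti-Spyware scan reports like the one posted above.

Every result line in the report has the shape
    <location> -> <detection> : <action>
Cookie hits carry an extra ':mozilla.<n>:' prefix in front of the cookies.txt path.
The helper sorts hits by where they were found, so a reader can tell a live
infection from leftovers in a restore point or a removal tool's backup folder.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: a few lines copied verbatim from the report in this thread,
# together with its header and footer lines.
SAMPLE_REPORT = r"""
+ Created at: 11:13:01 13/05/2007

+ Scan result:

C:\QooBox\Quarantine\C\WINDOWS\system32\hobhqean.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP25\A0003491.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\rxrlrbtf.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{572A9EBB-FFCB-4E41-BE27-DF6E71CEDA3F}\RP23\A0003228.dll -> Logger.VBStat.h : Cleaned with backup (quarantined).
C:\cp1041.nls -> Proxy.Horst : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.57:C:\Documents and Settings\Charlie.A22F9CA1071340E\Application Data\Mozilla\Firefox\Profiles\38yhvxte.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end
"""

COOKIE_PREFIX = re.compile(r"^:mozilla\.(\d+):(.*)$")


@dataclass
class Hit:
    location: str            # file path, or the cookies.txt path for a cookie hit
    detection: str           # e.g. Adware.Virtumonde
    action: str              # e.g. Cleaned with backup (quarantined)
    area: str                # live, restore_point, tool_backup or cookie
    cookie_index: Optional[int] = None


def classify(location: str, is_cookie: bool) -> str:
    """Decide where a hit lives; only 'live' hits are files still in use on disk."""
    if is_cookie:
        return "cookie"
    low = location.lower()
    if "\\system volume information\\_restore{" in low:
        return "restore_point"        # copy kept by System Restore, never executed
    if "\\qoobox\\quarantine\\" in low or "\\vundofix backups\\" in low:
        return "tool_backup"          # already neutralised by an earlier tool
    return "live"


def parse_line(line: str) -> Optional[Hit]:
    """Parse one result line; header, footer and blank lines return None."""
    if " -> " not in line:
        return None
    location, rest = line.rsplit(" -> ", 1)
    detection, sep, action = rest.partition(" : ")
    if not sep:
        return None
    cookie_index = None
    m = COOKIE_PREFIX.match(location)
    if m:
        cookie_index, location = int(m.group(1)), m.group(2)
    return Hit(location, detection.strip(), action.strip().rstrip("."),
               classify(location, m is not None), cookie_index)


def parse_report(text: str) -> list:
    return [h for h in (parse_line(ln) for ln in text.splitlines()) if h]


def summarize(hits: list) -> dict:
    """Counts per area and per detection, plus the hits that deserve a closer look."""
    return {
        "total": len(hits),
        "by_area": dict(Counter(h.area for h in hits)),
        "by_detection": dict(Counter(h.detection for h in hits)),
        "live": [h for h in hits if h.area == "live"],
        "restore_point": [h for h in hits if h.area == "restore_point"],
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(s["by_area"], s["by_detection"])
    for h in s["live"]:
        print("live file hit:", h.location, "->", h.detection)
    if s["restore_point"]:
        print(len(s["restore_point"]), "hit(s) in restore points: clear System Restore")
```

On the sample, the only live file hit is C:\cp1041.nls; everything else is a restore-point copy, a tool backup or a cookie, which is why clearing System Restore is part of the follow-up advice.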

banjo
2007-05-13, 20:33
Logfile of HijackThis v1.99.1
Scan saved at 11:19:02, on 13/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod ?? (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-05-13, 20:51
Hello :)

Looks pretty good now. How is the computer running?

:bigthumb:

banjo
2007-05-14, 04:14
The computer has sped up and no more jumping to strange sites, and it seems I'm well set up in regards to protection? I'm running AVG anti spyware and anti virus, I've got zone alarm and spybot S&D plus what I've installed for this clean up.
Thanks for helping,
Hope all is well in your part of the world,
banjo

Mr_JAk3
2007-05-14, 10:00
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 2
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)