Smitfraud-C.Toolbar888 & tons of other problems



ram7704
2007-05-08, 05:34
After reading some of the information provided in others' problems, I have completed a few of the following:

Hijack This Report:
Logfile of HijackThis v1.99.1
Scan saved at 8:10:46 PM, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: (no name) - {3D9FFB19-932E-488A-91C8-796F0AEC1D58} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7996186E-46A0-4BF8-B85A-CD7274A08E5f} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84C39C6B-199E-483C-BDBC-B2A7E88D5605} - (no file)
O2 - BHO: (no name) - {B1AE7512-A7AB-4E7B-B65B-E0CE1E4BE2D7} - C:\WINDOWS\system32\awvvs.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AutoTBar] em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ebuabjqa.dll",realset
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103w.bay103.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132362226328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177058755218
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab50997.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

VundoFix Report:
VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 6:00:12 PM 07/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\aiqcwghp.dll
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\ccyryowq.dll
C:\WINDOWS\system32\evtigatb.dll
C:\WINDOWS\system32\gycpuhsw.dll
C:\WINDOWS\system32\hgueskpg.dll
C:\WINDOWS\system32\hngxhooy.dll
C:\WINDOWS\system32\hrmdhrno.dll
C:\WINDOWS\system32\hutvjdbe.dll
C:\WINDOWS\system32\ikvbhbbg.dll
C:\WINDOWS\system32\jeuxwoyh.dll
C:\WINDOWS\system32\jgkqjeab.dll
C:\WINDOWS\system32\jsoephwx.dll
C:\WINDOWS\system32\kcnhkdsh.dll
C:\WINDOWS\system32\kpvpfrfm.dll
C:\WINDOWS\system32\lcsntgyo.dll
C:\WINDOWS\system32\lqceyexj.dll
C:\WINDOWS\system32\luduofpr.dll
C:\WINDOWS\system32\lxffqkqc.dll
C:\WINDOWS\system32\nnnmljk.dll
C:\WINDOWS\system32\oawyfiac.dll
C:\WINDOWS\system32\ocqnaxcp.dll
C:\WINDOWS\system32\ocwghrdh.dll
C:\WINDOWS\system32\qlsmvxoq.dll
C:\WINDOWS\system32\qttldagr.dll
C:\WINDOWS\system32\rdckwftf.dll
C:\WINDOWS\system32\rlijujeq.dll
C:\WINDOWS\system32\rorqvyrm.dll
C:\WINDOWS\system32\rxtqxhno.dll
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\svvwa.bak2
C:\WINDOWS\system32\svvwa.ini
C:\WINDOWS\system32\svvwa.ini2
C:\WINDOWS\system32\svvwa.tmp
C:\WINDOWS\system32\uwewpmnq.dll
C:\WINDOWS\system32\uwsipfoq.dll
C:\WINDOWS\system32\yjrewpou.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aiqcwghp.dll
C:\WINDOWS\system32\aiqcwghp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\awvvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccyryowq.dll
C:\WINDOWS\system32\ccyryowq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\evtigatb.dll
C:\WINDOWS\system32\evtigatb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gycpuhsw.dll
C:\WINDOWS\system32\gycpuhsw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgueskpg.dll
C:\WINDOWS\system32\hgueskpg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hngxhooy.dll
C:\WINDOWS\system32\hngxhooy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hrmdhrno.dll
C:\WINDOWS\system32\hrmdhrno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hutvjdbe.dll
C:\WINDOWS\system32\hutvjdbe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikvbhbbg.dll
C:\WINDOWS\system32\ikvbhbbg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jeuxwoyh.dll
C:\WINDOWS\system32\jeuxwoyh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jgkqjeab.dll
C:\WINDOWS\system32\jgkqjeab.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jsoephwx.dll
C:\WINDOWS\system32\jsoephwx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kcnhkdsh.dll
C:\WINDOWS\system32\kcnhkdsh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kpvpfrfm.dll
C:\WINDOWS\system32\kpvpfrfm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lcsntgyo.dll
C:\WINDOWS\system32\lcsntgyo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lqceyexj.dll
C:\WINDOWS\system32\lqceyexj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\luduofpr.dll
C:\WINDOWS\system32\luduofpr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lxffqkqc.dll
C:\WINDOWS\system32\lxffqkqc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnmljk.dll
C:\WINDOWS\system32\nnnmljk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oawyfiac.dll
C:\WINDOWS\system32\oawyfiac.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ocqnaxcp.dll
C:\WINDOWS\system32\ocqnaxcp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ocwghrdh.dll
C:\WINDOWS\system32\ocwghrdh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qlsmvxoq.dll
C:\WINDOWS\system32\qlsmvxoq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qttldagr.dll
C:\WINDOWS\system32\qttldagr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rdckwftf.dll
C:\WINDOWS\system32\rdckwftf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rlijujeq.dll
C:\WINDOWS\system32\rlijujeq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rorqvyrm.dll
C:\WINDOWS\system32\rorqvyrm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rxtqxhno.dll
C:\WINDOWS\system32\rxtqxhno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\svvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\svvwa.bak2
C:\WINDOWS\system32\svvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\svvwa.ini
C:\WINDOWS\system32\svvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\svvwa.ini2
C:\WINDOWS\system32\svvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\svvwa.tmp
C:\WINDOWS\system32\svvwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwewpmnq.dll
C:\WINDOWS\system32\uwewpmnq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwsipfoq.dll
C:\WINDOWS\system32\uwsipfoq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yjrewpou.dll
C:\WINDOWS\system32\yjrewpou.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 8:13:54 PM 07/05/2007

Listing files found while scanning....

No infected files were found.

ram7704
2007-05-08, 05:39
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 07, 2007 8:02:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/05/2007
Kaspersky Anti-Virus database records: 315218
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 98651
Number of viruses found: 20
Number of infected objects: 129
Number of suspicious objects: 0
Duration of the scan process: 01:23:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007050720070508\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\InstallShield Installation Information\{19234D4B-AA7A-4165-8ECB-0247B420C515}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{26BDE7D8-93F0-4A07-AD47-1707DB417941}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{91B323B5-A79C-4D23-BD6D-046C565F9BCF}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{976EA7B1-7562-483D-88DA-4323D263B7CD}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{DE286975-ACF1-45B8-9EF7-34E162B2C817}\Setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}\Setup.ilg Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc37.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc38.sav Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc39.DUS Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc40.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc41.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc42.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1003\Dc43.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1008\Dc12.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\RECYCLER\S-1-5-21-1355472538-2792187077-1989954115-1003\Dc1.exe Infected: not-a-virus:Porn-Dialer.Win32.AsianRaw.bc skipped
C:\RECYCLER\S-1-5-21-2109563836-3697440518-998460145-1003\Dc218\ErrorSafeFreeInstallW[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\RECYCLER\S-1-5-21-2109563836-3697440518-998460145-1003\Dc219\ErrorSafeFreeInstallW[1].cab/UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\RECYCLER\S-1-5-21-2109563836-3697440518-998460145-1003\Dc219\ErrorSafeFreeInstallW[1].cab CAB: infected - 1 skipped
C:\RECYCLER\S-1-5-21-2109563836-3697440518-998460145-1003\Dc221\PCTurboProInstallerFree[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.w skipped
C:\RECYCLER\S-1-5-21-2109563836-3697440518-998460145-1003\Dc266.dll Infected: Packed.Win32.Klone.j skipped
C:\RECYCLER\S-1-5-21-2109563836-3697440518-998460145-1003\Dc267.dll Infected: Packed.Win32.Klone.j skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc387.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc388.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc389.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc390.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc391.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc392.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc393.PSF Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc394.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc395.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc396.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc426.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc427.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc428.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc429.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc430.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc431.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc432.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc433.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc434.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc435.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc436.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc437.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc438.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc439.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc440.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc441.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-2382219286-3372686796-1432744361-1003\Dc442.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc62.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc63.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc64.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc65.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc66.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc67.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc68.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc69.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc70.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc71.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc72.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc73.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc74.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc75.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc76.reg Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc77.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-668290192-613363583-4092584357-1003\Dc86.asd Object is locked skipped

ram7704
2007-05-08, 05:40
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP392\A0069655.dll Infected: not-a-virus:AdWare.Win32.Mirar.f skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP392\A0069695.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP396\A0069741.dll Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP422\A0075903.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0076188.exe Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP429\A0077296.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP430\A0077539.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP430\A0077576.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP430\A0077577.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP430\A0077578.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP431\A0077662.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP431\A0077664.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP431\A0077668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP438\A0078095.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078187.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078188.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078223.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078262.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078264.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078265.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078266.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078267.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078268.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0078488.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0078492.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0078493.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0078494.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP445\A0078898.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP445\A0078912.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP446\A0079530.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079547.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079548.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079549.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079550.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079551.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079552.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079553.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079554.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079555.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079556.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079557.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079558.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079572.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP448\A0079599.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP448\A0079600.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP449\A0079664.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP449\A0079665.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP449\A0079666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP449\A0079670.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP449\A0079672.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP449\A0079677.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079717.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079718.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079719.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079720.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079721.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079722.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079723.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079725.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079726.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079727.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079728.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079729.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079730.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079731.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079732.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079733.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079734.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079735.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079737.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079738.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079739.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079740.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079741.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079742.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079743.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079745.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079746.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079747.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\change.log Object is locked skipped
C:\VundoFix Backups\aiqcwghp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\awvvs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\ccyryowq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\evtigatb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\gycpuhsw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\hgueskpg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\hngxhooy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\hrmdhrno.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\hutvjdbe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\ikvbhbbg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\jeuxwoyh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\jgkqjeab.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\jsoephwx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\kcnhkdsh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\kpvpfrfm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\lcsntgyo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\lqceyexj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\luduofpr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\lxffqkqc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\oawyfiac.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\ocqnaxcp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\ocwghrdh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\qlsmvxoq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\qttldagr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\rdckwftf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\rlijujeq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\rorqvyrm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\rxtqxhno.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\uwewpmnq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\uwsipfoq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\yjrewpou.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA5P_0001_FNI531024NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.h skipped
C:\WINDOWS\Downloaded Program Files\UWA5PNetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\UWA5P_0001_FNI531024NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.h skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dpvkjkll.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\fwfjumwj.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\gsceeihj.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\icoedpdw.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\oselcxii.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Help with this is greatly appreciated.
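Added example (not part of the original thread, and not output of any tool mentioned in it): a small Python triage of Kaspersky-style scan lines like the ones above. Most of the hits in that log are not live infections: they sit in System Restore snapshots under System Volume Information (inert until a restore is performed, which is why the usual advice is to turn System Restore off and back on once the machine is clean), or in the VundoFix Backups quarantine folder, and the "Object is locked" lines are files the scanner could not open, not detections at all. The script sorts each line into those buckets so the handful of live files (here, the system32 DLLs and the Downloaded Program Files installers) stand out. The sample lines are a constructed subset copied from the log above; the bucket names and the `.bad` suffix check for quarantined files are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the Kaspersky scan output
# posted above, not the full log.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079747.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\change.log Object is locked skipped
C:\VundoFix Backups\awvvs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\dpvkjkll.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\system32\fwfjumwj.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\Downloaded Program Files\UWA5PNetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
""".strip()

# One scan line: "<path> Infected: <verdict> skipped" or "<path> Object is locked skipped".
# The path is matched lazily because it may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)|Object is locked) skipped$"
)
# System Restore snapshot files live under <drive>:\System Volume Information\_restore{...}
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.IGNORECASE)


def classify(path, verdict):
    """Bucket a hit by where the file lives (bucket names are my own labels)."""
    if verdict is None:
        return "locked"          # scanner could not open the file; not a detection
    if RESTORE_RE.match(path):
        return "restore_point"   # dormant copy inside a System Restore snapshot
    low = path.lower()
    if "\\vundofix backups\\" in low or low.endswith(".bad"):
        return "quarantine"      # already neutralised by a removal tool (assumed .bad convention)
    return "live"                # on-disk file that can still be loaded


def triage(text):
    """Parse scan output and return {bucket: [(path, verdict), ...]}."""
    buckets = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path, verdict = m.group("path"), m.group("verdict")
        buckets[classify(path, verdict)].append((path, verdict))
    return dict(buckets)


def live_paths(text):
    """Just the paths that still need action, in log order."""
    return [p for p, _ in triage(text).get("live", [])]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("live", "quarantine", "restore_point", "locked"):
        print(f"{bucket:14s} {len(result.get(bucket, []))}")
    for path, verdict in result.get("live", []):
        print(f"  ACTION  {path}  ({verdict})")
```

Run against the full log above, the same split shows that only the five `Packed.Win32.Klone.j` DLLs in system32 and the three installers under Downloaded Program Files are live; everything else is a snapshot copy or a quarantined backup.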

Mr_JAk3
2007-05-13, 21:54
Hello ram7704 and welcome to the Forums :)

Sorry for the delay...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ram7704
2007-05-14, 03:44
Hi Mr. Jak.

Thank you for replying. Here is the report.

"Owner" - 2007-05-13 18:37:02 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dpvkjkll.dll
C:\WINDOWS\system32\ebuabjqa.dll
C:\WINDOWS\system32\fwfjumwj.dll
C:\WINDOWS\system32\gsceeihj.dll
C:\WINDOWS\system32\icoedpdw.dll
C:\WINDOWS\system32\jeavhrlb.dll
C:\WINDOWS\system32\oselcxii.dll
C:\WINDOWS\system32\wqygrtpy.dll
C:\WINDOWS\system32\yesavidw.dll
C:\WINDOWS\system32\aqjbaube.ini
C:\WINDOWS\system32\aqjbaube.ini2
C:\WINDOWS\system32\aqjbaube.tmp
C:\WINDOWS\system32\blrhvaej.ini
C:\WINDOWS\system32\yptrgyqw.ini
C:\WINDOWS\system32\wdivasey.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\Install.dat
C:\Program Files\p2pnetworks\AlConfig.xml
C:\Program Files\p2pnetworks\alp2plib.log
C:\Program Files\p2pnetworks\alp2plib.log.bak
C:\Program Files\p2pnetworks\install.log
C:\Program Files\p2pnetworks\mpp2pl.exe
C:\Program Files\p2pnetworks\sp2p.cache
C:\Program Files\p2pnetworks\uninst.exe
C:\Program Files\p2pnetworks
C:\Program Files\Common Files\{F8806~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-13 18:40 2,053,181 ---hs---- C:\WINDOWS\system32\aqjbaube.ini2
2007-05-12 14:40 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1.000\NTUSER.DAT
2007-05-12 14:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\WINDOWS
2007-05-12 14:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\APPLIC~1\Symantec
2007-05-12 14:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\APPLIC~1\SampleView
2007-05-12 14:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\APPLIC~1\Real
2007-05-08 20:09 3,191,432 --a------ C:\runalyz.exe
2007-05-08 20:09 <DIR> d-------- C:\Program Files\Safer Networking
2007-05-08 18:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 21:27 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1.YOU\NTUSER.DAT
2007-05-07 21:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\APPLIC~1\Real
2007-05-07 20:08 <DIR> d-------- C:\HJT
2007-05-07 18:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-07 18:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-05-07 18:00 <DIR> d-------- C:\VundoFix Backups
2007-05-07 10:08 5,505,024 --a------ C:\DOCUME~1\THEGIR~1\ntuser.dat
2007-05-07 03:22 1,462,558 ---hs---- C:\WINDOWS\system32\lcveefct.ini2
2007-05-07 02:30 5,037,072 --a------ C:\spybotsd14.exe
2007-05-07 02:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-03 05:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-04-29 07:31 7,602,176 --a------ C:\DOCUME~1\Owner\ntuser.dat
2007-04-28 10:36 <DIR> d-------- C:\DOCUME~1\THEGIR~1\APPLIC~1\SampleView
2007-04-21 15:35 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-20 05:17 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-04-20 00:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-04-19 03:13 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-04-18 13:45 <DIR> d-------- C:\DOCUME~1\THEGIR~1\APPLIC~1\AdobeUM
2007-04-14 23:49 <DIR> d--hs---- C:\WINDOWS\IA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-18 00:24:12 -------- d-----w C:\Program Files\Lavasoft
2007-04-17 11:22:47 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-06 00:38:19 -------- d-----w C:\Program Files\Yahoo!
2007-04-02 07:05:58 -------- d-----w C:\Program Files\illiminable
2007-04-02 05:02:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-17 16:32:56 -------- d-----w C:\Program Files\Shockwave.com
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-01 09:33:15 374 ----a-w C:\DOCUME~1\Owner\APPLIC~1\internaldb6334.dat
2007-03-01 09:16:49 18,432 ----a-w C:\DOCUME~1\Owner\APPLIC~1\internaldb41.dat
2007-03-01 09:16:45 538 ----a-w C:\DOCUME~1\Owner\APPLIC~1\internaldb8467.dat
2007-03-01 08:57:05 32 ----a-w C:\WINDOWS\system32\winrui.dll
2007-02-28 21:32:06 69,698 ----a-w C:\WINDOWS\distro_uPlayMe_stub_973387.exe
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 04:43]
{89AD2930-A9D1-47B9-88F5-7BECF7578E4C}=C:\WINDOWS\system32\awvvs.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"AutoTBar"="em32\\Wbem;c:\\Python22;C:\\Program Files\\PC-Doctor for Windows\\servicesAUTOTBAR.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"AlcxMonitor"="ALCXMNTR.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 05:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 05:15]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-13 22:43]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 C:\WINDOWS\system32\VTTimer.exe])
"AGRSMMSG"="AGRSMMSG.exe" [])
"AutoTBar"="em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 18:04]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 18:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]
"AlcxMonitor"="ALCXMNTR.EXE" [])

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"RecordNow!"="" [])
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 16:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"RecordNow!"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070508-000023-969
O4 - HKCU\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tcfeevcl.dll",setvm
backup-20070507-235913-459
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\system32\awvvs.dll,CreateProtectProc
backup-20070507-221603-796
O2 - BHO: (no name) - {B1AE7512-A7AB-4E7B-B65B-E0CE1E4BE2D7} - C:\WINDOWS\system32\awvvs.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 18:41:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 18:41:39
C:\ComboFix-quarantined-files.txt ... 2007-05-13 18:41

Mr_JAk3
2007-05-14, 10:59
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: (no name) - {3D9FFB19-932E-488A-91C8-796F0AEC1D58} - (no file)
O2 - BHO: (no name) - {7996186E-46A0-4BF8-B85A-CD7274A08E5f} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84C39C6B-199E-483C-BDBC-B2A7E88D5605} - (no file)
O2 - BHO: (no name) - {B1AE7512-A7AB-4E7B-B65B-E0CE1E4BE2D7} - C:\WINDOWS\system32\awvvs.dll (file missing)
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ebuabjqa.dll",realset

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\aqjbaube.ini2
C:\WINDOWS\system32\lcveefct.ini2

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

ram7704
2007-05-15, 05:53
Hello again Mr. Jak,

Sorry if I don't respond very quickly, but I work all day. Here are the reports:

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:45 PM, on 14/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AutoTBar] em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103w.bay103.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132362226328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177058755218
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab50997.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:35:35 PM 14/05/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\dpvkjkll.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\fwfjumwj.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\gsceeihj.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\icoedpdw.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\oselcxii.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP438\A0078095.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP452\A0079946.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP452\A0079947.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP457\A0080225.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP457\A0080227.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP457\A0080228.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP457\A0080229.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP457\A0080231.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP446\A0079531.exe -> Adware.IWantSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078187.dll -> Adware.Lucky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0078494.dll -> Adware.Lucky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP446\A0079530.dll -> Adware.Lucky : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP392\A0069655.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP392\A0069695.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP439\A0078188.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP443\A0078492.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP447\A0079547.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1008\Dc12.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079736.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP452\A0079926.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1355472538-2792187077-1989954115-1003\Dc1.exe -> Dialer.AsianRaw.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP422\A0075903.exe -> Downloader.Adload.jm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP396\A0069735.exe -> Downloader.Agent.bkw : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA5PNetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.e : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA5P_0001_FNI531024NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.h : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA5P_0001_FNI531024NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP452\A0079953.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP427\A0076188.exe -> Not-A-Virus.Hoax.Win32.Renos.he : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP396\A0069741.dll -> Trojan.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\p2pnetworks\mpp2pl.exe.vir -> Trojan.MediaPipe.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP457\A0080223.exe -> Trojan.MediaPipe.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP421\A0075731.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP428\A0076244.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP428\A0076247.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

**I thought I should let you know that when I log onto "The Girls" account 3 boxes pop-up
1. Error loading C:\WINDOWS\system32\awvvs.dll
2. Error loading C:\WINDOWS\system32\ebuabjqa.dll
3. Error loading C:\WINDOWS\system32\tcfeevcl.dll
All underneath say "The specified module could not be found"
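Most of the hits in the AVG report above sit in holding areas (another tool's quarantine folder, System Restore points, the Recycle Bin) rather than in place on the system; only the items under IE's Downloaded Program Files folder were actually installed where they could run. The script below is an added example written for this thread, not part of AVG Anti-Spyware or of the post; it parses report lines of the "path -> detection : action" form and buckets them by location. The sample lines are copied from the report above, and the bucket and function names are this example's own.

```python
"""Bucket AVG Anti-Spyware report lines by where the file was found.

Added example for this thread; not part of AVG Anti-Spyware or of the forum
post. A hit inside another tool's quarantine, a System Restore point or the
Recycle Bin is an inert copy; a hit in IE's Downloaded Program Files folder or
anywhere else on disk is a file that was actually in place.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the report posted above.
SAMPLE_REPORT = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\dpvkjkll.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP438\A0078095.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP450\A0079736.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1156901620-1524690348-4111518195-1008\Dc12.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA5PNetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.e : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA5P_0001_FNI531024NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.h : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\p2pnetworks\mpp2pl.exe.vir -> Trojan.MediaPipe.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP428\A0076244.vbs -> Trojan.Small : Cleaned with backup (quarantined).
"""

# "<path> -> <detection> : <action>"; detection names contain dots but no colons.
LINE_RE = re.compile(r'^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$')


def bucket(path):
    """Classify a reported path by the kind of location it sits in."""
    p = path.lower()
    if '\\qoobox\\quarantine\\' in p or p.endswith('.vir'):
        return 'tool_quarantine'      # already neutralised by an earlier tool
    if '\\system volume information\\_restore{' in p:
        return 'restore_point'        # copy kept by System Restore
    if re.search(r'\\recycler\\s-1-5-', p):
        return 'recycle_bin'          # deleted by a user, not yet purged
    if '\\downloaded program files\\' in p:
        return 'ie_activex_cache'     # installed through the browser
    return 'live'                     # anywhere else on disk


def parse_avg_report(text):
    """Return one dict per report line: path, detection, action, bucket."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['bucket'] = bucket(rec['path'])
            records.append(rec)
    return records


def bucket_counts(records):
    return dict(Counter(r['bucket'] for r in records))


def active_hits(records):
    """Hits that were in place on the system rather than in a holding area."""
    return [r for r in records if r['bucket'] in ('ie_activex_cache', 'live')]


if __name__ == '__main__':
    recs = parse_avg_report(SAMPLE_REPORT)
    for name, n in sorted(bucket_counts(recs).items()):
        print(f'{name:18} {n}')
    for r in active_hits(recs):
        print('ACTIVE', r['detection'], r['path'])
```

Run against the full report, the restore-point hits are what the later advice to clear System Restore is aimed at; the active_hits list is the short one worth reading closely.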

Mr_JAk3
2007-05-15, 11:08
Hi :)

OK could you post a HijackThis log taken on "The Girls" account then :bigthumb:

ram7704
2007-05-15, 14:21
Good morning Mr. Jak,

Here is the report you requested:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:01 AM, on 15/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AutoTBar] em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKCU\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\system32\awvvs.dll,CreateProtectProc
O4 - HKCU\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tcfeevcl.dll",setvm
O4 - HKCU\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ebuabjqa.dll",realset
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103w.bay103.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132362226328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177058755218
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab50997.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Mr_JAk3
2007-05-15, 21:54
Hello :)

Some leftovers...

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:

DriveCleaner Free

and any other programs you didn't install or don't recognize - if you're not sure please ask first

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKCU\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\system32\awvvs.dll,CreateProtectProc
O4 - HKCU\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tcfeevcl.dll",setvm
O4 - HKCU\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ebuabjqa.dll",realset

Delete this folder if found:
C:\Program Files\Common Files\DriveCleaner Free

Reboot the computer.

When you're ready, please post the following logs to here:
- a fresh HijackThis log
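The entries picked out above follow a pattern: HKCU Run values that start rundll32.exe against a DLL with a random-looking name in system32, plus anything living under the folder just identified as unwanted. The script below is an added example written for this thread, not part of HijackThis or of the helper's post; it parses the O4 lines of a HijackThis log and flags entries matching those patterns, producing the same kind of "check these" list. The sample lines are copied from the log above, except for the NvCplDaemon line, which is constructed to show a legitimate rundll32 loader scoring lower. The heuristics and the names triage_o4 and fix_list are this example's own.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example for this thread; not part of HijackThis or of the helper's post.
It pulls the HKLM/HKCU Run entries out of the log text and flags the kinds of
entries listed for "Fix checked": rundll32 loaders whose DLL has a
random-looking name in system32, entries under a folder already identified as
unwanted, and entries the log marks as pointing at a missing file.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the log above; the NvCplDaemon line
# is a made-up legitimate rundll32 entry added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINDOWS\system32\awvvs.dll,CreateProtectProc
O4 - HKCU\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\tcfeevcl.dll",setvm
O4 - HKCU\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ebuabjqa.dll",realset
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: (?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.*)$')
# rundll32.exe <dll>,<export>   (the DLL path may be quoted)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# Heuristic: a short, all-lowercase, letters-only file name (awvvs, tcfeevcl,
# ebuabjqa) carries no vendor or product name; real system DLLs rarely look so.
RANDOM_STEM_RE = re.compile(r'[a-z]{5,8}')


def triage_o4(log_text, unwanted_dirs=()):
    """Return one dict per suspicious O4 line with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.group('hive'), m.group('name') or '', m.group('cmd')
        reasons = []
        r = RUNDLL_RE.match(cmd)
        if r:
            dll = PureWindowsPath(r.group('dll'))
            reasons.append('rundll32_loader')
            if dll.parent.name.lower() == 'system32' and RANDOM_STEM_RE.fullmatch(dll.stem):
                reasons.append('random_name_in_system32')
        if any(d.lower() in cmd.lower() for d in unwanted_dirs):
            reasons.append('under_unwanted_dir')
        # HijackThis marks absent targets "(no file)" / "(file missing)",
        # as on the R3 and O9 lines of the log above.
        if cmd.endswith('(no file)') or cmd.endswith('(file missing)'):
            reasons.append('target_missing')
        if reasons:
            findings.append({'hive': hive, 'name': name, 'cmd': cmd,
                             'reasons': reasons, 'line': line})
    return findings


def fix_list(findings):
    """The original log lines, ready to paste into a 'check these entries' reply."""
    return [f['line'] for f in findings]


if __name__ == '__main__':
    found = triage_o4(SAMPLE_LOG, unwanted_dirs=('DriveCleaner Free',))
    for f in found:
        print(f"{f['hive']} [{f['name']}] -> {', '.join(f['reasons'])}")
    print('\nPaste for Fix checked:')
    print('\n'.join(fix_list(found)))
```

The rundll32_loader flag on its own is only a prompt to look; the random-name flag on top of it is what separates the three loaders above from a vendor entry like the constructed NvCpl one. Removing the DLL without the Run value is what produces the "specified module could not be found" boxes reported earlier, so the value and the file are handled together.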

ram7704
2007-05-16, 18:27
Hello again Mr. Jak,

Here is the report from "The Girls" Account. Please note, the pop-ups are no longer coming up when I log on. :bigthumb: Also, in the Add/Remove programs, there is no sign of DriveCleaner Free.

Logfile of HijackThis v1.99.1
Scan saved at 9:22:50 AM, on 16/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AutoTBar] em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103w.bay103.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132362226328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177058755218
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab50997.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Mr_JAk3
2007-05-16, 23:16
Hi again, it is looking clean now :)

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't, e.g., protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls:
Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer; you must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses:
AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Javas, beginning with J2SE Runtime Environment or similar
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

ram7704
2007-05-17, 10:26
Hello Mr. Jak,

First of all, I want to thank you for your help. What you and others are doing on this site is great!!! :bigthumb: to all of you!!!!

I have some questions, if you don't mind answering:

1. I believe I have a firewall. It's an Alpha Shield firewall that connects in between my internet connection and my computer. Is this good enough or should I still download another that you have suggested?

2. I see you suggested using Firefox. I've tried downloading this, but MSN Messenger doesn't seem to be compatible with it. Well, when I initially tried. Do you know if there are settings to make it compatible? i.e. when you click on your mail icon from MSN Messenger, Firefox will not bring up your mail the way Internet Explorer does.

3. What is QooBox? Do I need this folder?

4. Also a folder that is named "bintheredunthat." I don't ever recall having a folder named this.

5. Do I need to scan my account and "The Girls" account separately when I run all the scans?

6. With "The Girls" account set to a "Limited Account," does this in any way help my computer?

Thanks again for your help Mr. Jak. I am so grateful. You're great at what you do here.

Roberta

ram7704
2007-05-17, 10:28
Hello Mr. Jak,

First of all, I want to thank you for your help. What you and others are doing on this site is great!!! :bigthumb: to all of you!!!!

I have some questions, if you don't mind answering:

1. I believe I have a firewall. It's an Alpha Shield firewall that connects in between my internet connection and my computer. Is this good enough or should I still download another that you have suggested?

2. I see you suggested using Firefox. I've tried downloading this, but MSN Messenger doesn't seem to be compatible with it. Well, when I initially tried. Do you know if there are settings to make it compatible? i.e. when you click on your mail icon from MSN Messenger, Firefox will not bring up your mail the way Internet Explorer does.

3. What is QooBox? Do I need this folder?

4. Also a folder that is named "bintheredunthat." I don't ever recall having a folder named this.

5. Do I need to scan my account and "The Girls" account separately when I run all the scans?

6. With "The Girls" account set to a "Limited Account," does this in any way help my computer?

7. I almost forgot...What is SunJava? Is it part of Java?

Thanks again for your help Mr. Jak. I am so grateful. You're great at what you do here.

Roberta

Mr_JAk3
2007-05-17, 21:04
Hello :)

1. Ok, an external firewall is a good thing. It probably doesn't monitor which applications connect to the Internet from your computer. This is why it would be good to install a software firewall - protection for inbound threats.

2. Well, you can have both browsers, IE and Firefox, installed. You can still use IE for checking emails (in this case you may leave IE as your default browser).

3. QooBox is a backup folder created by one of the tools. You may delete it.

4. bintheredunthat is also a backup folder created by one of the tools. You may delete it.

5. No, if your account is an administrator account.

6. If you use this "The Girls" account normally, it should reduce the risk of some infections/consequences.

7. It is an application. E.g. some website features may require it. See more info here (http://en.wikipedia.org/wiki/Java_(Sun))

:bigthumb:

ram7704
2007-05-18, 09:14
Ok, I will install a firewall.

Your answers are very thorough.

Thanks again for all the help you have given!!!!!!!! :greeting:

Roberta

Mr_JAk3
2007-05-18, 22:44
That's great news and you're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: