Virtumonde and Smitfraud
lotusindigo
2007-06-08, 06:27
I ran Spybot in safe mode and couldn't get rid of these two. I also did the online scan, but couldn't understand how to get the logfile. Here is the HJT logfile:
-----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:17:02 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Games\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-----------------------
Can you help me?
Hi lotusindigo
Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
lotusindigo
2007-06-09, 03:49
I'm not sure I understood you correctly... what I did was change the target of the HJT desktop icon to scanner.exe and do another scan. Came up with this. Hope I did it right...
Logfile of HijackThis v1.99.1
Scan saved at 7:47:59 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {37854DC6-D076-4337-946E-D1EF7E0B20DF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\pmnllll.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\rkxshpyu.dll
O2 - BHO: (no name) - {FD6E46D8-D395-49A7-ABE3-D023F84C4AAA} - C:\WINDOWS\system32\mlljg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcos.dll,startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ygmyoqbg.dll",realset
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll (file missing)
O20 - Winlogon Notify: mlljg - C:\WINDOWS\system32\mlljg.dll
O20 - Winlogon Notify: pmnllll - C:\WINDOWS\SYSTEM32\pmnllll.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O20 - Winlogon Notify: winjks32 - C:\WINDOWS\
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi
That looks ok :)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
lotusindigo
2007-06-09, 21:28
Ran VundoFix. Came up with three instances that it couldn't delete. Rebooted. Upon reboot, got an error message telling me that VundoFix.exe could not be found. Saving VundoFix to my desktop and trying again.
lotusindigo
2007-06-09, 22:06
Worked the second time. :)
Logfile of HijackThis v1.99.1
Scan saved at 2:04:23 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {37854DC6-D076-4337-946E-D1EF7E0B20DF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\pmnllll.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\rkxshpyu.dll
O2 - BHO: (no name) - {FD6E46D8-D395-49A7-ABE3-D023F84C4AAA} - C:\WINDOWS\system32\mlljg.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcos.dll,startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ygmyoqbg.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O20 - Winlogon Notify: winjks32 - C:\WINDOWS\
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lotusindigo
2007-06-09, 22:50
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 8:23:03 PM 6/6/2007
Listing files found while scanning....
C:\Program Files\Common Files\{141A08E9-0702-1033-1217-020718030001}\services.dll
C:\WINDOWS\Help\ahrds.dll
C:\WINDOWS\Help\sdrha.bak1
C:\WINDOWS\Help\sdrha.bak2
C:\WINDOWS\Help\sdrha.ini
C:\WINDOWS\Help\sdrha.ini2
C:\WINDOWS\system32\amjhxuxx.dll
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtsppp.dll
C:\WINDOWS\system32\awttttt.dll
C:\WINDOWS\system32\bfeiehnm.dll
C:\WINDOWS\system32\bpoyfvqr.dll
C:\WINDOWS\system32\cbngeydh.dll
C:\WINDOWS\system32\ddscqaos.dll
C:\WINDOWS\system32\dgmhnyub.dll
C:\WINDOWS\system32\dibnttmh.dll
C:\WINDOWS\system32\drjlocbp.dll
C:\WINDOWS\system32\duthilop.dll
C:\WINDOWS\system32\eblterpm.dll
C:\WINDOWS\system32\eynowegx.dll
C:\WINDOWS\system32\fiwntxfx.dll
C:\WINDOWS\system32\fwhbhuuf.dll
C:\WINDOWS\system32\gebcdbc.dll
C:\WINDOWS\system32\hggfgda.dll
C:\WINDOWS\system32\ifrjqlwx.dll
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ikvuefyd.exe
C:\WINDOWS\system32\iqkqnruf.dll
C:\WINDOWS\system32\jblllvxt.dll
C:\WINDOWS\system32\jilhwcwm.dll
C:\WINDOWS\system32\jjvcutxh.dll
C:\WINDOWS\system32\jkkiiji.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jsngdhhi.exe
C:\WINDOWS\system32\kdndlfls.dll
C:\WINDOWS\system32\keytkscm.dll
C:\WINDOWS\system32\lmfvitnk.dll
C:\WINDOWS\system32\maowfchi.dll
C:\WINDOWS\system32\meflcxyj.dll
C:\WINDOWS\system32\mpimomjc.dll
C:\WINDOWS\system32\mrrbfhpg.dll
C:\WINDOWS\system32\ngohhqmx.dll
C:\WINDOWS\system32\nkxroxbh.dll
C:\WINDOWS\system32\oetsxrnt.dll
C:\WINDOWS\system32\opnoopo.dll
C:\WINDOWS\system32\peyryjsq.dll
C:\WINDOWS\system32\phppnmic.dll
C:\WINDOWS\system32\qlkwqtwj.dll
C:\WINDOWS\system32\qtcygnkh.dll
C:\WINDOWS\system32\rqrqonk.dll
C:\WINDOWS\system32\rqrspom.dll
C:\WINDOWS\system32\shwimbfx.dll
C:\WINDOWS\system32\smtynxdf.dll
C:\WINDOWS\system32\smvhggfs.dll
C:\WINDOWS\system32\txvlllbj.ini
C:\WINDOWS\system32\wjdpxeak.dll
C:\WINDOWS\system32\wmtqecme.dll
C:\WINDOWS\system32\xxyxyvv.dll
C:\WINDOWS\system32\yayxwwu.dll
C:\WINDOWS\system32\yjhuijmg.dll
C:\WINDOWS\system32\yliqqtxi.dll
Beginning removal...
Attempting to delete C:\Program Files\Common Files\{141A08E9-0702-1033-1217-020718030001}\services.dll
C:\Program Files\Common Files\{141A08E9-0702-1033-1217-020718030001}\services.dll Has been deleted!
Attempting to delete C:\WINDOWS\Help\ahrds.dll
C:\WINDOWS\Help\ahrds.dll Has been deleted!
Attempting to delete C:\WINDOWS\Help\sdrha.bak1
C:\WINDOWS\Help\sdrha.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\Help\sdrha.bak2
C:\WINDOWS\Help\sdrha.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\Help\sdrha.ini
C:\WINDOWS\Help\sdrha.ini Has been deleted!
Attempting to delete C:\WINDOWS\Help\sdrha.ini2
C:\WINDOWS\Help\sdrha.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\amjhxuxx.dll
C:\WINDOWS\system32\amjhxuxx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awtsppp.dll
C:\WINDOWS\system32\awtsppp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\awttttt.dll
C:\WINDOWS\system32\awttttt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\bfeiehnm.dll
C:\WINDOWS\system32\bfeiehnm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\bpoyfvqr.dll
C:\WINDOWS\system32\bpoyfvqr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbngeydh.dll
C:\WINDOWS\system32\cbngeydh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddscqaos.dll
C:\WINDOWS\system32\ddscqaos.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dgmhnyub.dll
C:\WINDOWS\system32\dgmhnyub.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dibnttmh.dll
C:\WINDOWS\system32\dibnttmh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\drjlocbp.dll
C:\WINDOWS\system32\drjlocbp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\duthilop.dll
C:\WINDOWS\system32\duthilop.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\eblterpm.dll
C:\WINDOWS\system32\eblterpm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\eynowegx.dll
C:\WINDOWS\system32\eynowegx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fiwntxfx.dll
C:\WINDOWS\system32\fiwntxfx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fwhbhuuf.dll
C:\WINDOWS\system32\fwhbhuuf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gebcdbc.dll
C:\WINDOWS\system32\gebcdbc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hggfgda.dll
C:\WINDOWS\system32\hggfgda.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ifrjqlwx.dll
C:\WINDOWS\system32\ifrjqlwx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ikvuefyd.exe
C:\WINDOWS\system32\ikvuefyd.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\iqkqnruf.dll
C:\WINDOWS\system32\iqkqnruf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jblllvxt.dll
C:\WINDOWS\system32\jblllvxt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jilhwcwm.dll
C:\WINDOWS\system32\jilhwcwm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjvcutxh.dll
C:\WINDOWS\system32\jjvcutxh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkiiji.dll
C:\WINDOWS\system32\jkkiiji.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\jsngdhhi.exe
C:\WINDOWS\system32\jsngdhhi.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\kdndlfls.dll
C:\WINDOWS\system32\kdndlfls.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\keytkscm.dll
C:\WINDOWS\system32\keytkscm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lmfvitnk.dll
C:\WINDOWS\system32\lmfvitnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\maowfchi.dll
C:\WINDOWS\system32\maowfchi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\meflcxyj.dll
C:\WINDOWS\system32\meflcxyj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mpimomjc.dll
C:\WINDOWS\system32\mpimomjc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mrrbfhpg.dll
C:\WINDOWS\system32\mrrbfhpg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ngohhqmx.dll
C:\WINDOWS\system32\ngohhqmx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nkxroxbh.dll
C:\WINDOWS\system32\nkxroxbh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\oetsxrnt.dll
C:\WINDOWS\system32\oetsxrnt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\opnoopo.dll
C:\WINDOWS\system32\opnoopo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\peyryjsq.dll
C:\WINDOWS\system32\peyryjsq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\phppnmic.dll
C:\WINDOWS\system32\phppnmic.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qlkwqtwj.dll
C:\WINDOWS\system32\qlkwqtwj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qtcygnkh.dll
C:\WINDOWS\system32\qtcygnkh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrqonk.dll
C:\WINDOWS\system32\rqrqonk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rqrspom.dll
C:\WINDOWS\system32\rqrspom.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\shwimbfx.dll
C:\WINDOWS\system32\shwimbfx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\smtynxdf.dll
C:\WINDOWS\system32\smtynxdf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\smvhggfs.dll
C:\WINDOWS\system32\smvhggfs.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\txvlllbj.ini
C:\WINDOWS\system32\txvlllbj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\wjdpxeak.dll
C:\WINDOWS\system32\wjdpxeak.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wmtqecme.dll
C:\WINDOWS\system32\wmtqecme.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyxyvv.dll
C:\WINDOWS\system32\xxyxyvv.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\yayxwwu.dll
C:\WINDOWS\system32\yayxwwu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yjhuijmg.dll
C:\WINDOWS\system32\yjhuijmg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yliqqtxi.dll
C:\WINDOWS\system32\yliqqtxi.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 12:59:54 PM 6/9/2007
Listing files found while scanning....
C:\WINDOWS\system32\bilnxbew.ini
C:\WINDOWS\system32\cxeicldl.ini
C:\WINDOWS\system32\gbqoymgy.ini
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\gjllm.bak2
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\iifccdb.dll
C:\WINDOWS\system32\iifffdc.dll
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\ldlciexc.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\opnkhhh.dll
C:\WINDOWS\system32\pmnllll.dll
C:\WINDOWS\system32\webxnlib.dll
C:\WINDOWS\system32\xxyxyvv.dll
C:\WINDOWS\system32\ygmyoqbg.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bilnxbew.ini
C:\WINDOWS\system32\bilnxbew.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\cxeicldl.ini
C:\WINDOWS\system32\cxeicldl.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\gbqoymgy.ini
C:\WINDOWS\system32\gbqoymgy.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\gjllm.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\gjllm.bak2
C:\WINDOWS\system32\gjllm.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifccdb.dll
C:\WINDOWS\system32\iifccdb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iifffdc.dll
C:\WINDOWS\system32\iifffdc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ldlciexc.dll
C:\WINDOWS\system32\ldlciexc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\mlljg.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\opnkhhh.dll
C:\WINDOWS\system32\opnkhhh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnllll.dll
C:\WINDOWS\system32\pmnllll.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\webxnlib.dll
C:\WINDOWS\system32\webxnlib.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyxyvv.dll
C:\WINDOWS\system32\xxyxyvv.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ygmyoqbg.dll
C:\WINDOWS\system32\ygmyoqbg.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 1:25:09 PM 6/9/2007
Listing files found while scanning....
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmnllll.dll
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xxyxyvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\mlljg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkhe.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\pmnllll.dll
C:\WINDOWS\system32\pmnllll.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyxyvv.dll
C:\WINDOWS\system32\xxyxyvv.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkhe.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.2
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 1:48:23 PM 6/9/2007
Listing files found while scanning....
C:\WINDOWS\system32\jkkji.dll
Beginning removal...
Performing Repairs to the registry.
Done!
Hi
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {37854DC6-D076-4337-946E-D1EF7E0B20DF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\pmnllll.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\rkxshpyu.dll
O2 - BHO: (no name) - {FD6E46D8-D395-49A7-ABE3-D023F84C4AAA} - C:\WINDOWS\system32\mlljg.dll (file missing)
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [uhkxefqh.exe] C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcos.dll,startup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\ygmyoqbg.dll",realset
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O20 - Winlogon Notify: winjks32 - C:\WINDOWS\
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
Close all windows, including your browser, and press Fix checked.
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.
Please run Killbox.
Select "Delete on Reboot" and "All files".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\SYSTEM32\wineil32.dll
C:\WINDOWS\SYSTEM32\winjgf32.dll
C:\Documents and Settings\All Users\Application Data\uhkxefqh.exe
C:\WINDOWS\system32\drvcos.dll
C:\WINDOWS\system32\rkxshpyu.dll
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.
If your computer does not restart automatically, please restart it manually.
Post a fresh HijackThis log.
lotusindigo
2007-06-10, 23:29
Did all the above steps. I never got a Pending Operations prompt after the reboot prompt; is that ok? Here is the HJT logfile.
Logfile of HijackThis v1.99.1
Scan saved at 3:27:50 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lotusindigo
2007-06-10, 23:36
I noticed that the wineil32 file was still in that most recent log. I figured I may have forgotten to check it, so I repeated all the steps for the wineil32.dll file only. New HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 3:33:41 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi
Yes, that's ok :)
Have you installed this yourself?
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK.
Now, under Select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.
Post:
- a fresh HijackThis log
- Kaspersky report
lotusindigo
2007-06-12, 07:58
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 11, 2007 11:54:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/06/2007
Kaspersky Anti-Virus database records: 342546
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 98810
Number of viruses found: 38
Number of infected objects: 150
Number of suspicious objects: 0
Duration of the scan process: 01:52:16
Infected Object Name / Virus Name / Last Action
C:\!KillBox\drvcos.dll Infected: Trojan.Win32.Agent.qt skipped
C:\!KillBox\rkxshpyu.dll Infected: Trojan.Win32.BHO.bd skipped
C:\!KillBox\wineil32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\!KillBox\winjgf32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\bsgvjmep.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\6ccffeebf26f3b53bf560ce3ebc894a3_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\946f290e786381d3225bb1101d45fab7_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87597c2bd92cecd42067219e4eb14c62_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff10bef4f9389c2d059ca9a726a90678_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Games\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Games\Desktop\backups\backup-20070610-152134-788.dll Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\Games\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Games\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\History\History.IE5\MSHist012007061120070612\index.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temp\hsperfdata_Games\3580 Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temp\~DF364.tmp Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temp\~DF375.tmp Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Games\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Games\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Games\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Jheru\Local Settings\Temp\hsperfdata_Jheru\2160 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3084 Object is locked skipped
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335693.dll Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335702.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335704.dll Infected: not-a-virus:AdWare.Win32.Comet.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336039.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336157.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336162.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336164.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336168.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336173.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336175.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336212.dll Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336214.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336225.dll Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336227.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336309.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336392.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336393.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336394.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336397.dll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336423.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336424.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336425.exe Infected: Trojan-Downloader.Win32.Tiny.he skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340454.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340455.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340571.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340785.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340786.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340788.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340789.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340791.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340802.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340803.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340804.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340810.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340811.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340863.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340864.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340867.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340941.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340942.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340944.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340945.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340964.dll Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP895\change.log Object is locked skipped
lotusindigo
2007-06-12, 08:00
C:\VundoFix Backups\ahrds.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\VundoFix Backups\awtqnkh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\VundoFix Backups\awtsppp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\awttttt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\eynowegx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\gebcdbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\geebx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\hggfgda.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\iifccdb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\iifffdc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ikvuefyd.exe.bad Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\VundoFix Backups\jblllvxt.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\jkkiiji.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\jkkji.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\jsngdhhi.exe.bad Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\VundoFix Backups\ldlciexc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\meflcxyj.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\mlljg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\mrrbfhpg.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\opnkhhh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\opnoopo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\pmkhe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\pmnllll.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\rqrqonk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\rqrspom.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\webxnlib.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\xxyxyvv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\yayxwwu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ygmyoqbg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll.000 Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Help\ibnc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
C:\WINDOWS\Internet Logs\DONNA.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{00A8A200-DEC1-44F3-AD1B-779D4B9EEB70}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\system32\BMGi_b.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\WINDOWS\system32\BMGi_b.exe InstallCreator: infected - 1 skipped
C:\WINDOWS\system32\BMGi_b.exe UPX: infected - 1 skipped
C:\WINDOWS\system32\BMGi_b2.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\WINDOWS\system32\BMGi_b2.exe InstallCreator: infected - 1 skipped
C:\WINDOWS\system32\BMGi_b2.exe UPX: infected - 1 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8797.sys Object is locked skipped
C:\WINDOWS\system32\drvxok.dll Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ousghfmw.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\WINDOWS\system32\stuxlxya.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wgfhmcei.dll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\winsys64.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\WINDOWS\system32\xqdmwjtd.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\xqxrklda.dll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\Temp\mst4F4.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\Temp\mst523.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\Temp\synagent.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\WINDOWS\Temp\win4EB.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\Temp\win4EF.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\win4F3.tmp.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\WINDOWS\Temp\win4F6.tmp.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\WINDOWS\Temp\win4F8.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win4F8.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win51A.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\Temp\win51E.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\win522.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\WINDOWS\Temp\win522.tmp.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\win525.tmp.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\WINDOWS\Temp\win528.tmp.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\WINDOWS\Temp\ZLT03033.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT03039.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\YazzleBundle-1119.exe NSIS: infected - 1 skipped
Scan process completed.
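A triage parser for the report format posted above, added here as an example; it is not code from the thread, from Kaspersky or from the Spybot forum. It assumes the line shapes that the v5 Online Scanner report shows on this page (`<path> Infected: <name> skipped`, `<path> Object is locked skipped`, `<path> <ARCHIVE>: infected - N skipped`); the location buckets, the family-name rule and the sample lines are constructed from paths that appear in the posted report. The point it illustrates is that 150 "infected objects" are not 150 live infections: copies inside the System Restore store only come back if a restore point is applied, files in a removal tool's backup folder (VundoFix Backups, !KillBox, the HijackThis backups folder) are already neutralised, whereas hits under system32 and Temp are the ones that still need attention.

```python
"""Triage a Kaspersky Online Scanner (v5) text report by location and family.

Added example for the forum thread above; not from Kaspersky or the forum.
Assumes the report line shapes visible in the posted report.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# A finding line always ends in "skipped" (the online scanner only reports).
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# Summary line for an archive/installer whose members were listed just above it.
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<n>\d+) skipped$")


@dataclass(frozen=True)
class Finding:
    path: str
    status: str      # "infected", "locked" or "container"
    name: str        # detection name (or archive kind for containers), "" if locked
    location: str    # triage bucket from classify()


# Ordered: first matching substring wins. Buckets are this example's own choice.
LOCATION_RULES = [
    ("system_restore", "\\system volume information\\_restore"),
    ("tool_backup", "\\vundofix backups\\"),
    ("tool_backup", "\\!killbox\\"),
    ("tool_backup", "\\desktop\\backups\\"),      # HijackThis backup folder
    ("java_cache", "\\sun\\java\\deployment\\cache\\"),
    ("temp", "\\temp\\"),
    ("temp", "\\temporary internet files\\"),
    ("system32", "\\windows\\system32\\"),
]


def classify(path: str) -> str:
    """Map a reported path to a triage bucket (case-insensitive substring match)."""
    low = path.lower()
    for bucket, needle in LOCATION_RULES:
        if needle in low:
            return bucket
    return "other"


def family(name: str) -> str:
    """'not-a-virus:AdWare.Win32.Virtumonde.jp' -> 'AdWare.Win32.Virtumonde'."""
    name = name.split(":", 1)[-1]           # drop the 'not-a-virus:' prefix
    return ".".join(name.split(".")[:3])    # drop the per-variant suffix (.jp, .fp, ...)


def parse_report(text: str) -> list[Finding]:
    """Return one Finding per result line; header and summary lines yield nothing."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            findings.append(Finding(m["path"], "infected", m["name"], classify(m["path"])))
        elif m := LOCKED_RE.match(line):
            findings.append(Finding(m["path"], "locked", "", classify(m["path"])))
        elif m := CONTAINER_RE.match(line):
            findings.append(Finding(m["path"], "container", m["kind"], classify(m["path"])))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Summarise infected lines; 'live' lists hits outside quarantine/restore stores."""
    infected = [f for f in findings if f.status == "infected"]
    return {
        "by_location": Counter(f.location for f in infected),
        "by_family": Counter(family(f.name) for f in infected),
        "live": sorted(f.path for f in infected if f.location in ("system32", "temp", "other")),
        "locked": sum(1 for f in findings if f.status == "locked"),
    }


# Constructed sample: a handful of lines taken from the posted report.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
Number of infected objects: 150
Infected Object Name / Virus Name / Last Action
C:\!KillBox\drvcos.dll Infected: Trojan.Win32.Agent.qt skipped
C:\bsgvjmep.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\Documents and Settings\Games\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\ahrds.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\drvxok.dll Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\Temp\synagent.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for bucket, n in summary["by_location"].most_common():
        print(f"{bucket:15s} {n}")
    print("still live on disk:", *summary["live"], sep="\n  ")
```

Run it against a full saved report (`parse_report(open("kavscan.txt").read())`) and the `live` list is the short set of paths worth checking against the HijackThis log; the `system_restore` count is the argument for flushing restore points once the machine is clean, and the `tool_backup` count is what disappears when the backup folders are deleted at the end.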
lotusindigo
2007-06-12, 08:00
Logfile of HijackThis v1.99.1
Scan saved at 12:00:06 AM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lotusindigo
2007-06-12, 08:02
Sorry, I had to break up the Kaspersky scan in two. And no, I don't recall installing
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
Hi
Empty these folders:
C:\!KillBox\
C:\VundoFix Backups
C:\WINDOWS\Temp
C:\Documents and Settings\Games\Application Data\Sun\Java\Deployment\cache
C:\Documents and Settings\Jheru\Application Data\Sun\Java\Deployment\cache
Empty Recycle Bin
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\Help\ibnc.dll
C:\WINDOWS\system32\AdmDll.dll
C:\WINDOWS\system32\BMGi_b.exe
C:\WINDOWS\system32\BMGi_b2.exe
C:\WINDOWS\system32\drvxok.dll
C:\WINDOWS\system32\h323log.txt
C:\WINDOWS\system32\ousghfmw.exe
C:\WINDOWS\system32\stuxlxya.exe
C:\WINDOWS\system32\wgfhmcei.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\xqdmwjtd.exe
C:\WINDOWS\system32\xqxrklda.dll
C:\WINDOWS\Temp\mst4F4.tmp
C:\WINDOWS\Temp\mst523.tmp
C:\WINDOWS\Temp\synagent.exe
C:\WINDOWS\Temp\win4EB.tmp.exe
C:\WINDOWS\Temp\win4EF.tmp.exe
C:\WINDOWS\Temp\win4F3.tmp.exe
C:\WINDOWS\Temp\win4F6.tmp.exe
C:\WINDOWS\Temp\win4F8.tmp.exe
C:\WINDOWS\Temp\win51A.tmp.exe
C:\WINDOWS\Temp\win51E.tmp.exe
C:\WINDOWS\Temp\win522.tmp.exe
C:\WINDOWS\Temp\win525.tmp.exe
C:\WINDOWS\Temp\win528.tmp.exe
C:\WINDOWS\YazzleBundle-1119.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.
If your computer does not restart automatically, please restart it manually.
Empty this folder:
c:\!KillBox
Empty Recycle Bin
Re-scan with Kaspersky
Post:
- a fresh HijackThis log
- kaspersky report
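The "Delete on Reboot" step above relies on a Windows mechanism rather than on anything special in Killbox: a file that is locked by a running process (or re-created by a watchdog) is handed to the Session Manager, which removes it early in the next boot before any user-mode process can hold it. The example below is added here and is not Killbox's code or code from the thread; it shows that mechanism from a defender's side. The file list is copied from the post above; the function names, the `!` replace marker handling and the `exists` hook for offline testing are this example's own assumptions. `schedule_delete_on_reboot` uses the documented `MoveFileExW(..., NULL, MOVEFILE_DELAY_UNTIL_REBOOT)` call and only runs on Windows with administrator rights; the encoder and decoder for the `PendingFileRenameOperations` value run anywhere and are useful when triaging what a machine already has queued for its next boot.

```python
"""Delete-on-reboot, the way Windows records it.

MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends a pair of strings to
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
(REG_MULTI_SZ): the source in NT object-path form ("\??\C:\...") and the
destination, where an empty destination means "delete".  smss.exe processes the
list at boot before the files can be locked, which is why locked malware files
are removed this way.
"""
import os
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4          # documented dwFlags value
NT_PREFIX = "\\??\\"

# Copied from the forum post above; used here as constructed sample input.
KILL_LIST = [
    r"C:\WINDOWS\Help\ibnc.dll",
    r"C:\WINDOWS\system32\AdmDll.dll",
    r"C:\WINDOWS\system32\BMGi_b.exe",
    r"C:\WINDOWS\system32\BMGi_b2.exe",
    r"C:\WINDOWS\system32\drvxok.dll",
    r"C:\WINDOWS\system32\h323log.txt",
    r"C:\WINDOWS\system32\ousghfmw.exe",
    r"C:\WINDOWS\system32\stuxlxya.exe",
    r"C:\WINDOWS\system32\wgfhmcei.dll",
    r"C:\WINDOWS\system32\winsys64.exe",
    r"C:\WINDOWS\system32\xqdmwjtd.exe",
    r"C:\WINDOWS\system32\xqxrklda.dll",
    r"C:\WINDOWS\Temp\mst4F4.tmp",
    r"C:\WINDOWS\Temp\mst523.tmp",
    r"C:\WINDOWS\Temp\synagent.exe",
    r"C:\WINDOWS\Temp\win4EB.tmp.exe",
    r"C:\WINDOWS\Temp\win4EF.tmp.exe",
    r"C:\WINDOWS\Temp\win4F3.tmp.exe",
    r"C:\WINDOWS\Temp\win4F6.tmp.exe",
    r"C:\WINDOWS\Temp\win4F8.tmp.exe",
    r"C:\WINDOWS\Temp\win51A.tmp.exe",
    r"C:\WINDOWS\Temp\win51E.tmp.exe",
    r"C:\WINDOWS\Temp\win522.tmp.exe",
    r"C:\WINDOWS\Temp\win525.tmp.exe",
    r"C:\WINDOWS\Temp\win528.tmp.exe",
    r"C:\WINDOWS\YazzleBundle-1119.exe",
    r"C:\Program Files\Common Files\Yazzle1162OinAdmin.exe",
]


def normalise(path):
    """Accept only absolute local drive paths (C:\...); a relative or UNC
    entry pasted by mistake would otherwise be silently queued."""
    p = path.strip()
    if len(p) < 3 or not p[0].isalpha() or p[1] != ":" or p[2] != "\\":
        raise ValueError("not an absolute drive path: %r" % path)
    return p


def rename_ops(paths):
    """Encode delete requests as the REG_MULTI_SZ pairs Windows stores."""
    ops = []
    for p in paths:
        ops.append(NT_PREFIX + normalise(p))
        ops.append("")                      # empty destination == delete
    return ops


def _strip(entry):
    # A leading "!" on a destination marks MOVEFILE_REPLACE_EXISTING (assumed
    # here from the value's conventions); drop it and the \??\ prefix.
    entry = entry[1:] if entry.startswith("!") else entry
    return entry[len(NT_PREFIX):] if entry.startswith(NT_PREFIX) else entry


def decode_ops(multi_sz):
    """Turn a raw PendingFileRenameOperations list back into (src, dst) pairs;
    dst is None for a delete.  Useful for inspecting what a triaged box has
    queued for its next boot."""
    if len(multi_sz) % 2:
        raise ValueError("malformed list: entries come in source/destination pairs")
    return [(_strip(src), _strip(dst) if dst else None)
            for src, dst in zip(multi_sz[0::2], multi_sz[1::2])]


def split_existing(paths, exists=os.path.exists):
    """Separate files still present from ones already gone, so the reboot
    list carries only real files.  `exists` is injectable for offline tests."""
    present, absent = [], []
    for p in paths:
        (present if exists(p) else absent).append(p)
    return present, absent


def schedule_delete_on_reboot(paths):
    """Queue deletions through the OS (Windows only, administrator required).
    Returns [(path, win32_error)] for entries the kernel refused."""
    if sys.platform != "win32":
        raise OSError("delete-on-reboot is a Windows Session Manager feature")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    failed = []
    for p in paths:
        if not k32.MoveFileExW(normalise(p), None, MOVEFILE_DELAY_UNTIL_REBOOT):
            failed.append((p, ctypes.get_last_error()))
    return failed


if __name__ == "__main__":
    present, absent = split_existing(KILL_LIST)
    print("present: %d, already gone: %d" % (len(present), len(absent)))
    if present and sys.platform == "win32":
        print("refused:", schedule_delete_on_reboot(present))
```

Two practical notes: the queued value is processed only once, at the next boot, so the "restart manually if it does not restart automatically" step in the post is what actually performs the deletions; and because the pending list is ordinary registry data, a defender reviewing a compromised machine should read it as well, since malware can use the same mechanism to remove a security tool's files on reboot.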
lotusindigo
2007-06-13, 07:30
Logfile of HijackThis v1.99.1
Scan saved at 11:30:00 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\DFWin\dfw.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: (no name) - {D237AE76-2C1D-4DEB-AD52-3DFBDFC029C2} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwup.dll,startup
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkji - C:\WINDOWS\
O20 - Winlogon Notify: pmnllll - C:\WINDOWS\
O20 - Winlogon Notify: StillImage - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\
O20 - Winlogon Notify: winjks32 - C:\WINDOWS\
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lotusindigo
2007-06-13, 07:34
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 12, 2007 11:28:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/06/2007
Kaspersky Anti-Virus database records: 342831
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 99263
Number of viruses found: 38
Number of infected objects: 139
Number of suspicious objects: 0
Duration of the scan process: 01:53:49
Infected Object Name / Virus Name / Last Action
C:\bsgvjmep.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\DFWin\Context.txt Object is locked skipped
C:\DFWin\t33764.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\6ccffeebf26f3b53bf560ce3ebc894a3_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\946f290e786381d3225bb1101d45fab7_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87597c2bd92cecd42067219e4eb14c62_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff10bef4f9389c2d059ca9a726a90678_86a95731-ac6a-4138-9e65-1568d521f131 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Games\Application Data\Aim\mbvkofwr\mcjra\cert8.db Object is locked skipped
C:\Documents and Settings\Games\Application Data\Aim\mbvkofwr\mcjra\key3.db Object is locked skipped
C:\Documents and Settings\Games\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Games\Desktop\backups\backup-20070610-152134-788.dll Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\Games\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Games\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\History\History.IE5\MSHist012007061220070613\index.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temp\~DF189B.tmp Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temp\~DFDE61.tmp Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temp\~DFDE72.tmp Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Games\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Games\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Games\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Jheru\Local Settings\Temp\hsperfdata_Jheru\2160 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3084 Object is locked skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc111.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc112.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc114.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc1280.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc1285.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2010.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2010.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2014.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2018.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip ZIP: infected - 2 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc508.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc513.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc518.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc522.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc525.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc525.exe NSIS: infected - 1 skipped
lotusindigo
2007-06-13, 07:35
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335693.dll Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335702.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335704.dll Infected: not-a-virus:AdWare.Win32.Comet.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336039.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336157.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336162.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336164.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336168.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336173.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336175.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336212.dll Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336214.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336225.dll Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336227.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336309.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336392.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336393.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336394.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336397.dll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336423.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336424.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336425.exe Infected: Trojan-Downloader.Win32.Tiny.he skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340454.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340455.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340571.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340785.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340786.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340788.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340789.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340791.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340802.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340803.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340804.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340810.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340811.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340863.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340864.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340867.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340941.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340942.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340944.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340945.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340964.dll Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341400.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341401.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341401.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341401.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341402.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341402.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341402.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341403.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341404.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341405.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341406.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341407.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341408.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341409.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341410.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341410.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341411.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341421.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341422.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341424.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341425.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341426.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341427.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341427.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341427.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341428.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341428.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341428.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341429.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341430.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341431.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341432.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341433.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341434.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341435.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341436.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341437.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341438.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341438.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\change.log Object is locked skipped
lotusindigo
2007-06-13, 07:36
Scan process completed.
Hi
1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.
Open HijackThis, click 'Do a system scan only' and checkmark these:
O2 - BHO: (no name) - {D237AE76-2C1D-4DEB-AD52-3DFBDFC029C2} - (no file)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwup.dll,startup
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O20 - Winlogon Notify: jkkji - C:\WINDOWS\
O20 - Winlogon Notify: pmnllll - C:\WINDOWS\
O20 - Winlogon Notify: StillImage - C:\WINDOWS\
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\
O20 - Winlogon Notify: winjks32 - C:\WINDOWS\
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
Close all windows, including your browser, and press 'Fix checked'.
Reboot.
Post a fresh HijackThis log.
lotusindigo
2007-06-13, 21:34
Logfile of HijackThis v1.99.1
Scan saved at 1:33:15 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
C:\WINDOWS\system32\WgaTray.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi
Open HijackThis, click 'Do a system scan only' and checkmark this:
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
Close all windows, including your browser, and press 'Fix checked'.
Reboot.
Delete this:
C:\bsgvjmep.exe
Empty the Recycle Bin.
Re-scan with Kaspersky.
Post:
- a fresh HijackThis log
- the Kaspersky report
lotusindigo
2007-06-15, 07:57
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 14, 2007 11:56:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 15/06/2007
Kaspersky Anti-Virus database records: 346853
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 101960
Number of viruses found: 38
Number of infected objects: 139
Number of suspicious objects: 0
Duration of the scan process: 01:49:30
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Games\Desktop\backups\backup-20070610-152134-788.dll Infected: Trojan.Win32.BHO.bd skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc111.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc112.tmp Infected: Trojan.Win32.Agent.qt skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc114.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc1280.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc1285.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2010.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2010.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2014.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc2018.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\java.jar-7e09d0a6-2be049cf.zip ZIP: infected - 2 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3095\v1.0\jar\loaderadv493.jar-1661bf12-28f720e2.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-160dd9ae-5aec0d2f.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc3097\v1.0\jar\count.jar-516ac74a-7b14ad5f.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc508.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc513.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc518.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc522.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc525.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\RECYCLER\S-1-5-21-1659004503-1085031214-682003330-1004\Dc525.exe NSIS: infected - 1 skipped
lotusindigo
2007-06-15, 07:58
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335693.dll Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335702.dll Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP890\A0335704.dll Infected: not-a-virus:AdWare.Win32.Comet.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336039.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336157.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336162.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336164.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336168.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.b skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336173.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336175.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336212.dll Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336214.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336225.dll Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336227.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336309.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336392.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336393.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336394.exe Infected: not-a-virus:AdWare.Win32.Searchcolor.a skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336397.dll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336423.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336424.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP891\A0336425.exe Infected: Trojan-Downloader.Win32.Tiny.he skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340454.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340455.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP892\A0340571.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340785.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340786.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340788.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340789.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340791.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340802.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340803.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340804.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340810.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340811.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340863.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340864.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340865.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe/data.rar Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340866.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP893\A0340867.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340941.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340942.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340944.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340945.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP894\A0340964.dll Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341400.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341401.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341401.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341401.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341402.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341402.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341402.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341403.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341404.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341405.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341406.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341407.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341408.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341409.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341410.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341410.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341411.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341421.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341422.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341424.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341425.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341426.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341427.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341427.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341427.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341428.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341428.exe InstallCreator: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341428.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341429.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341430.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fl skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341431.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341432.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341433.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341434.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341435.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341436.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341437.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341438.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP896\A0341438.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP899\A0341733.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{4A1605D5-CBD0-41CB-8CE0-8DD162DC6F2D}\RP899\change.log Object is locked skipped
lotusindigo
2007-06-15, 08:00
Scan process completed.
lotusindigo
2007-06-15, 08:01
Logfile of HijackThis v1.99.1
Scan saved at 12:00:40 AM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Games\Desktop\scanner.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24f2d1f86d2f22fe6b06/netzip/RdxIE601.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmc.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\R_SERVER.EXE" /service (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi
Please click Start > Run and type in: services.msc
Click OK
In the Services window find: Remote Administrator Service (r_server)
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete r_server
Click: OK
Reboot
Post a fresh HijackThis log.
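The same stop, disable and delete sequence as an added PowerShell example (not part of the helper's post), with a look at the service's registry ImagePath and on-disk binary first, so the decision rests on what the service actually points at rather than on the name alone. It assumes an elevated prompt and the r_server service name from the O23 line of the HijackThis log above; $ServiceName and $regPath are names chosen here.

```powershell
# Added example, not the helper's own instructions: inspect and remove a
# suspicious service by name. The default name comes from the O23 line in
# the HijackThis log above; pass another -ServiceName for a different case.
# Run from an elevated PowerShell prompt.
param(
    [string]$ServiceName = 'r_server'
)

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

if (-not (Test-Path $regPath)) {
    Write-Host "No service registry key for '$ServiceName'; nothing to do."
    return
}

# Read what the service would launch. HijackThis reported this entry as
# 'Unknown owner' with '(file missing)', which is worth confirming from
# the registry before deleting anything.
$props     = Get-ItemProperty -Path $regPath
$imagePath = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
Write-Host "ImagePath : $imagePath"
Write-Host "Start type: $($props.Start)  (2=Automatic, 3=Manual, 4=Disabled)"

# Strip surrounding quotes and trailing arguments (e.g. '" /service') to
# get just the executable path; -replace is case-insensitive, so .EXE matches.
$exe = $imagePath -replace '^"?([^"]+?\.exe)"?.*$', '$1'
if (Test-Path $exe) {
    Write-Host "Binary present on disk: $exe"
    Get-Item $exe | Select-Object Length, LastWriteTime | Format-List
    Get-AuthenticodeSignature $exe |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
} else {
    Write-Host "Binary not found on disk: $exe (matches '(file missing)' in the log)"
}

# Stop and disable the service if the Service Control Manager still knows it
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $ServiceName -StartupType Disabled
}

# Remove the registration; same effect as the helper's 'sc delete r_server'
sc.exe delete $ServiceName

# Verify. If the SCM only marked it for deletion, a reboot finishes the job,
# which is why the helper asks for a reboot and a fresh log afterwards.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Host "Service still registered: marked for deletion, reboot to complete."
} else {
    Write-Host "Service '$ServiceName' removed."
}
```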
lotusindigo, still with us?
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.