Virtumonde - cbxyvuu.dll & add/remove
Hi guys, a friend of mine brought his computer to me complaining of problems with his add/remove programs not working (no option to remove). Turns out there is a major infection on his machine and I'm having a very, very hard time with it.
I have run numerous utilities and no matter what I do I can't rid the computer of cbxyvuu.dll. Spybot reports it as Virtumonde but cannot remove it. I have run VundoFix, ComboFix, Killbox, HJT, Kaspersky online scan, installed AntiVir anti-virus, SDFix, SmitfraudFix, ClamWin Portable (portable antivirus). I've done a lot of searching and keep coming by redundant information about Vundo trojan removal; however, the following thread seems to be directly related to what I am experiencing: http://www.forums.majorgeeks.com/showthread.php?t=101031
NOTE: Vundo has fully reinfected the PC at the time of this posting (I couldn't transfer the logs to a clean PC to post, and the trojan has downloaded a bunch more crap, the same stuff I have removed before).
Here are the logfiles:
Logfile of HijackThis v1.99.1
Scan saved at 4:44:27 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\igfxsrvc.exe
O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\cbxyvuu.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: cbxyvuu - cbxyvuu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
ComboFix 07-06-18.2 - C:\Documents and Settings\RAMZI\Desktop\New Folder\ComboFix.exe
"RAMZI" - 2007-06-20 12:25:07 - Service Pack 2 NTFS [SAFE MODE]
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\afayqmup.dll
C:\WINDOWS\system32\gonrrrmy.dll
C:\WINDOWS\system32\krqxeseq.dll
C:\WINDOWS\system32\nfjlrdbc.dll
C:\WINDOWS\system32\rlqjfymb.dll
C:\WINDOWS\system32\rypxtqtu.dll
C:\WINDOWS\system32\smkcjilx.dll
C:\WINDOWS\system32\ucjalnaf.dll
C:\WINDOWS\system32\winpdc32.dll
C:\WINDOWS\SYSTEM32\oqtss.ini
C:\WINDOWS\SYSTEM32\pumqyafa.ini
C:\WINDOWS\SYSTEM32\ymrrrnog.ini
C:\WINDOWS\SYSTEM32\qesexqrk.ini
C:\WINDOWS\SYSTEM32\cbdrljfn.ini
C:\WINDOWS\SYSTEM32\bmyfjqlr.ini
C:\WINDOWS\SYSTEM32\utqtxpyr.ini
C:\WINDOWS\SYSTEM32\xlijckms.ini
C:\WINDOWS\SYSTEM32\fanlajcu.ini
C:\WINDOWS\SYSTEM32\ttutv.bak1
C:\WINDOWS\SYSTEM32\ttutv.bak2
C:\WINDOWS\SYSTEM32\ttutv.ini
C:\WINDOWS\SYSTEM32\ttutv.ini2
C:\WINDOWS\SYSTEM32\ttutv.tmp
C:\WINDOWS\SYSTEM32\ttutv.bak1
C:\WINDOWS\SYSTEM32\ttutv.bak2
C:\WINDOWS\SYSTEM32\ttutv.ini
C:\WINDOWS\SYSTEM32\ttutv.ini2
C:\WINDOWS\SYSTEM32\ttutv.tmp
C:\WINDOWS\system32\sstqo.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\system32\sstqo.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\ystem~1
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\cscentfy.dll
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\xpdx
((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))
2007-06-20 12:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 11:35 266,336 --------- C:\WINDOWS\SYSTEM32\sstqo.dll
2007-06-20 11:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-20 11:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-20 11:10 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-20 11:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-20 11:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-06-20 10:34 <DIR> d-------- C:\VundoFix Backups
2007-06-19 21:48 904 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-19 16:54 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ihqhgrsh.exe
2007-06-19 14:13 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-06-19 14:13 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-06-19 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-19 14:02 7,456 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2007-06-19 14:02 233,504 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-06-19 13:04 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-06-19 13:00 31,254 --------- C:\WINDOWS\SYSTEM32\cbxyvuu.dll
2007-06-18 23:10 28 --a------ C:\WINDOWS\SYSTEM32\substpntx8.dll
2007-06-18 23:05 <DIR> d-------- C:\Program Files\Godlike Developers
2007-06-18 01:39 22,528 --a------ C:\WINDOWS\SYSTEM32\lpdsvc.dll
2007-06-18 01:39 18,944 --a------ C:\WINDOWS\SYSTEM32\lprmon.dll
2007-06-17 22:35 444 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2007-06-16 03:30 99,072 --a------ C:\pmcubosf1.exe
2007-06-16 03:30 94,976 --a------ C:\pmcubosf3.exe
2007-06-16 03:30 286,720 --a------ C:\WINDOWS\SYSTEM32\scchk32.exe
2007-06-16 03:30 100,096 --a------ C:\pmcubosf2.exe
2007-06-15 17:28 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-06-14 23:33 <DIR> d-------- C:\WINDOWS\imkk
2007-06-14 23:33 <DIR> d-------- C:\Program Files\Common Files\imkk
2007-06-14 23:17 <DIR> d--hs---- C:\WINDOWS\UkFNWkk
2007-06-14 03:24 16,384 --a------ C:\WINDOWS\SYSTEM32\FileOps.exe
2007-06-14 03:00 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-14 02:04 <DIR> d-------- C:\DOCUME~1\RAMZI\APPLIC~1\Ulead Systems
2007-06-14 00:24 57,344 --a------ C:\WINDOWS\os1zn2mO7Z.exe
2007-06-12 19:35 8 --a------ C:\WINDOWS\SYSTEM32\sdfinacs.dll
2007-06-12 19:35 5 --a------ C:\WINDOWS\SYSTEM32\fontqxet.dll
2007-06-12 19:35 14 --a------ C:\WINDOWS\SYSTEM32\rasqervy.dll
2007-06-12 19:35 0 --a------ C:\WINDOWS\SYSTEM32\hidrwupd.dll
2007-06-12 19:34 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\gtcfaxaz.exe
2007-06-12 19:34 143 --a------ C:\WINDOWS\SYSTEM32\wuasirvy.dll
2007-06-12 19:34 <DIR> d-------- C:\DOCUME~1\RAMZI\APPLIC~1\Yahoo!
2007-06-11 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-05 01:36 <DIR> d-------- C:\Program Files\DiscWizard for Windows
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AWRTPD.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-20 15:33:12 -------- d-----w C:\Program Files\Lavasoft
2007-06-18 05:50:57 -------- d-----w C:\Program Files\CyberLink
2007-06-18 05:39:30 -------- d-----w C:\Program Files\Online Services
2007-06-18 00:16:51 -------- d-----w C:\Program Files\EPSON Print CD
2007-06-15 21:14:50 -------- d-----w C:\Program Files\Yahoo!
2007-06-14 06:23:43 -------- d-----w C:\Program Files\VstPlugins
2007-06-14 06:22:06 -------- d-----w C:\Program Files\EPSON
2007-06-12 23:38:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 09:36:22 -------- d-----w C:\DOCUME~1\RAMZI\APPLIC~1\dvdcss
2007-05-12 23:25:02 -------- d-----w C:\DOCUME~1\RAMZI\APPLIC~1\U3
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 14:30:12 -------- d-----w C:\Program Files\ArcSoft
2007-04-22 14:18:22 -------- d-----w C:\Program Files\Common Files\Intuit
2007-04-22 14:01:07 -------- d-----w C:\Program Files\Google
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\WUPS.DLL
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-14 15:55:53 1,156 -c--a-w C:\WINDOWS\mozver.dat
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-12-30 22:35:21 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{066A2CDC-319E-4460-BA45-C24562CD51AA}=C:\WINDOWS\system32\cbxyvuu.dll [2007-06-19 13:00]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 02:56]
{7CA5E587-C9C9-4FA6-AB5B-153E0D111AA2}=C:\WINDOWS\system32\sstqo.dll [2007-06-20 11:35]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 14:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-26 07:37]
"ihqhgrsh.exe"="C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe" [2007-06-19 16:54]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoLowDiskSpaceChecks"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"StartmenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{066A2CDC-319E-4460-BA45-C24562CD51AA}"="C:\WINDOWS\system32\cbxyvuu.dll" [2007-06-19 13:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyvuu]
cbxyvuu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqo]
C:\WINDOWS\system32\sstqo.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^RAMZI^Start Menu^Programs^Startup^LifeDrive™ Manager.lnk]
backup=C:\WINDOWS\pss\LifeDrive™ Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^RAMZI^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
"C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
"C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB004" /M "Stylus CX3800"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R260 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S5ED.tmp" /EF "HKCU"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbe9d1d5-f711-11db-ab82-00132015a1fc}]
AutoRun\command- F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbe9d1d7-f711-11db-ab82-00132015a1fc}]
AutoRun\command- H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
Contents of the 'Scheduled Tasks' folder
2005-06-04 20:26:10 C:\WINDOWS\tasks\ISP signup reminder 1.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 12:37:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-20 12:40:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 12:39
--- E O F ---
VundoFix V6.5.0
Checking Java version...
Scan started at 10:34:25 AM 6/20/2007
Listing files found while scanning....
C:\WINDOWS\system32\ddcyx.dll
C:\windows\system32\oxbmmodf.dll
C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\ddcyx.dll Has been deleted!
Attempting to delete C:\windows\system32\oxbmmodf.dll
C:\windows\system32\oxbmmodf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.bak1
C:\WINDOWS\system32\xycdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\xycdd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.ini2
C:\WINDOWS\system32\xycdd.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xycdd.tmp
C:\WINDOWS\system32\xycdd.tmp Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Scan started at 11:13:41 AM 6/20/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.0
Checking Java version...
Scan started at 3:44:47 PM 6/20/2007
Listing files found while scanning....
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\sstqo.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqo.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Scan started at 4:15:19 PM 6/20/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.1
Checking Java version...
Scan started at 6:36:13 PM 6/20/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.1
Checking Java version...
Scan started at 8:13:52 PM 6/20/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.1
Checking Java version...
Scan started at 12:35:21 PM 6/21/2007
Listing files found while scanning....
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\awvtt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.1
Checking Java version...
Scan started at 12:51:34 PM 6/21/2007
Listing files found while scanning....
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\ttvwa.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\awvtt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.1
Checking Java version...
Scan started at 2:24:46 PM 6/21/2007
Listing files found while scanning....
No infected files were found.
********************************
SmitFraudFix v2.195
Scan done at 15:57:14.82, Thu 06/21/2007
Run from C:\Documents and Settings\RAMZI\Desktop\New Folder\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\RAMZI
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\RAMZI\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RAMZI\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DE3A536B-096E-4C61-9ADF-D7B4417CB399}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
SDFix: Version 1.88
Run by RAMZI on Wed 06/20/2007 at 01:04 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\RAMZI\Desktop\NEWFOL~1\SDFix
Safe Mode:
Checking Services:
Name:
NtmlSvc
ImagePath:
%SystemRoot%\System32\svchost.exe -k netsvcs
NtmlSvc - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\HIDRWUPD.DLL - Deleted
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS
No streams found.
Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.
Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\DOCUME~1\RAMZI\Desktop\NEWFOL~1\SDFix\backups\backups.zip
Listing Files with Hidden Attributes:
C:\Documents and Settings\RAMZI\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Windows Media Player\MPLAYER2.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\RAMZI\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp
C:\Documents and Settings\RAMZI\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp
C:\Documents and Settings\RAMZI\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp
C:\Documents and Settings\RAMZI\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG
Listing User Accounts:
Administrator Guest HelpAssistant
RAMZI STRONGARM SUPPORT_388945a0
Finished
AntiVir PersonalEdition Classic
Report file date: Thursday, June 21, 2007 10:45
Scanning for 836149 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: RAMZI
Computer name: BLAK-MARKET
Version information:
BUILD.DAT : 247 14437 Bytes 5/10/2007 11:55:00
AVSCAN.EXE : 7.0.4.15 282664 Bytes 4/20/2007 17:37:14
AVSCAN.DLL : 7.0.4.4 33832 Bytes 3/27/2007 17:31:54
LUKE.DLL : 7.0.4.11 143400 Bytes 3/27/2007 17:26:04
LUKERES.DLL : 7.0.4.0 10280 Bytes 3/19/2007 17:18:59
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 19:08:58
ANTIVIR1.VDF : 6.38.1.170 5569024 Bytes 5/21/2007 14:44:47
ANTIVIR2.VDF : 6.39.0.25 648704 Bytes 6/17/2007 14:44:47
ANTIVIR3.VDF : 6.39.0.43 88576 Bytes 6/21/2007 14:44:47
AVEWIN32.DLL : 7.4.0.34 2478592 Bytes 6/21/2007 14:44:47
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.1 24616 Bytes 3/27/2007 17:31:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.3.0.12 360488 Bytes 6/21/2007 14:44:47
AVREG.DLL : 7.0.1.2 31784 Bytes 3/15/2007 14:05:08
AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 3/27/2007 17:16:05
AVARKT.DLL : 1.0.0.17 278568 Bytes 5/2/2007 16:32:26
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 3/13/2007 15:46:18
RCTEXT.DLL : 7.0.45.0 86056 Bytes 3/19/2007 17:42:42
Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Thursday, June 21, 2007 10:45
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'mm_tray.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'ULCDRSvr.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'AvidSDMService.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Starting to scan the registry.
The registry was scanned ( '8' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\!KillBox\cbxyvuu.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '46f28f91.qua'!
C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46dd92f5.qua'!
C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46eb92ea.qua'!
C:\Documents and Settings\RAMZI\Desktop\New Folder\SmitfraudFix.exe
[DETECTION] Contains signature of the dropper DR/Tool.Reboot.F.7
[INFO] The file was moved to '46e393b7.qua'!
C:\Documents and Settings\RAMZI\Local Settings\Application Data\Mozilla\Firefox\Profiles\gjm3xrz4.default\Cache\63329BDCd01
[DETECTION] Contains signature of the dropper DR/Tool.Reboot.F.7
[INFO] The file was moved to '46ad9394.qua'!
C:\Documents and Settings\RAMZI\Local Settings\Temporary Internet Files\Content.IE5\0HUR016F\CAR6KVN1
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '46cc93b0.qua'!
C:\Program Files\hijackthis\backups\backup-20070620-112407-429.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '46dd9c24.qua'!
C:\Program Files\hijackthis\backups\backup-20070620-112407-605.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '46dd9c25.qua'!
C:\Program Files\hijackthis\backups\backup-20070620-112445-938.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '47a0801a.qua'!
C:\Program Files\hijackthis\backups\backup-20070620-203157-720.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '46dd9c26.qua'!
C:\WINDOWS\os1zn2mO7Z.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46ab9fce.qua'!
C:\WINDOWS\SYSTEM32\awvtt.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINDOWS\SYSTEM32\cbxyvuu.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINDOWS\SYSTEM32\msorcl32.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '46e9a39e.qua'!
C:\WINDOWS\SYSTEM32\scchk32.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46dda3a9.qua'!
End of the scan: Thursday, June 21, 2007 12:14
Used time: 1:28:39 min
The scan has been done completely.
6060 Scanning directories
216202 Files were scanned
15 viruses and/or unwanted programs were found
0 classified as suspicious:
0 files were deleted
0 files were repaired
13 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
216187 Files not concerned
9047 Archives were scanned
4 Warnings
0 Notes
0 Hidden objects were found
Sorry if any of this is redundant, I have been wracking my brain over this computer for the past 2 days and I'm pretty lost at this point.
Hi there.
FYI: By posting to your own topic and adding logs that have not yet been requested, you may lead helpers to think you are already being assisted.
Please see: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
If you have waited four days for advice, post here. (http://forums.spybot.info/showthread.php?p=4836#post4836) :)