Extremely persistent spyware, adware, etc



Linfone
2007-07-16, 22:18
Hi, I'm still getting persistent spyware issues.

Sample popups include WinAntiVirus and drivecleaner.com and such.

I was told to include a log from HJT and Spybot.

Here's the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:07:15 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Documents and Settings\Gin Lin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{50-01-18-86-ZN}] C:\windows\system32\mmdsregp.exe CHD003
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aysvvgar.dll",realset
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gnmiydgk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe


and attached is the Spybot log.

Please help, I'm going nuts.

My IE crashes and occasionally my typed letters refuse to show up.

One of my sentences was missing a large number of letters and spaces.

pskelley
2007-07-16, 23:11
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page

> I was told to include a log from HJT and Spybot.
Who told you this? You might want to read what was posted again: http://forums.spybot.info/showthread.php?t=16064
The instructions are pinned to the top of the forum and I have posted them above for you, please read and follow them including:

> All logs should be copy/pasted into topic and not attached unless requested by helper in that format.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe; if you need additional instructions, use these: http://russelltexas.com/malware/createhjtfolder.htm
Once HJT is moved, rename HJT.exe and call it Linfone.exe. This should show the Vundo infection I believe you have.

2) TeaTimer may interfere with the tools we use, follow the instructions in this link to turn it off until we are finished:
http://russelltexas.com/malware/teatimer.htm

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks

Linfone
2007-07-17, 00:05
Logfile of HijackThis v1.99.1
Scan saved at 6:02:41 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrospect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {26D0730D-20B2-4FCF-840F-061427AF90F9} - (no file)
O2 - BHO: (no name) - {8174D084-1433-4669-9C34-2E9614DB8D57} - (no file)
O2 - BHO: (no name) - {EBF67E2B-36E2-445E-8A7C-BFC0A89331E9} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe

Linfone
2007-07-17, 00:06
"Gin Lin" - 2007-07-16 17:41:38 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\afmnswnc.dll
C:\WINDOWS\system32\bjpmdesl.dll
C:\WINDOWS\system32\dlpmauig.dll
C:\WINDOWS\system32\ecgsnvqc.dll
C:\WINDOWS\system32\giaeters.dll
C:\WINDOWS\system32\gwkdkued.dll
C:\WINDOWS\system32\hqyqhypb.dll
C:\WINDOWS\system32\hsegunjg.dll
C:\WINDOWS\system32\hxtuxpqa.dll
C:\WINDOWS\system32\iamqkjau.dll
C:\WINDOWS\system32\idihmmfp.dll
C:\WINDOWS\system32\iuihmtgn.dll
C:\WINDOWS\system32\lbpmlmcc.dll
C:\WINDOWS\system32\loqukvld.dll
C:\WINDOWS\system32\mxqngauc.dll
C:\WINDOWS\system32\mxsnwaey.dll
C:\WINDOWS\system32\oscqagkw.dll
C:\WINDOWS\system32\rtawrfog.dll
C:\WINDOWS\system32\skdwseyj.dll
C:\WINDOWS\system32\slcioswh.dll
C:\WINDOWS\system32\svwcbnfa.dll
C:\WINDOWS\system32\uiswtxvl.dll
C:\WINDOWS\system32\uwwteflv.dll
C:\WINDOWS\system32\vbvbbwdf.dll
C:\WINDOWS\system32\vohwvicj.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\wbclqvkt.dll
C:\WINDOWS\system32\wuyxlles.dll
C:\WINDOWS\system32\ywkmhstp.dll
C:\WINDOWS\system32\alkgcrei.exe
C:\WINDOWS\system32\bmrenuct.exe
C:\WINDOWS\system32\bycwdpui.exe
C:\WINDOWS\system32\cswhhwof.exe
C:\WINDOWS\system32\dduoaoeh.exe
C:\WINDOWS\system32\ddxmeria.exe
C:\WINDOWS\system32\dymdumvj.exe
C:\WINDOWS\system32\eooiphwj.exe
C:\WINDOWS\system32\fpcdstkn.exe
C:\WINDOWS\system32\frwyjhgr.exe
C:\WINDOWS\system32\fsegwofr.exe
C:\WINDOWS\system32\fviuchso.exe
C:\WINDOWS\system32\fvnisxin.exe
C:\WINDOWS\system32\gibkhhyt.exe
C:\WINDOWS\system32\higqgfdv.exe
C:\WINDOWS\system32\hoqaxpkw.exe
C:\WINDOWS\system32\iflsbbbv.exe
C:\WINDOWS\system32\iuoducrl.exe
C:\WINDOWS\system32\jcgjdcef.exe
C:\WINDOWS\system32\jeoigqec.exe
C:\WINDOWS\system32\jfxinecd.exe
C:\WINDOWS\system32\keiuaeoa.exe
C:\WINDOWS\system32\kfuhnsml.exe
C:\WINDOWS\system32\kjjdcxvv.exe
C:\WINDOWS\system32\kojjrael.exe
C:\WINDOWS\system32\lgxufswh.exe
C:\WINDOWS\system32\librkryv.exe
C:\WINDOWS\system32\ltwffmgd.exe
C:\WINDOWS\system32\lvkxfcta.exe
C:\WINDOWS\system32\mbhbudfr.exe
C:\WINDOWS\system32\mcemyjee.exe
C:\WINDOWS\system32\mgkntnje.exe
C:\WINDOWS\system32\mqqnxhno.exe
C:\WINDOWS\system32\myhxohhe.exe
C:\WINDOWS\system32\niyjfocv.exe
C:\WINDOWS\system32\objwghrv.exe
C:\WINDOWS\system32\ocxmgnse.exe
C:\WINDOWS\system32\ofgdwbam.exe
C:\WINDOWS\system32\pgbgjkao.exe
C:\WINDOWS\system32\pnhsxpka.exe
C:\WINDOWS\system32\purealqj.exe
C:\WINDOWS\system32\qtusvmmc.exe
C:\WINDOWS\system32\qtxpiykb.exe
C:\WINDOWS\system32\rhnqxloi.exe
C:\WINDOWS\system32\tbqeadpt.exe
C:\WINDOWS\system32\tmwhjhuq.exe
C:\WINDOWS\system32\ttmjfeep.exe
C:\WINDOWS\system32\ueoyfirr.exe
C:\WINDOWS\system32\vsavnfxv.exe
C:\WINDOWS\system32\vwbujstx.exe
C:\WINDOWS\system32\xblavdqv.exe
C:\WINDOWS\system32\ysosbsmn.exe
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\lsedmpjb.ini
C:\WINDOWS\SYSTEM32\giuampld.ini
C:\WINDOWS\SYSTEM32\cqvnsgce.ini
C:\WINDOWS\SYSTEM32\bpyhqyqh.ini
C:\WINDOWS\SYSTEM32\gjnugesh.ini
C:\WINDOWS\SYSTEM32\cuagnqxm.ini
C:\WINDOWS\SYSTEM32\gofrwatr.ini
C:\WINDOWS\SYSTEM32\ttstv.ini
C:\WINDOWS\SYSTEM32\tkvqlcbw.ini
C:\WINDOWS\SYSTEM32\ptshmkwy.ini
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\system32\jkhhh.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\GINLIN~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\5MSRY4TC\www.broadcaster.com
C:\DOCUME~1\GINLIN~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\GINLIN~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\ipwindows
C:\Program Files\poolsv
C:\Program Files\svhost
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\41413471.dll
C:\WINDOWS\system32\A2
C:\WINDOWS\system32\A6
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\lmnvrim.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 17:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 16:14 66,580 --a------ C:\WINDOWS\SYSTEM32\jvnafemi.dll
2007-07-16 16:05 66,068 --a------ C:\WINDOWS\SYSTEM32\buvouteo.exe
2007-07-16 15:19 66,580 --a------ C:\WINDOWS\SYSTEM32\ifddpqkr.dll
2007-07-16 15:16 66,068 --a------ C:\WINDOWS\SYSTEM32\dhrmgume.exe
2007-07-16 15:06 66,580 --a------ C:\WINDOWS\SYSTEM32\iymcoxal.dll
2007-07-16 14:58 66,068 --a------ C:\WINDOWS\SYSTEM32\uetpnibd.exe
2007-07-16 12:42 66,580 --a------ C:\WINDOWS\SYSTEM32\nbgtbvqy.dll
2007-07-16 12:36 66,068 --a------ C:\WINDOWS\SYSTEM32\xadmrnoj.exe
2007-07-16 11:53 66,580 --a------ C:\WINDOWS\SYSTEM32\eakrkapy.dll
2007-07-16 11:47 66,068 --a------ C:\WINDOWS\SYSTEM32\sdfrxano.exe
2007-07-16 09:13 66,580 --a------ C:\WINDOWS\SYSTEM32\rprtoweo.dll
2007-07-16 09:04 66,068 --a------ C:\WINDOWS\SYSTEM32\ysjpkboo.exe
2007-07-16 08:12 66,580 --a------ C:\WINDOWS\SYSTEM32\nljiqtkr.dll
2007-07-16 08:06 66,068 --a------ C:\WINDOWS\SYSTEM32\qhsbkcod.exe
2007-07-15 20:44 66,068 --a------ C:\WINDOWS\SYSTEM32\ykqpxuns.exe
2007-07-15 20:34 66,068 --a------ C:\WINDOWS\SYSTEM32\fdgjrbbx.exe
2007-07-15 20:33 2,072 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-15 20:32 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-07-15 20:32 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-07-15 20:32 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-07-15 20:18 66,580 --a------ C:\WINDOWS\SYSTEM32\qaupyjmh.dll
2007-07-15 20:13 66,068 --a------ C:\WINDOWS\SYSTEM32\cdptpfoh.exe
2007-07-15 19:27 66,580 --a------ C:\WINDOWS\SYSTEM32\ojnmfxtx.dll
2007-07-15 19:21 66,068 --a------ C:\WINDOWS\SYSTEM32\ewuukjrg.exe
2007-07-15 19:12 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-15 19:05 66,068 --a------ C:\WINDOWS\SYSTEM32\eqowgltf.exe
2007-07-15 18:06 66,580 --a------ C:\WINDOWS\SYSTEM32\oobixohp.dll
2007-07-15 18:00 66,068 --a------ C:\WINDOWS\SYSTEM32\toeemhqm.exe
2007-07-15 17:11 66,580 --a------ C:\WINDOWS\SYSTEM32\vnjhutnr.dll
2007-07-15 17:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 16:59 66,068 --a------ C:\WINDOWS\SYSTEM32\mbbcircd.exe
2007-07-15 16:57 66,580 --a------ C:\WINDOWS\SYSTEM32\hkmvljim.dll
2007-07-15 16:51 66,068 --a------ C:\WINDOWS\SYSTEM32\qhwjptdo.exe
2007-07-15 16:01 66,580 --a------ C:\WINDOWS\SYSTEM32\mkgrylkk.dll
2007-07-15 15:55 66,068 --a------ C:\WINDOWS\SYSTEM32\qrckgajg.exe
2007-07-15 15:36 66,580 --a------ C:\WINDOWS\SYSTEM32\cfhqidnv.dll
2007-07-15 15:33 66,068 --a------ C:\WINDOWS\SYSTEM32\fgjspcde.exe
2007-07-15 14:32 66,068 --a------ C:\WINDOWS\SYSTEM32\jfllnbiq.exe
2007-07-15 10:18 66,580 --a------ C:\WINDOWS\SYSTEM32\tqgbiavl.dll
2007-07-15 10:12 66,068 --a------ C:\WINDOWS\SYSTEM32\ihfjhmxn.exe
2007-07-15 09:32 66,580 --a------ C:\WINDOWS\SYSTEM32\javxfbln.dll
2007-07-15 09:20 66,068 --a------ C:\WINDOWS\SYSTEM32\syjqbboy.exe
2007-07-14 11:43 66,580 --a------ C:\WINDOWS\SYSTEM32\adlldsqt.dll
2007-07-14 11:35 66,068 --a------ C:\WINDOWS\SYSTEM32\tblbosue.exe
2007-07-14 10:09 66,580 --a------ C:\WINDOWS\SYSTEM32\vehqubrc.dll
2007-07-14 10:09 66,068 --a------ C:\WINDOWS\SYSTEM32\svnhfude.exe
2007-07-13 10:21 66,580 --a------ C:\WINDOWS\SYSTEM32\dmrirkuc.dll
2007-07-13 10:07 66,068 --a------ C:\WINDOWS\SYSTEM32\stifkemd.exe
2007-07-12 18:13 66,580 --a------ C:\WINDOWS\SYSTEM32\bbnyhptc.dll
2007-07-12 18:08 66,068 --a------ C:\WINDOWS\SYSTEM32\ptgwayhs.exe
2007-07-12 12:35 66,580 --a------ C:\WINDOWS\SYSTEM32\hgpkhoml.dll
2007-07-12 12:29 66,068 --a------ C:\WINDOWS\SYSTEM32\seqnlkep.exe
2007-07-11 22:38 66,580 --a------ C:\WINDOWS\SYSTEM32\wpswryit.dll
2007-07-11 22:23 66,068 --a------ C:\WINDOWS\SYSTEM32\jwvfvhka.exe
2007-07-11 14:14 66,580 --a------ C:\WINDOWS\SYSTEM32\iscldbai.dll
2007-07-11 14:12 66,068 --a------ C:\WINDOWS\SYSTEM32\vfbarsyr.exe
2007-07-11 10:04 <DIR> d-------- C:\Program Files\Sierra
2007-07-11 10:02 <DIR> d-------- C:\DOCUME~1\GINLIN~1\APPLIC~1\InstallShield
2007-07-11 09:50 66,580 --a------ C:\WINDOWS\SYSTEM32\bbuxihhu.dll
2007-07-11 09:45 66,068 --a------ C:\WINDOWS\SYSTEM32\hsbmegol.exe
2007-07-10 18:39 66,068 --a------ C:\WINDOWS\SYSTEM32\odtdvwxs.exe
2007-07-09 21:02 <DIR> d-------- C:\Program Files\iTunes
2007-07-09 21:02 <DIR> d-------- C:\Program Files\iPod
2007-07-09 20:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-09 20:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-09 18:33 66,068 --a------ C:\WINDOWS\SYSTEM32\qvpmorfd.exe
2007-07-04 10:45 <DIR> d-------- C:\LINs
2007-07-01 18:38 <DIR> d-------- C:\Program Files\Picasa2
2007-07-01 18:35 <DIR> d-------- C:\Program Files\Retrospect
2007-07-01 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2007-07-01 17:43 339,968 --a------ C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2007-07-01 17:43 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-07-01 17:27 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2007-06-29 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-29 19:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 22:29:10 -------- d-----w C:\Program Files\MyWay
2007-07-13 04:36:16 -------- d-----w C:\DOCUME~1\GINLIN~1\APPLIC~1\Viewpoint
2007-07-11 15:04:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-11 01:38:27 -------- d-----w C:\DOCUME~1\GINLIN~1\APPLIC~1\Apple Computer
2007-07-03 05:07:34 -------- d-----w C:\Program Files\Starcraft
2007-07-03 01:03:21 -------- d-----w C:\Program Files\Windows NT
2007-07-01 23:37:33 -------- d-----w C:\Program Files\Google
2007-06-30 00:17:41 -------- d-----w C:\Program Files\Lavasoft
2007-06-21 22:37:35 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-17 03:06:23 -------- d-----w C:\Program Files\Windows Defender
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 06:13:23 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-01-05 04:53:00 26,856 -c--a-w C:\DOCUME~1\GINLIN~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D0730D-20B2-4FCF-840F-061427AF90F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8174D084-1433-4669-9C34-2E9614DB8D57}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBF67E2B-36E2-445E-8A7C-BFC0A89331E9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"@"="" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"WD Button Manager"="WDBtnMgr.exe" [2007-07-01 17:43 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2006-09-11 17:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-01 18:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido\security suite\shellhook.dll" [2004-09-30 07:21]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide


Contents of the 'Scheduled Tasks' folder
2007-07-16 16:04:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-16 22:58:54 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 17:58:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-16 18:01:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 18:00

--- E O F ---
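
A log-triage helper, added here as an example; it is not part of this thread and not code from HijackThis or ComboFix. It checks the two patterns a helper reads off logs like the HijackThis and ComboFix output posted above: O4/O23 lines that point at a random-named file under system32 or at a service with no owner or a missing file, and "Files Created" entries where several eight-letter names share one exact byte size (the 66,580-byte DLLs and 66,068-byte EXEs in this log). The sample lines are copied from the logs in this thread; the eight-lowercase-letter rule, the system32 restriction and the cluster threshold are assumptions of this example, not detection rules from either tool.

```python
import re
from collections import defaultdict

# Sample input (constructed for this example): a handful of lines copied
# from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{50-01-18-86-ZN}] C:\windows\system32\mmdsregp.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\aysvvgar.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gnmiydgk.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

SAMPLE_COMBOFIX = r"""
2007-07-16 17:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 16:14 66,580 --a------ C:\WINDOWS\SYSTEM32\jvnafemi.dll
2007-07-16 16:05 66,068 --a------ C:\WINDOWS\SYSTEM32\buvouteo.exe
2007-07-16 15:19 66,580 --a------ C:\WINDOWS\SYSTEM32\ifddpqkr.dll
2007-07-16 15:16 66,068 --a------ C:\WINDOWS\SYSTEM32\dhrmgume.exe
2007-07-15 20:33 2,072 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-01 17:43 339,968 --a------ C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2007-07-15 19:12 <DIR> d--hs---- C:\WINDOWS\CSC
"""

# Heuristic (an assumption of this example): an 8-letter all-lowercase stem.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
# ComboFix "Files Created" line: date, time, size or <DIR>, attributes, path.
CREATED_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")
# A Windows path embedded in an HJT line; stops at whitespace, quote or comma.
PATH_IN_TEXT = re.compile(r'[A-Za-z]:\\[^\s",]+')


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(path):
    """True for a stem like 'jvnafemi' (8 lowercase letters), False otherwise."""
    stem = basename(path).rsplit(".", 1)[0]
    return bool(RANDOM_STEM.match(stem))


def parse_created(text):
    """Parse ComboFix 'Files Created' lines into dicts; size is None for <DIR>."""
    entries = []
    for line in text.splitlines():
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "when": f"{date} {time}",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def size_clusters(entries, min_count=2):
    """Group random-named system32 files by exact byte size and keep groups of
    at least min_count: many different names with one size is the pattern
    visible in this thread's log."""
    by_size = defaultdict(list)
    for e in entries:
        if e["size"] is None or not SYSTEM32.search(e["path"]):
            continue
        if looks_random(e["path"]):
            by_size[e["size"]].append(e["path"])
    return {s: p for s, p in by_size.items() if len(p) >= min_count}


def hjt_findings(text):
    """Flag O4 Run entries that reference a random-named system32 file and
    O23 services with no owner or a missing binary. Returns (reason, line)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O4 - "):
            for path in PATH_IN_TEXT.findall(line):
                if SYSTEM32.search(path) and looks_random(path):
                    findings.append(("O4 random-named system32 file", line))
                    break
        elif line.startswith("O23 - "):
            if "Unknown owner" in line or "(file missing)" in line:
                findings.append(("O23 unknown owner or missing file", line))
    return findings


def triage(hjt_text, combofix_text):
    return {
        "hjt": hjt_findings(hjt_text),
        "clusters": size_clusters(parse_created(combofix_text)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HJT, SAMPLE_COMBOFIX)
    for reason, line in report["hjt"]:
        print(f"[{reason}] {line}")
    for size, paths in sorted(report["clusters"].items()):
        print(f"{len(paths)} random-named system32 files of {size:,} bytes:")
        for p in paths:
            print("   ", p)
```

Run as a script to print the report. A hit is a triage prompt, not a verdict: the O23 check also trips on the McAfee Framework entry in the first log above, which HijackThis lists as "Unknown owner" and "(file missing)", most likely because of the stray quote in that service's path, and the name rule will miss malware that uses a plausible name.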

Linfone
2007-07-17, 00:37
"Gin Lin" - 2007-07-16 17:41:38 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\afmnswnc.dll
C:\WINDOWS\system32\bjpmdesl.dll
C:\WINDOWS\system32\dlpmauig.dll
C:\WINDOWS\system32\ecgsnvqc.dll
C:\WINDOWS\system32\giaeters.dll
C:\WINDOWS\system32\gwkdkued.dll
C:\WINDOWS\system32\hqyqhypb.dll
C:\WINDOWS\system32\hsegunjg.dll
C:\WINDOWS\system32\hxtuxpqa.dll
C:\WINDOWS\system32\iamqkjau.dll
C:\WINDOWS\system32\idihmmfp.dll
C:\WINDOWS\system32\iuihmtgn.dll
C:\WINDOWS\system32\lbpmlmcc.dll
C:\WINDOWS\system32\loqukvld.dll
C:\WINDOWS\system32\mxqngauc.dll
C:\WINDOWS\system32\mxsnwaey.dll
C:\WINDOWS\system32\oscqagkw.dll
C:\WINDOWS\system32\rtawrfog.dll
C:\WINDOWS\system32\skdwseyj.dll
C:\WINDOWS\system32\slcioswh.dll
C:\WINDOWS\system32\svwcbnfa.dll
C:\WINDOWS\system32\uiswtxvl.dll
C:\WINDOWS\system32\uwwteflv.dll
C:\WINDOWS\system32\vbvbbwdf.dll
C:\WINDOWS\system32\vohwvicj.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\wbclqvkt.dll
C:\WINDOWS\system32\wuyxlles.dll
C:\WINDOWS\system32\ywkmhstp.dll
C:\WINDOWS\system32\alkgcrei.exe
C:\WINDOWS\system32\bmrenuct.exe
C:\WINDOWS\system32\bycwdpui.exe
C:\WINDOWS\system32\cswhhwof.exe
C:\WINDOWS\system32\dduoaoeh.exe
C:\WINDOWS\system32\ddxmeria.exe
C:\WINDOWS\system32\dymdumvj.exe
C:\WINDOWS\system32\eooiphwj.exe
C:\WINDOWS\system32\fpcdstkn.exe
C:\WINDOWS\system32\frwyjhgr.exe
C:\WINDOWS\system32\fsegwofr.exe
C:\WINDOWS\system32\fviuchso.exe
C:\WINDOWS\system32\fvnisxin.exe
C:\WINDOWS\system32\gibkhhyt.exe
C:\WINDOWS\system32\higqgfdv.exe
C:\WINDOWS\system32\hoqaxpkw.exe
C:\WINDOWS\system32\iflsbbbv.exe
C:\WINDOWS\system32\iuoducrl.exe
C:\WINDOWS\system32\jcgjdcef.exe
C:\WINDOWS\system32\jeoigqec.exe
C:\WINDOWS\system32\jfxinecd.exe
C:\WINDOWS\system32\keiuaeoa.exe
C:\WINDOWS\system32\kfuhnsml.exe
C:\WINDOWS\system32\kjjdcxvv.exe
C:\WINDOWS\system32\kojjrael.exe
C:\WINDOWS\system32\lgxufswh.exe
C:\WINDOWS\system32\librkryv.exe
C:\WINDOWS\system32\ltwffmgd.exe
C:\WINDOWS\system32\lvkxfcta.exe
C:\WINDOWS\system32\mbhbudfr.exe
C:\WINDOWS\system32\mcemyjee.exe
C:\WINDOWS\system32\mgkntnje.exe
C:\WINDOWS\system32\mqqnxhno.exe
C:\WINDOWS\system32\myhxohhe.exe
C:\WINDOWS\system32\niyjfocv.exe
C:\WINDOWS\system32\objwghrv.exe
C:\WINDOWS\system32\ocxmgnse.exe
C:\WINDOWS\system32\ofgdwbam.exe
C:\WINDOWS\system32\pgbgjkao.exe
C:\WINDOWS\system32\pnhsxpka.exe
C:\WINDOWS\system32\purealqj.exe
C:\WINDOWS\system32\qtusvmmc.exe
C:\WINDOWS\system32\qtxpiykb.exe
C:\WINDOWS\system32\rhnqxloi.exe
C:\WINDOWS\system32\tbqeadpt.exe
C:\WINDOWS\system32\tmwhjhuq.exe
C:\WINDOWS\system32\ttmjfeep.exe
C:\WINDOWS\system32\ueoyfirr.exe
C:\WINDOWS\system32\vsavnfxv.exe
C:\WINDOWS\system32\vwbujstx.exe
C:\WINDOWS\system32\xblavdqv.exe
C:\WINDOWS\system32\ysosbsmn.exe
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\lsedmpjb.ini
C:\WINDOWS\SYSTEM32\giuampld.ini
C:\WINDOWS\SYSTEM32\cqvnsgce.ini
C:\WINDOWS\SYSTEM32\bpyhqyqh.ini
C:\WINDOWS\SYSTEM32\gjnugesh.ini
C:\WINDOWS\SYSTEM32\cuagnqxm.ini
C:\WINDOWS\SYSTEM32\gofrwatr.ini
C:\WINDOWS\SYSTEM32\ttstv.ini
C:\WINDOWS\SYSTEM32\tkvqlcbw.ini
C:\WINDOWS\SYSTEM32\ptshmkwy.ini
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\system32\jkhhh.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\GINLIN~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\5MSRY4TC\www.broadcaster.com
C:\DOCUME~1\GINLIN~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\GINLIN~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\ipwindows
C:\Program Files\poolsv
C:\Program Files\svhost
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\41413471.dll
C:\WINDOWS\system32\A2
C:\WINDOWS\system32\A6
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\lmnvrim.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 17:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 16:14 66,580 --a------ C:\WINDOWS\SYSTEM32\jvnafemi.dll
2007-07-16 16:05 66,068 --a------ C:\WINDOWS\SYSTEM32\buvouteo.exe
2007-07-16 15:19 66,580 --a------ C:\WINDOWS\SYSTEM32\ifddpqkr.dll
2007-07-16 15:16 66,068 --a------ C:\WINDOWS\SYSTEM32\dhrmgume.exe
2007-07-16 15:06 66,580 --a------ C:\WINDOWS\SYSTEM32\iymcoxal.dll
2007-07-16 14:58 66,068 --a------ C:\WINDOWS\SYSTEM32\uetpnibd.exe
2007-07-16 12:42 66,580 --a------ C:\WINDOWS\SYSTEM32\nbgtbvqy.dll
2007-07-16 12:36 66,068 --a------ C:\WINDOWS\SYSTEM32\xadmrnoj.exe
2007-07-16 11:53 66,580 --a------ C:\WINDOWS\SYSTEM32\eakrkapy.dll
2007-07-16 11:47 66,068 --a------ C:\WINDOWS\SYSTEM32\sdfrxano.exe
2007-07-16 09:13 66,580 --a------ C:\WINDOWS\SYSTEM32\rprtoweo.dll
2007-07-16 09:04 66,068 --a------ C:\WINDOWS\SYSTEM32\ysjpkboo.exe
2007-07-16 08:12 66,580 --a------ C:\WINDOWS\SYSTEM32\nljiqtkr.dll
2007-07-16 08:06 66,068 --a------ C:\WINDOWS\SYSTEM32\qhsbkcod.exe
2007-07-15 20:44 66,068 --a------ C:\WINDOWS\SYSTEM32\ykqpxuns.exe
2007-07-15 20:34 66,068 --a------ C:\WINDOWS\SYSTEM32\fdgjrbbx.exe
2007-07-15 20:33 2,072 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-15 20:32 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-07-15 20:32 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-07-15 20:32 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-07-15 20:18 66,580 --a------ C:\WINDOWS\SYSTEM32\qaupyjmh.dll
2007-07-15 20:13 66,068 --a------ C:\WINDOWS\SYSTEM32\cdptpfoh.exe
2007-07-15 19:27 66,580 --a------ C:\WINDOWS\SYSTEM32\ojnmfxtx.dll
2007-07-15 19:21 66,068 --a------ C:\WINDOWS\SYSTEM32\ewuukjrg.exe
2007-07-15 19:12 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-15 19:05 66,068 --a------ C:\WINDOWS\SYSTEM32\eqowgltf.exe
2007-07-15 18:06 66,580 --a------ C:\WINDOWS\SYSTEM32\oobixohp.dll
2007-07-15 18:00 66,068 --a------ C:\WINDOWS\SYSTEM32\toeemhqm.exe
2007-07-15 17:11 66,580 --a------ C:\WINDOWS\SYSTEM32\vnjhutnr.dll
2007-07-15 17:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 16:59 66,068 --a------ C:\WINDOWS\SYSTEM32\mbbcircd.exe
2007-07-15 16:57 66,580 --a------ C:\WINDOWS\SYSTEM32\hkmvljim.dll
2007-07-15 16:51 66,068 --a------ C:\WINDOWS\SYSTEM32\qhwjptdo.exe
2007-07-15 16:01 66,580 --a------ C:\WINDOWS\SYSTEM32\mkgrylkk.dll
2007-07-15 15:55 66,068 --a------ C:\WINDOWS\SYSTEM32\qrckgajg.exe
2007-07-15 15:36 66,580 --a------ C:\WINDOWS\SYSTEM32\cfhqidnv.dll
2007-07-15 15:33 66,068 --a------ C:\WINDOWS\SYSTEM32\fgjspcde.exe
2007-07-15 14:32 66,068 --a------ C:\WINDOWS\SYSTEM32\jfllnbiq.exe
2007-07-15 10:18 66,580 --a------ C:\WINDOWS\SYSTEM32\tqgbiavl.dll
2007-07-15 10:12 66,068 --a------ C:\WINDOWS\SYSTEM32\ihfjhmxn.exe
2007-07-15 09:32 66,580 --a------ C:\WINDOWS\SYSTEM32\javxfbln.dll
2007-07-15 09:20 66,068 --a------ C:\WINDOWS\SYSTEM32\syjqbboy.exe
2007-07-14 11:43 66,580 --a------ C:\WINDOWS\SYSTEM32\adlldsqt.dll
2007-07-14 11:35 66,068 --a------ C:\WINDOWS\SYSTEM32\tblbosue.exe
2007-07-14 10:09 66,580 --a------ C:\WINDOWS\SYSTEM32\vehqubrc.dll
2007-07-14 10:09 66,068 --a------ C:\WINDOWS\SYSTEM32\svnhfude.exe
2007-07-13 10:21 66,580 --a------ C:\WINDOWS\SYSTEM32\dmrirkuc.dll
2007-07-13 10:07 66,068 --a------ C:\WINDOWS\SYSTEM32\stifkemd.exe
2007-07-12 18:13 66,580 --a------ C:\WINDOWS\SYSTEM32\bbnyhptc.dll
2007-07-12 18:08 66,068 --a------ C:\WINDOWS\SYSTEM32\ptgwayhs.exe
2007-07-12 12:35 66,580 --a------ C:\WINDOWS\SYSTEM32\hgpkhoml.dll
2007-07-12 12:29 66,068 --a------ C:\WINDOWS\SYSTEM32\seqnlkep.exe
2007-07-11 22:38 66,580 --a------ C:\WINDOWS\SYSTEM32\wpswryit.dll
2007-07-11 22:23 66,068 --a------ C:\WINDOWS\SYSTEM32\jwvfvhka.exe
2007-07-11 14:14 66,580 --a------ C:\WINDOWS\SYSTEM32\iscldbai.dll
2007-07-11 14:12 66,068 --a------ C:\WINDOWS\SYSTEM32\vfbarsyr.exe
2007-07-11 10:04 <DIR> d-------- C:\Program Files\Sierra
2007-07-11 10:02 <DIR> d-------- C:\DOCUME~1\GINLIN~1\APPLIC~1\InstallShield
2007-07-11 09:50 66,580 --a------ C:\WINDOWS\SYSTEM32\bbuxihhu.dll
2007-07-11 09:45 66,068 --a------ C:\WINDOWS\SYSTEM32\hsbmegol.exe
2007-07-10 18:39 66,068 --a------ C:\WINDOWS\SYSTEM32\odtdvwxs.exe
2007-07-09 21:02 <DIR> d-------- C:\Program Files\iTunes
2007-07-09 21:02 <DIR> d-------- C:\Program Files\iPod
2007-07-09 20:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-09 20:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-09 18:33 66,068 --a------ C:\WINDOWS\SYSTEM32\qvpmorfd.exe
2007-07-04 10:45 <DIR> d-------- C:\LINs
2007-07-01 18:38 <DIR> d-------- C:\Program Files\Picasa2
2007-07-01 18:35 <DIR> d-------- C:\Program Files\Retrospect
2007-07-01 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\RetroExp
2007-07-01 17:43 339,968 --a------ C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2007-07-01 17:43 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-07-01 17:27 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2007-06-29 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-29 19:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 22:29:10 -------- d-----w C:\Program Files\MyWay
2007-07-13 04:36:16 -------- d-----w C:\DOCUME~1\GINLIN~1\APPLIC~1\Viewpoint
2007-07-11 15:04:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-11 01:38:27 -------- d-----w C:\DOCUME~1\GINLIN~1\APPLIC~1\Apple Computer
2007-07-03 05:07:34 -------- d-----w C:\Program Files\Starcraft
2007-07-03 01:03:21 -------- d-----w C:\Program Files\Windows NT
2007-07-01 23:37:33 -------- d-----w C:\Program Files\Google
2007-06-30 00:17:41 -------- d-----w C:\Program Files\Lavasoft
2007-06-21 22:37:35 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-17 03:06:23 -------- d-----w C:\Program Files\Windows Defender
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 06:13:23 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-01-05 04:53:00 26,856 -c--a-w C:\DOCUME~1\GINLIN~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D0730D-20B2-4FCF-840F-061427AF90F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8174D084-1433-4669-9C34-2E9614DB8D57}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBF67E2B-36E2-445E-8A7C-BFC0A89331E9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"@"="" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"WD Button Manager"="WDBtnMgr.exe" [2007-07-01 17:43 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2006-09-11 17:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-01 18:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido\security suite\shellhook.dll" [2004-09-30 07:21]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide


Contents of the 'Scheduled Tasks' folder
2007-07-16 16:04:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-16 22:58:54 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 17:58:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-16 18:01:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 18:00

--- E O F ---

Linfone
2007-07-17, 00:38
Logfile of HijackThis v1.99.1
Scan saved at 6:02:41 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrospect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {26D0730D-20B2-4FCF-840F-061427AF90F9} - (no file)
O2 - BHO: (no name) - {8174D084-1433-4669-9C34-2E9614DB8D57} - (no file)
O2 - BHO: (no name) - {EBF67E2B-36E2-445E-8A7C-BFC0A89331E9} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe

Linfone
2007-07-17, 00:39
Um, reposted the above in the original thread.
My bad.

pskelley
2007-07-17, 01:34
Thanks for returning your information. I am concerned about your lack of being able to follow the posted directions. This is your computer you are working on; if you can't follow the directions I post, please let me know. I would prefer not to proceed under those circumstances.

Case in point, the instructions for combofix state this:

3) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here or Here to your Desktop.

You are running combofix from here: C:\ComboFix\vfind.cfexe
which is the C:\ drive NOT the Desktop.

Please remove combofix entirely from your computer.

Now do this:
Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Thank you
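
As an added illustration, not part of this thread or of any of the tools it mentions: the ComboFix "Files Created" listing earlier in the thread shows the pattern pskelley describes, same-size .dll/.exe pairs with throwaway eight-letter names appearing in SYSTEM32 roughly every hour. The Python below parses lines in that format and flags such size clusters; the sample log is constructed from a few of those entries plus two benign ones, and the function names and the three-file threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix "Files Created" format (a few entries
# copied from the log in this thread plus two benign ones for contrast).
SAMPLE_LOG = r"""
2007-07-16 17:40 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 16:14 66,580 --a------ C:\WINDOWS\SYSTEM32\jvnafemi.dll
2007-07-16 16:05 66,068 --a------ C:\WINDOWS\SYSTEM32\buvouteo.exe
2007-07-16 15:19 66,580 --a------ C:\WINDOWS\SYSTEM32\ifddpqkr.dll
2007-07-16 15:16 66,068 --a------ C:\WINDOWS\SYSTEM32\dhrmgume.exe
2007-07-15 20:32 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-07-15 19:12 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-15 10:18 66,580 --a------ C:\WINDOWS\SYSTEM32\tqgbiavl.dll
2007-07-15 10:12 66,068 --a------ C:\WINDOWS\SYSTEM32\ihfjhmxn.exe
2007-07-01 17:43 339,968 --a------ C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
"""

# date  time  size-or-<DIR>  nine-character attribute field  path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{9}) (.+)$"
)
# Eight lowercase letters followed by .dll or .exe, the naming style seen in the log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")


def parse_combofix_created(text):
    """Turn 'Files Created' lines into dicts; directory entries get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything not in the expected shape
        date, time, size, attrs, path = m.groups()
        entries.append({
            "date": date,
            "time": time,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def find_random_name_clusters(entries, min_count=3):
    """Group random-named .dll/.exe files under system32 by exact byte size.

    A single odd name proves nothing, but several files of identical size that
    all carry throwaway names is the regeneration pattern this thread shows.
    Returns {size: sorted list of file names} for groups of at least min_count
    files (the threshold is an arbitrary triage choice, not a tool setting).
    """
    by_size = defaultdict(list)
    for e in entries:
        if e["size"] is None:
            continue
        if "\\system32\\" not in e["path"].lower():
            continue
        if not RANDOM_NAME_RE.match(e["name"]):
            continue
        by_size[e["size"]].append(e["name"])
    return {size: sorted(names) for size, names in by_size.items()
            if len(names) >= min_count}


def triage_report(text, min_count=3):
    """Human-readable summary: one line per suspicious size cluster."""
    clusters = find_random_name_clusters(parse_combofix_created(text), min_count)
    lines = []
    for size in sorted(clusters):
        names = clusters[size]
        lines.append(f"{len(names)} random-named files of {size:,} bytes: "
                     + ", ".join(names))
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_LOG):
        print(line)
```

The cluster check is a triage aid only: it narrows a long listing to the names worth submitting or quarantining, and the file names it flags are exactly the ones VundoFix later reports deleting.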

Linfone
2007-07-17, 20:08
Logfile of HijackThis v1.99.1
Scan saved at 2:08:24 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1131200818\ee\AOLServiceHost.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe

Linfone
2007-07-17, 20:09
VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:54:56 PM 7/17/2007

Listing files found while scanning....

C:\windows\system32\adlldsqt.dll
C:\windows\system32\bbnyhptc.dll
C:\windows\system32\bbuxihhu.dll
C:\windows\system32\cfhqidnv.dll
C:\windows\system32\dmrirkuc.dll
C:\windows\system32\eakrkapy.dll
C:\windows\system32\hgpkhoml.dll
C:\windows\system32\hkmvljim.dll
C:\windows\system32\ifddpqkr.dll
C:\windows\system32\iscldbai.dll
C:\windows\system32\iymcoxal.dll
C:\windows\system32\javxfbln.dll
C:\windows\system32\jvnafemi.dll
C:\windows\system32\mkgrylkk.dll
C:\windows\system32\nbgtbvqy.dll
C:\windows\system32\nljiqtkr.dll
C:\windows\system32\ojnmfxtx.dll
C:\windows\system32\oobixohp.dll
C:\windows\system32\qaupyjmh.dll
C:\windows\system32\rprtoweo.dll
C:\windows\system32\tqgbiavl.dll
C:\windows\system32\vehqubrc.dll
C:\windows\system32\vnjhutnr.dll
C:\windows\system32\wpswryit.dll

Beginning removal...

Attempting to delete C:\windows\system32\adlldsqt.dll
C:\windows\system32\adlldsqt.dll Has been deleted!

Attempting to delete C:\windows\system32\bbnyhptc.dll
C:\windows\system32\bbnyhptc.dll Has been deleted!

Attempting to delete C:\windows\system32\bbuxihhu.dll
C:\windows\system32\bbuxihhu.dll Has been deleted!

Attempting to delete C:\windows\system32\cfhqidnv.dll
C:\windows\system32\cfhqidnv.dll Has been deleted!

Attempting to delete C:\windows\system32\dmrirkuc.dll
C:\windows\system32\dmrirkuc.dll Has been deleted!

Attempting to delete C:\windows\system32\eakrkapy.dll
C:\windows\system32\eakrkapy.dll Has been deleted!

Attempting to delete C:\windows\system32\hgpkhoml.dll
C:\windows\system32\hgpkhoml.dll Has been deleted!

Attempting to delete C:\windows\system32\hkmvljim.dll
C:\windows\system32\hkmvljim.dll Has been deleted!

Attempting to delete C:\windows\system32\ifddpqkr.dll
C:\windows\system32\ifddpqkr.dll Has been deleted!

Attempting to delete C:\windows\system32\iscldbai.dll
C:\windows\system32\iscldbai.dll Has been deleted!

Attempting to delete C:\windows\system32\iymcoxal.dll
C:\windows\system32\iymcoxal.dll Has been deleted!

Attempting to delete C:\windows\system32\javxfbln.dll
C:\windows\system32\javxfbln.dll Has been deleted!

Attempting to delete C:\windows\system32\jvnafemi.dll
C:\windows\system32\jvnafemi.dll Has been deleted!

Attempting to delete C:\windows\system32\mkgrylkk.dll
C:\windows\system32\mkgrylkk.dll Has been deleted!

Attempting to delete C:\windows\system32\nbgtbvqy.dll
C:\windows\system32\nbgtbvqy.dll Has been deleted!

Attempting to delete C:\windows\system32\nljiqtkr.dll
C:\windows\system32\nljiqtkr.dll Has been deleted!

Attempting to delete C:\windows\system32\ojnmfxtx.dll
C:\windows\system32\ojnmfxtx.dll Has been deleted!

Attempting to delete C:\windows\system32\oobixohp.dll
C:\windows\system32\oobixohp.dll Has been deleted!

Attempting to delete C:\windows\system32\qaupyjmh.dll
C:\windows\system32\qaupyjmh.dll Has been deleted!

Attempting to delete C:\windows\system32\rprtoweo.dll
C:\windows\system32\rprtoweo.dll Has been deleted!

Attempting to delete C:\windows\system32\tqgbiavl.dll
C:\windows\system32\tqgbiavl.dll Has been deleted!

Attempting to delete C:\windows\system32\vehqubrc.dll
C:\windows\system32\vehqubrc.dll Has been deleted!

Attempting to delete C:\windows\system32\vnjhutnr.dll
C:\windows\system32\vnjhutnr.dll Has been deleted!

Attempting to delete C:\windows\system32\wpswryit.dll
C:\windows\system32\wpswryit.dll Has been deleted!

Performing Repairs to the registry.
Done!

pskelley
2007-07-17, 20:17
Thanks, Vundofix cleaned out a load of files and your HJT log looks clean. How is the computer running now? Let's give another good scan a look like this:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Linfone
2007-07-17, 23:10
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 17, 2007 5:07:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 17/07/2007
Kaspersky Anti-Virus database records: 340920
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 143537
Number of viruses found: 9
Number of infected objects: 188
Number of suspicious objects: 22
Duration of the scan process: 02:37:34

Infected Object Name / Virus Name / Last Action
C:\Diablo II\d2gfz.dll Infected: SpamTool.Win32.VB.f skipped
C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_D30MRT21.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_D30MRT21.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05162007-220654.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1549OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Gin Lin\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A8583897-95C2-4369-9DF2-85FBBACFD812} Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Gin Lin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gin Lin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gin Lin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Guest\Local Settings\Temp\royrvvfv.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Roger Lin\Desktop\backups\backup-20070516-192728-691.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Roger Lin\Local Settings\Temp\CmarP1065.exe/data0005 Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\Documents and Settings\Roger Lin\Local Settings\Temp\CmarP1065.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Roger Lin\Local Settings\Temp\YazzleBundle-1281.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Roger Lin\Local Settings\Temp\YazzleBundle-1281.exe NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\afmnswnc.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\alkgcrei.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bmrenuct.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bycwdpui.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cswhhwof.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dduoaoeh.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ddxmeria.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dymdumvj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eooiphwj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fpcdstkn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\frwyjhgr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fsegwofr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fviuchso.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fvnisxin.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\giaeters.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gibkhhyt.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gwkdkued.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\higqgfdv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hoqaxpkw.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iamqkjau.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\idihmmfp.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iflsbbbv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iuihmtgn.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iuoducrl.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jcgjdcef.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jeoigqec.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jfxinecd.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\keiuaeoa.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kfuhnsml.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kjjdcxvv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kojjrael.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lbpmlmcc.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lgxufswh.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\librkryv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ltwffmgd.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lvkxfcta.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mbhbudfr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mcemyjee.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mgkntnje.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mqqnxhno.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mxsnwaey.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\myhxohhe.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\niyjfocv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\objwghrv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ocxmgnse.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ofgdwbam.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oscqagkw.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pgbgjkao.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pnhsxpka.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\purealqj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qtusvmmc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qtxpiykb.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rhnqxloi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skdwseyj.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\slcioswh.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\svwcbnfa.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tbqeadpt.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tmwhjhuq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ttmjfeep.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ueoyfirr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uiswtxvl.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uwwteflv.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vbvbbwdf.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vohwvicj.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vsavnfxv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vwbujstx.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wuyxlles.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xblavdqv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ysosbsmn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped

Linfone
2007-07-17, 23:11
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1431\A0079090.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1431\A0079091.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091077.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091081.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091082.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091086.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091087.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091088.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091089.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091092.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091093.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091095.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091096.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091097.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091098.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091099.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091100.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091101.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091104.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091106.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091107.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091108.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091109.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091110.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091111.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091112.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091113.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091114.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091115.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091116.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091117.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091118.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091119.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091120.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091121.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091122.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091123.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091124.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091125.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091126.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091127.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091128.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091129.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091130.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091131.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091132.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091133.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091134.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091135.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091136.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091137.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091138.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091139.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091140.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091141.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091142.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091143.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091144.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091145.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091146.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091147.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091148.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091149.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091150.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091151.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091152.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091153.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091154.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1534\A0091155.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091256.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091257.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091258.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091259.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091260.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091261.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091262.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091263.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091264.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091265.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091266.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091267.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091268.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091269.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091270.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091271.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091272.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091273.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091274.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091275.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091276.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091277.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091278.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1535\A0091279.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1538\change.log Object is locked skipped
C:\VundoFix Backups\adlldsqt.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\bbnyhptc.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\bbuxihhu.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\cfhqidnv.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\dmrirkuc.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\eakrkapy.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\hgpkhoml.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\hkmvljim.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\ifddpqkr.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\iscldbai.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\iymcoxal.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\javxfbln.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\jvnafemi.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\mkgrylkk.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\nbgtbvqy.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\nljiqtkr.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\ojnmfxtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\oobixohp.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\qaupyjmh.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\rprtoweo.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\tqgbiavl.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\vehqubrc.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\vnjhutnr.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\wpswryit.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\SBO\SB1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\CmarP1065.exe/data0005 Infected: Trojan-Downloader.Win32.VB.fn skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\CmarP1065.exe NSIS: infected - 1 skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\YazzleBundle-1281.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\YazzleBundle-1281.exe NSIS: infected - 1 skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\yazzlesnet.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\yazzlesnet.exe NSIS: infected - 1 skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Guest\Local Settings\Temp\royrvvfv.dll Infected: Trojan.Win32.BHO.g skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Roger Lin\Desktop\backups\backup-20070516-192728-691.dll Infected: Trojan.Win32.BHO.g skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Roger Lin\Local Settings\Temp\CmarP1065.exe/data0005 Infected: Trojan-Downloader.Win32.VB.fn skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Roger Lin\Local Settings\Temp\CmarP1065.exe NSIS: infected - 1 skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Roger Lin\Local Settings\Temp\YazzleBundle-1281.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Roger Lin\Local Settings\Temp\YazzleBundle-1281.exe NSIS: infected - 1 skipped

Scan process completed.

pskelley
2007-07-18, 01:33
Kaspersky:
C:\Diablo II\d2gfz.dll Infected: SpamTool.Win32.VB.f <<< delete that file in red

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete everything in the recovery folder.
Open Spybot > Click Recovery (red cross) check all items > click Purge selected items

C:\Documents and Settings\Guest\Local Settings\Temp\ <<< delete the contents of that TEMP folder (not the folder)

C:\Documents and Settings\Roger Lin\Desktop\backups\ <<< delete the contents of the backups folder
(this is HJT, so you may have moved the backups folder here: C:\HJT\ <<< it should be in that folder). Do not delete the folder, just the contents.

C:\Documents and Settings\Roger Lin\Local Settings\Temp\ <<< delete the contents of that Temp folder (not the folder)

C:\QooBox\ <<< delete that folder completely

C:\System Volume Information\_restore <<< System Restore files, follow these instructions:
System Restore does not know the good files from the bad. Bad stuff has gotten into your System Restore files; follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

C:\VundoFix Backups\ <<< delete that folder completely

E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Gin Lin\Local Settings\Temp\ <<< delete the contents of that Temp folder (not the folder)

E:\Retrospect Copies\Backup of Local Disk (C)\Documents and Settings\Roger Lin\Local Settings\Temp\ <<< delete the contents of that Temp folder (not the folder)

RUN Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and post a new Kaspersky scan.

Thanks
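As an added example (not code from this thread or from either poster), the triage the helper did by hand on the Kaspersky log above: a parser for the line forms that appear in the posted scan, which drops the "Object is locked" noise and groups the real detections by folder, separating quarantine, backup and restore-point copies from files in live locations. The sample log lines and the folder-classification rules are constructed here from the paths in the posted log and the helper's reply.

```python
"""Triage a Kaspersky Online Scanner log in the form posted in this thread.

Line forms handled (all end in "skipped" in the posted log):
  <path> Infected: <name> skipped
  <path> Suspicious: <name> skipped
  <path> NSIS: infected - 1 skipped
  <path> Object is locked skipped
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed regex for the verdict forms above; the scanner publishes no grammar.
_VERDICT_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<infected>\S+)|Suspicious: (?P<suspicious>\S+)"
    r"|NSIS: infected - (?P<nsis>\d+)|Object is locked)"
    r" skipped$"
)


@dataclass(frozen=True)
class Finding:
    path: str      # file as reported; archive members carry a "/dataNNNN" suffix
    folder: str    # parent directory of the on-disk container file
    verdict: str   # "infected", "suspicious", "nsis" or "locked"
    name: str      # detection name, or "" for locked / NSIS summary lines


def parse_line(line):
    """Parse one log line; returns None for lines that are not findings."""
    m = _VERDICT_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # "CmarP1065.exe/data0005" is a member inside an NSIS installer; the object
    # on disk is the .exe, so group by the container's folder.
    container = path.split("/", 1)[0]
    folder = container.rsplit("\\", 1)[0]
    if m.group("infected"):
        return Finding(path, folder, "infected", m.group("infected"))
    if m.group("suspicious"):
        return Finding(path, folder, "suspicious", m.group("suspicious"))
    if m.group("nsis"):
        return Finding(path, folder, "nsis", "")
    return Finding(path, folder, "locked", "")


# Quarantine, tool-backup and restore-point storage seen in the log and in the
# helper's reply: a hit there is a stored copy of something already removed.
_ARCHIVE_PREFIXES = (
    "C:\\QooBox\\Quarantine",
    "C:\\VundoFix Backups",
    "C:\\System Volume Information\\_restore",
    "C:\\Documents and Settings\\All Users\\Application Data"
    "\\Spybot - Search & Destroy\\Recovery",
)


def classify_folder(folder):
    if any(folder.startswith(p) for p in _ARCHIVE_PREFIXES):
        return "archived copy"
    if "\\Retrospect Copies\\" in folder:   # checked before Temp: backups contain Temp
        return "backup set"
    if "\\Local Settings\\Temp" in folder:
        return "temp folder"
    return "live location"


def triage(log_text):
    """Return {folder: {"kind", "names", "count"}}, dropping locked-object lines.

    A locked object means the scanner could not read the file, not that it
    is infected, so those lines carry no cleanup action.
    """
    groups = defaultdict(lambda: {"kind": "", "names": set(), "count": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.verdict == "locked":
            continue
        g = groups[f.folder]
        g["kind"] = classify_folder(f.folder)
        g["count"] += 1
        if f.name:
            g["names"].add(f.name)
    return {k: {"kind": v["kind"], "names": sorted(v["names"]), "count": v["count"]}
            for k, v in sorted(groups.items())}


# Constructed sample in the format of the posted log, one or two lines per kind.
SAMPLE_LOG = """\
C:\\Documents and Settings\\Gin Lin\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\Guest\\Local Settings\\Temp\\royrvvfv.dll Infected: Trojan.Win32.BHO.g skipped
C:\\Documents and Settings\\Roger Lin\\Local Settings\\Temp\\CmarP1065.exe/data0005 Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\\Documents and Settings\\Roger Lin\\Local Settings\\Temp\\CmarP1065.exe NSIS: infected - 1 skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\alkgcrei.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\giaeters.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP1534\\A0091077.dll Infected: Trojan.Win32.BHO.g skipped
C:\\VundoFix Backups\\adlldsqt.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\\WINDOWS\\SYSTEM32\\SBO\\SB1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
Scan process completed.
"""

if __name__ == "__main__":
    for folder, g in triage(SAMPLE_LOG).items():
        print(f"{g['kind']:14} {g['count']:3}  {folder}  {', '.join(g['names'])}")
```

Run against the full posted log, the output is the folder list the helper replied with, plus anything outside quarantine, Temp and restore-point storage, which is what still needs attention on the live system.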

tashi
2007-07-23, 15:19
Two topics:
http://forums.spybot.info/showthread.php?p=104765#post104765

Do you want them merged Phil?

EDIT: Merged two topics.

tashi
2007-07-28, 07:24
Due to lack of a response to the helper, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.