Virtumondo hard edition



larssov
2007-08-07, 22:30
Hi, I have gotten a really hard Virtumondo.
Can someone help me? Here are the latest ComboFix and HijackThis logs. I usually have a BHO (O2) entry too, but that one is removed for the time being. It is always the same file as the one listed directly under O20 - AppInit_DLLs.

I would be thrilled if someone could help me. I have waited three days on another forum, but they seem to have forgotten me :( Thanks in advance.

I am sorry that I did not attach the HijackThis log, but I could only attach one file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:30, on 2007-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\D-Tools\daemon.exe
H:\Program\Java\jre1.6.0_02\bin\jusched.exe
H:\WINDOWS\System32\svchost.exe
H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program\Personal\bin\Personal.exe
H:\WINDOWS\system32\RunDll32.exe
H:\Program\Delade filer\Teleca Shared\Generic.exe
H:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\Program\Mozilla Firefox\firefox.exe
H:\WINDOWS\explorer.exe
H:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] H:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = H:\Program\Personal\bin\Personal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O20 - AppInit_DLLs: h:\windows\system32\vturopn.dll
O20 - Winlogon Notify: erstuf - H:\WINDOWS\SYSTEM32\erstuf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - H:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3834 bytes

random/random
2007-08-08, 00:05
Please don't post logs as attachments; it's quite inconvenient having to download them.

Open a new Notepad window (Start > All Programs > Accessories > Notepad).
Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard.

File::
H:\WINDOWS\system32\jkhhf.exe
H:\WINDOWS\efdeec.dll
H:\WINDOWS\vtrqqp.dll
H:\WINDOWS\hgfgee.dll
H:\WINDOWS\khijjj.dll
H:\WINDOWS\byyvur.dll
H:\WINDOWS\gebayw.dll
H:\WINDOWS\wvvsqp.dll
H:\WINDOWS\geebca.dll
H:\WINDOWS\opqpmk.dll
H:\WINDOWS\mlklii.dll
H:\WINDOWS\system32\vturopn.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\erstuf]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
RootKit::
H:\WINDOWS\system32\erstuf.dll
Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
Save it to the desktop as CFscript.txt.
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
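
The script above targets three places Vundo uses to get its DLLs loaded: a BHO (O2) that Internet Explorer loads, AppInit_DLLs (O20) that is injected into every process that loads user32.dll, and a Winlogon Notify (O20) subkey that winlogon.exe loads at boot, which is why the file keeps coming back and why the Notify DLL goes in the RootKit:: section. The following Python is an added example (not code from this thread, HijackThis or ComboFix) that pulls those three entry types out of a HijackThis log, flags the ones matching the pattern seen in this thread, and diffs a before/after pair so you can confirm the loaders really are gone. The sample lines are copied from the three HijackThis logs posted in this thread; the regexes, the "loose in the Windows directory" heuristic and all function names are this example's own.

```python
"""Triage the DLL-loading entries (O2 / O20) in HijackThis logs.

Added example for this thread; the heuristic and names are the example's own.
"""
import re
from dataclasses import dataclass

# Line shapes this example understands; the prefixes are the real HijackThis
# 2.0.2 ones as they appear in the logs above, the regexes are this example's.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")

# A DLL sitting loose in %WINDIR% or %WINDIR%\system32 rather than under a
# product folder. The drive letter is ignored on purpose (this machine is H:).
LOOSE_IN_WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Loader:
    kind: str   # "bho", "appinit" or "winlogon_notify"
    name: str   # BHO display name, Notify subkey, or "" for AppInit_DLLs
    path: str   # DLL path exactly as written in the log


def parse_loaders(log_text: str) -> list[Loader]:
    """Extract every O2 BHO, O20 AppInit_DLLs and O20 Winlogon Notify entry."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            found.append(Loader("bho", m["name"], m["path"]))
        elif m := O20_APPINIT_RE.match(line):
            # AppInit_DLLs is a space- or comma-separated list of DLLs.
            for dll in re.split(r"[ ,]+", m["dlls"].strip()):
                if dll:
                    found.append(Loader("appinit", "", dll))
        elif m := O20_NOTIFY_RE.match(line):
            found.append(Loader("winlogon_notify", m["subkey"], m["path"]))
    return found


def is_suspicious(ldr: Loader) -> bool:
    """Anything in AppInit_DLLs or a listed Winlogon Notify subkey is worth a
    look (in the logs above only the Vundo DLLs appear there), and a BHO with
    no name whose DLL sits loose in the Windows directory is the pattern the
    second log shows with c_1iag.dll. Spybot's SDHelper.dll also has "(no
    name)" but lives under its product folder, so it is not flagged."""
    if ldr.kind in ("appinit", "winlogon_notify"):
        return True
    return ldr.name == "(no name)" and bool(LOOSE_IN_WINDIR_RE.match(ldr.path))


def suspicious_paths(log_text: str) -> set[str]:
    """Lower-cased DLL paths of every flagged loader in one log."""
    return {ldr.path.lower() for ldr in parse_loaders(log_text) if is_suspicious(ldr)}


def removed_between(before: str, after: str) -> set[str]:
    """Flagged loaders present in `before` that no longer appear in `after`."""
    return suspicious_paths(before) - suspicious_paths(after)


# Constructed samples: lines copied from the first, second and third HijackThis
# logs in this thread, trimmed to the entries that matter here.
FIRST_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: h:\windows\system32\vturopn.dll
O20 - Winlogon Notify: erstuf - H:\WINDOWS\SYSTEM32\erstuf.dll
"""
SECOND_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f28a74ab-0fa5-47a0-aef4-1aa86c6c80b5} - H:\WINDOWS\system32\c_1iag.dll
O20 - AppInit_DLLs: h:\windows\system32\vturopn.dll
O20 - Winlogon Notify: c_1iag - H:\WINDOWS\SYSTEM32\c_1iag.dll
"""
THIRD_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
"""

if __name__ == "__main__":
    for label, log in (("first", FIRST_LOG), ("second", SECOND_LOG), ("third", THIRD_LOG)):
        print(f"{label} log, flagged loaders: {sorted(suspicious_paths(log)) or 'none'}")
    print("removed between second and third:", sorted(removed_between(SECOND_LOG, THIRD_LOG)))
```

Run on the thread's own logs, the first two each flag two DLLs (the AppInit_DLLs file plus the Winlogon Notify file, which in the second log is also registered as a BHO) and the third flags nothing, which is the state the helper is waiting to see before calling the machine clean. The file names change between runs (erstuf becomes c_1iag), so the check keys on the loading mechanism and the drop location, not on a name.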

larssov
2007-08-09, 03:19
Hi, you are my hero. My new logs do seem bad still, but I am thrilled to receive some help.

"Victor" - 2007-08-09 2:11:59 [GMT 2:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
Command switches used :: H:\Documents and Settings\Victor\Skrivbord\CFFIX.TXT


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


H:\WINDOWS\system32\jkhhf.exe
H:\WINDOWS\system32\erstuf.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


H:\WINDOWS\system32\dne43ea740.dat


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 02:14 105,385 --a------ H:\WINDOWS\system32\vtstu.exe
2007-08-07 20:24 99,080 -ra------ H:\WINDOWS\system32\drivers\s116unic.sys
2007-08-07 20:24 98,696 -ra------ H:\WINDOWS\system32\drivers\s116obex.sys
2007-08-07 20:24 23,176 -ra------ H:\WINDOWS\system32\drivers\s116nd5.sys
2007-08-07 20:24 11,016 -ra------ H:\WINDOWS\system32\drivers\s116cr.sys
2007-08-07 20:24 100,488 -ra------ H:\WINDOWS\system32\drivers\s116mgmt.sys
2007-08-07 20:23 15,112 -ra------ H:\WINDOWS\system32\drivers\s116mdfl.sys
2007-08-07 20:23 12,424 -ra------ H:\WINDOWS\system32\drivers\s116cmnt.sys
2007-08-07 20:23 12,424 -ra------ H:\WINDOWS\system32\drivers\s116cm.sys
2007-08-07 20:23 108,680 -ra------ H:\WINDOWS\system32\drivers\s116mdm.sys
2007-08-07 20:08 83,336 -ra------ H:\WINDOWS\system32\drivers\s116bus.sys
2007-08-07 20:08 12,424 -ra------ H:\WINDOWS\system32\drivers\s116whnt.sys
2007-08-07 20:08 12,424 -ra------ H:\WINDOWS\system32\drivers\s116wh.sys
2007-08-06 22:20 <KAT> d-------- H:\WINDOWS\ERUNT
2007-08-06 22:03 24,576 --a------ H:\WINDOWS\system32\VundoFixSVC.exe
2007-08-06 21:21 1,132 --a------ H:\WINDOWS\mozver.dat
2007-08-06 20:27 <KAT> d-------- H:\WINDOWS\CSC
2007-08-06 20:22 131,421 --a------ H:\WINDOWS\efdeec.dll
2007-08-06 07:05 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Talkback
2007-08-06 07:04 0 --a------ H:\WINDOWS\nsreg.dat
2007-08-06 07:02 131,382 --a------ H:\WINDOWS\vtrqqp.dll
2007-08-06 00:16 118,784 --a------ H:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-06 00:16 <KAT> d-------- H:\Program\SpywareBlaster
2007-08-05 23:42 131,433 --a------ H:\WINDOWS\hgfgee.dll
2007-08-05 22:09 131,433 --a------ H:\WINDOWS\khijjj.dll
2007-08-05 22:06 131,433 --a------ H:\WINDOWS\byyvur.dll
2007-08-05 22:02 131,433 --a------ H:\WINDOWS\gebayw.dll
2007-08-05 21:49 131,433 --a------ H:\WINDOWS\wvvsqp.dll
2007-08-05 21:48 131,433 --a------ H:\WINDOWS\geebca.dll
2007-08-05 19:50 131,433 --a------ H:\WINDOWS\opqpmk.dll
2007-08-05 16:37 10,872 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-05 16:33 <KAT> d-------- H:\Program\Lavasoft
2007-08-05 16:33 <KAT> d-------- H:\Program\Delade filer\Wise Installation Wizard
2007-08-05 16:33 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-05 16:18 51,200 --a------ H:\WINDOWS\nircmd.exe
2007-08-05 15:58 2,598 --a------ H:\WINDOWS\system32\tmp.reg
2007-08-05 15:56 <KAT> d-------- H:\VundoFix Backups
2007-08-05 06:15 524,288 --ah----- H:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-05 06:15 <KAT> dr------- H:\DOCUME~1\ADMINI~1\Start-meny
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Skrivare
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Nätverket
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Mallar
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Skrivbord
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Mina dokument
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Favoriter
2007-08-05 05:32 131,448 --a------ H:\WINDOWS\mlklii.dll
2007-08-04 23:36 13,380 --------- H:\WINDOWS\system32\vturopn.dll
2007-08-04 20:20 68,888 --a------ H:\WINDOWS\system32\xinput1_3.dll
2007-08-04 20:20 62,744 --a------ H:\WINDOWS\system32\xinput1_2.dll
2007-08-04 20:20 3,426,072 --a------ H:\WINDOWS\system32\d3dx9_32.dll
2007-08-04 20:20 255,848 --a------ H:\WINDOWS\system32\xactengine2_6.dll
2007-08-04 20:20 251,672 --a------ H:\WINDOWS\system32\xactengine2_5.dll
2007-08-04 20:20 237,848 --a------ H:\WINDOWS\system32\xactengine2_4.dll
2007-08-04 20:20 236,824 --a------ H:\WINDOWS\system32\xactengine2_3.dll
2007-08-04 20:20 2,414,360 --a------ H:\WINDOWS\system32\d3dx9_31.dll
2007-08-04 20:20 15,128 --a------ H:\WINDOWS\system32\x3daudio1_1.dll
2007-08-04 20:19 2,297,552 --a------ H:\WINDOWS\system32\d3dx9_26.dll
2007-08-04 20:09 <KAT> d--hs---- H:\WINDOWS\ftpcache
2007-08-02 23:01 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\GlobalSCAPE
2007-08-02 23:01 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE
2007-08-02 23:00 <KAT> d-------- H:\Program\GlobalSCAPE
2007-07-29 10:42 <KAT> d-------- H:\Program\IZArc
2007-07-28 03:00 <KAT> d-------- H:\Program\MSXML 4.0
2007-07-26 12:39 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Teleca
2007-07-26 12:37 <KAT> d-------- H:\Program\Sony Ericsson
2007-07-26 12:37 <KAT> d-------- H:\Program\Delade filer\Teleca Shared
2007-07-26 12:37 <KAT> d-------- H:\Program\Delade filer\Sony Ericsson Shared
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Sony Ericsson
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-07-24 17:20 <KAT> d-------- H:\Program\Personal
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\cbt
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Personal
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Netscape
2007-07-24 15:23 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\dvdcss
2007-07-24 12:59 <KAT> d-------- H:\DOCUME~1\Victor\Incomplete
2007-07-24 12:59 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\LimeWire
2007-07-24 12:58 <KAT> d-------- H:\Program\LimeWire
2007-07-24 11:13 2,368 --a------ H:\WINDOWS\system32\STEC3.sys
2007-07-23 18:27 <KAT> d-------- H:\Program\Spybot
2007-07-23 18:27 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 18:35:22 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\Azureus
2007-08-04 18:19:41 -------- d--h--w H:\Program\InstallShield Installation Information
2007-07-04 20:13:01 -------- d-----w H:\Program\Azureus
2007-07-03 01:00:53 -------- d-----w H:\Program\Messenger
2007-07-02 21:36:48 -------- d-----w H:\Program\MSN Messenger
2007-07-02 20:01:19 -------- d-----w H:\Program\Delade filer\EZB Systems
2007-07-02 19:25:54 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\Help
2007-07-02 19:24:17 -------- d-----w H:\Program\Delade filer\InstallShield
2007-07-02 01:13:36 47,784 ----a-w H:\WINDOWS\system32\perfc01D.dat
2007-07-02 01:13:36 315,006 ----a-w H:\WINDOWS\system32\perfh01D.dat
2007-06-30 18:52:13 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\vlc
2007-06-30 18:47:49 -------- d-----w H:\Program\VideoLAN
2007-06-30 18:21:12 -------- d-----w H:\Program\Delade filer\ODBC
2007-06-30 18:21:08 -------- d-----w H:\Program\Delade filer\SpeechEngines
2007-06-30 17:20:48 -------- d-----w H:\Program\ASUS
2007-06-30 17:18:32 -------- d-----w H:\Program\Intel
2007-06-30 17:15:56 -------- d-----w H:\Program\Analog Devices
2007-06-30 16:33:56 -------- d-----w H:\Program\microsoft frontpage
2007-06-30 16:32:30 -------- d--h--w H:\Program\WindowsUpdate
2007-06-30 16:32:27 -------- d-----w H:\Program\Onlinetjänster
2007-06-30 16:31:23 -------- d-----w H:\Program\Delade filer\MSSoap
2007-06-30 16:31:11 -------- d-----w H:\Program\Movie Maker
2007-06-30 16:30:14 21,700 ----a-w H:\WINDOWS\system32\emptyregdb.dat
2007-06-30 16:29:48 -------- d-----w H:\Program\MSN Gaming Zone
2007-06-30 16:29:36 -------- d-----w H:\Program\Windows NT
2007-06-13 19:50:17 43,152 ----a-w H:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 19:25:36 339,968 ----a-w H:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 19:24:32 268,288 ----a-w H:\WINDOWS\system32\ati2dvag.dll
2007-06-13 19:24:13 2,155,520 ----a-w H:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 19:23:23 307,200 ----a-w H:\WINDOWS\system32\atiiiexx.dll
2007-06-13 19:17:37 139,264 ----a-w H:\WINDOWS\system32\atipdlxx.dll
2007-06-13 19:17:26 118,784 ----a-w H:\WINDOWS\system32\Oemdspif.dll
2007-06-13 19:17:18 26,112 ----a-w H:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 19:17:12 42,496 ----a-w H:\WINDOWS\system32\ati2edxx.dll
2007-06-13 19:16:59 118,784 ----a-w H:\WINDOWS\system32\ati2evxx.dll
2007-06-13 19:15:39 483,328 ----a-w H:\WINDOWS\system32\ati2evxx.exe
2007-06-13 19:14:51 53,248 ----a-w H:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 19:10:33 8,097,792 ----a-w H:\WINDOWS\system32\atioglx2.dll
2007-06-13 19:07:26 2,922,208 ----a-w H:\WINDOWS\system32\ati3duag.dll
2007-06-13 18:57:21 1,512,960 ----a-w H:\WINDOWS\system32\ativvaxx.dll
2007-06-13 18:57:04 972,072 ----a-w H:\WINDOWS\system32\ativva6x.dat
2007-06-13 18:57:04 3,107,788 ----a-w H:\WINDOWS\system32\ativvaxx.dat
2007-06-13 18:57:04 3,107,788 ----a-w H:\WINDOWS\system32\ativva5x.dat
2007-06-13 18:46:28 5,431,296 ----a-w H:\WINDOWS\system32\atioglxx.dll
2007-06-13 18:43:53 262,144 ----a-w H:\WINDOWS\system32\atikvmag.dll
2007-06-13 18:42:29 17,408 ----a-w H:\WINDOWS\system32\atitvo32.dll
2007-06-13 18:41:46 49,152 ----a-w H:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 18:41:06 50,176 ----a-w H:\WINDOWS\system32\atiok3x2.dll
2007-06-13 18:36:45 368,640 ----a-w H:\WINDOWS\system32\ati2cqag.dll
2007-06-13 12:29:00 520,192 ------w H:\WINDOWS\system32\ati2sgag.exe
2007-05-16 15:20:05 683,520 ----a-w H:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"PRONoMgr.exe"="H:\Program\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"SoundMAXPnP"="H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28]
"SoundMAX"="H:\Program\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 09:42]
"ASUS Probe"="H:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07]
"DAEMON Tools-1033"="C:\Program\D-Tools\daemon.exe" [2004-08-22 17:05]
"SunJavaUpdateSched"="H:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Sony Ericsson PC Suite"="H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34]

H:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Personal.lnk - H:\Program\Personal\bin\Personal.exe [2007-07-24 17:20:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_1iag]
c_1iag.dll 2007-08-09 02:15 92709 H:\WINDOWS\system32\c_1iag.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=h:\windows\system32\vturopn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 hotcore3;hotcore3;H:\WINDOWS\system32\drivers\hotcore3.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program\UltraISO\drivers\ISODrive.sys
R1 mnmdd;mnmdd;H:\WINDOWS\system32\drivers\mnmdd.sys
R2 aslm75;aslm75;\??\H:\WINDOWS\system32\drivers\aslm75.sys
R2 lanmanserver;Server;H:\WINDOWS\system32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;H:\WINDOWS\system32\svchost.exe -k netsvcs
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;H:\Program\Analog Devices\SoundMAX\SMAgent.exe
R2 STEC3;STEC3;\??\H:\WINDOWS\system32\STEC3.sys
R2 winmgmt;Windows Management Instrumentation;H:\WINDOWS\system32\svchost.exe -k netsvcs
R3 E1000;Intel(R) PRO/1000 Adapter Driver;H:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 wdmaud;Drivrutin för Microsoft WINMM WDM-ljudkompatibilitet;H:\WINDOWS\system32\drivers\wdmaud.sys
S3 MidiSyn;MidiSyn;H:\WINDOWS\system32\drivers\MidiSyn.sys
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;H:\WINDOWS\system32\mnmsrvc.exe
S3 nm;Network Monitor Driver;H:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);H:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;H:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;H:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);H:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);H:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;H:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);H:\WINDOWS\system32\DRIVERS\s116unic.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 02:14:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

H:\WINDOWS\system32\c_1iag.dll
H:\WINDOWS\system32\dne43ea740.dat

scan completed successfully
hidden files: 2

**************************************************************************

Completion time: 2007-08-09 2:15:57 - machine was rebooted
H:\ComboFix-quarantined-files.txt ... 2007-08-09 02:15
H:\ComboFix2.txt ... 2007-08-07 21:15
H:\ComboFix3.txt ... 2007-08-07 20:44

--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:17:03, on 2007-08-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\D-Tools\daemon.exe
H:\Program\Java\jre1.6.0_02\bin\jusched.exe
H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program\Personal\bin\Personal.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\RunDll32.exe
H:\Program\Delade filer\Teleca Shared\Generic.exe
H:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\WINDOWS\system32\wuauclt.exe
H:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f28a74ab-0fa5-47a0-aef4-1aa86c6c80b5} - H:\WINDOWS\system32\c_1iag.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] H:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = H:\Program\Personal\bin\Personal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O20 - AppInit_DLLs: h:\windows\system32\vturopn.dll
O20 - Winlogon Notify: c_1iag - H:\WINDOWS\SYSTEM32\c_1iag.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - H:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3972 bytes

random/random
2007-08-09, 13:42
I see you saved the script as CFFIX.TXT. It must be saved as CFscript.txt or it won't work.

Please repeat the instructions, following them exactly.

larssov
2007-08-09, 20:47
Hi. Thank you, sorry, now I have done it.
Thank you for your help!

I think it is better now??? Anyway, when my computer starts, the directory h:\program pops up. Is that something one can do something about?

Best /V

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:44:38, on 2007-08-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\D-Tools\daemon.exe
H:\Program\Java\jre1.6.0_02\bin\jusched.exe
H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\WINDOWS\System32\svchost.exe
H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program\Personal\bin\Personal.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program\Delade filer\Teleca Shared\Generic.exe
H:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] H:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = H:\Program\Personal\bin\Personal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - H:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3726 bytes
"Victor" - 2007-08-09 19:39:21 [GMT 2:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
Command switches used :: H:\Documents and Settings\Victor\Skrivbord\CFscript.txt


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


H:\WINDOWS\system32\vtstu.exe
H:\WINDOWS\system32\c_1iag.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


H:\WINDOWS\byyvur.dll
H:\WINDOWS\efdeec.dll
H:\WINDOWS\gebayw.dll
H:\WINDOWS\geebca.dll
H:\WINDOWS\hgfgee.dll
H:\WINDOWS\khijjj.dll
H:\WINDOWS\mlklii.dll
H:\WINDOWS\opqpmk.dll
H:\WINDOWS\system32\dne43ea740.dat
H:\WINDOWS\system32\vturopn.dll
H:\WINDOWS\vtrqqp.dll
H:\WINDOWS\wvvsqp.dll


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-07 20:24 99,080 -ra------ H:\WINDOWS\system32\drivers\s116unic.sys
2007-08-07 20:24 98,696 -ra------ H:\WINDOWS\system32\drivers\s116obex.sys
2007-08-07 20:24 23,176 -ra------ H:\WINDOWS\system32\drivers\s116nd5.sys
2007-08-07 20:24 11,016 -ra------ H:\WINDOWS\system32\drivers\s116cr.sys
2007-08-07 20:24 100,488 -ra------ H:\WINDOWS\system32\drivers\s116mgmt.sys
2007-08-07 20:23 15,112 -ra------ H:\WINDOWS\system32\drivers\s116mdfl.sys
2007-08-07 20:23 12,424 -ra------ H:\WINDOWS\system32\drivers\s116cmnt.sys
2007-08-07 20:23 12,424 -ra------ H:\WINDOWS\system32\drivers\s116cm.sys
2007-08-07 20:23 108,680 -ra------ H:\WINDOWS\system32\drivers\s116mdm.sys
2007-08-07 20:08 83,336 -ra------ H:\WINDOWS\system32\drivers\s116bus.sys
2007-08-07 20:08 12,424 -ra------ H:\WINDOWS\system32\drivers\s116whnt.sys
2007-08-07 20:08 12,424 -ra------ H:\WINDOWS\system32\drivers\s116wh.sys
2007-08-06 22:20 <KAT> d-------- H:\WINDOWS\ERUNT
2007-08-06 22:03 24,576 --a------ H:\WINDOWS\system32\VundoFixSVC.exe
2007-08-06 21:21 1,132 --a------ H:\WINDOWS\mozver.dat
2007-08-06 20:27 <KAT> d-------- H:\WINDOWS\CSC
2007-08-06 07:05 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Talkback
2007-08-06 07:04 0 --a------ H:\WINDOWS\nsreg.dat
2007-08-06 00:16 118,784 --a------ H:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-06 00:16 <KAT> d-------- H:\Program\SpywareBlaster
2007-08-05 16:37 10,872 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-05 16:33 <KAT> d-------- H:\Program\Lavasoft
2007-08-05 16:33 <KAT> d-------- H:\Program\Delade filer\Wise Installation Wizard
2007-08-05 16:33 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-05 16:18 51,200 --a------ H:\WINDOWS\nircmd.exe
2007-08-05 15:58 2,598 --a------ H:\WINDOWS\system32\tmp.reg
2007-08-05 15:56 <KAT> d-------- H:\VundoFix Backups
2007-08-05 06:15 524,288 --ah----- H:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-05 06:15 <KAT> dr------- H:\DOCUME~1\ADMINI~1\Start-meny
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Skrivare
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Nätverket
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Mallar
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Skrivbord
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Mina dokument
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Favoriter
2007-08-04 20:20 68,888 --a------ H:\WINDOWS\system32\xinput1_3.dll
2007-08-04 20:20 62,744 --a------ H:\WINDOWS\system32\xinput1_2.dll
2007-08-04 20:20 3,426,072 --a------ H:\WINDOWS\system32\d3dx9_32.dll
2007-08-04 20:20 255,848 --a------ H:\WINDOWS\system32\xactengine2_6.dll
2007-08-04 20:20 251,672 --a------ H:\WINDOWS\system32\xactengine2_5.dll
2007-08-04 20:20 237,848 --a------ H:\WINDOWS\system32\xactengine2_4.dll
2007-08-04 20:20 236,824 --a------ H:\WINDOWS\system32\xactengine2_3.dll
2007-08-04 20:20 2,414,360 --a------ H:\WINDOWS\system32\d3dx9_31.dll
2007-08-04 20:20 15,128 --a------ H:\WINDOWS\system32\x3daudio1_1.dll
2007-08-04 20:19 2,297,552 --a------ H:\WINDOWS\system32\d3dx9_26.dll
2007-08-04 20:09 <KAT> d--hs---- H:\WINDOWS\ftpcache
2007-08-02 23:01 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\GlobalSCAPE
2007-08-02 23:01 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE
2007-08-02 23:00 <KAT> d-------- H:\Program\GlobalSCAPE
2007-07-29 10:42 <KAT> d-------- H:\Program\IZArc
2007-07-28 03:00 <KAT> d-------- H:\Program\MSXML 4.0
2007-07-26 12:39 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Teleca
2007-07-26 12:37 <KAT> d-------- H:\Program\Sony Ericsson
2007-07-26 12:37 <KAT> d-------- H:\Program\Delade filer\Teleca Shared
2007-07-26 12:37 <KAT> d-------- H:\Program\Delade filer\Sony Ericsson Shared
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Sony Ericsson
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-07-24 17:20 <KAT> d-------- H:\Program\Personal
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\cbt
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Personal
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Netscape
2007-07-24 15:23 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\dvdcss
2007-07-24 12:59 <KAT> d-------- H:\DOCUME~1\Victor\Incomplete
2007-07-24 12:59 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\LimeWire
2007-07-24 12:58 <KAT> d-------- H:\Program\LimeWire
2007-07-24 11:13 2,368 --a------ H:\WINDOWS\system32\STEC3.sys
2007-07-23 18:27 <KAT> d-------- H:\Program\Spybot
2007-07-23 18:27 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 18:35:22 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\Azureus
2007-08-04 18:19:41 -------- d--h--w H:\Program\InstallShield Installation Information
2007-07-04 20:13:01 -------- d-----w H:\Program\Azureus
2007-07-03 01:00:53 -------- d-----w H:\Program\Messenger
2007-07-02 21:36:48 -------- d-----w H:\Program\MSN Messenger
2007-07-02 20:01:19 -------- d-----w H:\Program\Delade filer\EZB Systems
2007-07-02 19:25:54 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\Help
2007-07-02 19:24:17 -------- d-----w H:\Program\Delade filer\InstallShield
2007-07-02 01:13:36 47,784 ----a-w H:\WINDOWS\system32\perfc01D.dat
2007-07-02 01:13:36 315,006 ----a-w H:\WINDOWS\system32\perfh01D.dat
2007-06-30 18:52:13 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\vlc
2007-06-30 18:47:49 -------- d-----w H:\Program\VideoLAN
2007-06-30 18:21:12 -------- d-----w H:\Program\Delade filer\ODBC
2007-06-30 18:21:08 -------- d-----w H:\Program\Delade filer\SpeechEngines
2007-06-30 17:20:48 -------- d-----w H:\Program\ASUS
2007-06-30 17:18:32 -------- d-----w H:\Program\Intel
2007-06-30 17:15:56 -------- d-----w H:\Program\Analog Devices
2007-06-30 16:33:56 -------- d-----w H:\Program\microsoft frontpage
2007-06-30 16:32:30 -------- d--h--w H:\Program\WindowsUpdate
2007-06-30 16:32:27 -------- d-----w H:\Program\Onlinetjänster
2007-06-30 16:31:23 -------- d-----w H:\Program\Delade filer\MSSoap
2007-06-30 16:31:11 -------- d-----w H:\Program\Movie Maker
2007-06-30 16:30:14 21,700 ----a-w H:\WINDOWS\system32\emptyregdb.dat
2007-06-30 16:29:48 -------- d-----w H:\Program\MSN Gaming Zone
2007-06-30 16:29:36 -------- d-----w H:\Program\Windows NT
2007-06-13 19:50:17 43,152 ----a-w H:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 19:25:36 339,968 ----a-w H:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 19:24:32 268,288 ----a-w H:\WINDOWS\system32\ati2dvag.dll
2007-06-13 19:24:13 2,155,520 ----a-w H:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 19:23:23 307,200 ----a-w H:\WINDOWS\system32\atiiiexx.dll
2007-06-13 19:17:37 139,264 ----a-w H:\WINDOWS\system32\atipdlxx.dll
2007-06-13 19:17:26 118,784 ----a-w H:\WINDOWS\system32\Oemdspif.dll
2007-06-13 19:17:18 26,112 ----a-w H:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 19:17:12 42,496 ----a-w H:\WINDOWS\system32\ati2edxx.dll
2007-06-13 19:16:59 118,784 ----a-w H:\WINDOWS\system32\ati2evxx.dll
2007-06-13 19:15:39 483,328 ----a-w H:\WINDOWS\system32\ati2evxx.exe
2007-06-13 19:14:51 53,248 ----a-w H:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 19:10:33 8,097,792 ----a-w H:\WINDOWS\system32\atioglx2.dll
2007-06-13 19:07:26 2,922,208 ----a-w H:\WINDOWS\system32\ati3duag.dll
2007-06-13 18:57:21 1,512,960 ----a-w H:\WINDOWS\system32\ativvaxx.dll
2007-06-13 18:57:04 972,072 ----a-w H:\WINDOWS\system32\ativva6x.dat
2007-06-13 18:57:04 3,107,788 ----a-w H:\WINDOWS\system32\ativvaxx.dat
2007-06-13 18:57:04 3,107,788 ----a-w H:\WINDOWS\system32\ativva5x.dat
2007-06-13 18:46:28 5,431,296 ----a-w H:\WINDOWS\system32\atioglxx.dll
2007-06-13 18:43:53 262,144 ----a-w H:\WINDOWS\system32\atikvmag.dll
2007-06-13 18:42:29 17,408 ----a-w H:\WINDOWS\system32\atitvo32.dll
2007-06-13 18:41:46 49,152 ----a-w H:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 18:41:06 50,176 ----a-w H:\WINDOWS\system32\atiok3x2.dll
2007-06-13 18:36:45 368,640 ----a-w H:\WINDOWS\system32\ati2cqag.dll
2007-06-13 12:29:00 520,192 ------w H:\WINDOWS\system32\ati2sgag.exe
2007-05-16 15:20:05 683,520 ----a-w H:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"PRONoMgr.exe"="H:\Program\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"SoundMAXPnP"="H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28]
"SoundMAX"="H:\Program\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 09:42]
"ASUS Probe"="H:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07]
"DAEMON Tools-1033"="C:\Program\D-Tools\daemon.exe" [2004-08-22 17:05]
"SunJavaUpdateSched"="H:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Sony Ericsson PC Suite"="H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34]

H:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Personal.lnk - H:\Program\Personal\bin\Personal.exe [2007-07-24 17:20:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 hotcore3;hotcore3;H:\WINDOWS\system32\drivers\hotcore3.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program\UltraISO\drivers\ISODrive.sys
R1 mnmdd;mnmdd;H:\WINDOWS\system32\drivers\mnmdd.sys
R2 aslm75;aslm75;\??\H:\WINDOWS\system32\drivers\aslm75.sys
R2 lanmanserver;Server;H:\WINDOWS\system32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;H:\WINDOWS\system32\svchost.exe -k netsvcs
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;H:\Program\Analog Devices\SoundMAX\SMAgent.exe
R2 STEC3;STEC3;\??\H:\WINDOWS\system32\STEC3.sys
R2 winmgmt;Windows Management Instrumentation;H:\WINDOWS\system32\svchost.exe -k netsvcs
R3 E1000;Intel(R) PRO/1000 Adapter Driver;H:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 wdmaud;Drivrutin för Microsoft WINMM WDM-ljudkompatibilitet;H:\WINDOWS\system32\drivers\wdmaud.sys
S3 MidiSyn;MidiSyn;H:\WINDOWS\system32\drivers\MidiSyn.sys
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;H:\WINDOWS\system32\mnmsrvc.exe
S3 nm;Network Monitor Driver;H:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);H:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;H:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;H:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);H:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);H:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;H:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);H:\WINDOWS\system32\DRIVERS\s116unic.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 19:42:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 19:43:39 - machine was rebooted
H:\ComboFix-quarantined-files.txt ... 2007-08-09 19:43
H:\ComboFix2.txt ... 2007-08-09 02:15
H:\ComboFix3.txt ... 2007-08-07 21:15

--- E O F ---

random/random
2007-08-11, 14:07
Anyways, when my computer starts, the directory h:\program pops up. Is that something one can do something about?

Is this a folder that pops up? If so, is it H:\program or H:\program files?

Go here (http://www.kaspersky.com/virusscanner) to run an online scanner from Kaspersky.
Note: You will need to use Internet Explorer for this scan.
Click on "Kaspersky Online Scanner".
A new smaller window will pop up. After reading the contents, press "Accept".
Now Kaspersky will update the anti-virus database. Let it run.
Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
Then click on "My Computer", and the scan will start.
Once finished, save the log as "KAV.txt" to the desktop.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

Post back with the Kaspersky log and a new HijackThis log.

larssov
2007-08-12, 23:40
Hi, this did not seem so nice... :(

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 10:34:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/08/2007
Kaspersky Anti-Virus database records: 379038
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 92057
Number of viruses found: 8
Number of infected objects: 148
Number of suspicious objects: 0
Duration of the scan process: 01:05:36

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Incomplete\T-7545004-flipsyde-angel.mp3 Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP35\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP35\change.log Object is locked skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\ipfilter.cache Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU18708.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU18709.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU18710.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU18711.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU18712.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU18713.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\cert8.db Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\history.dat Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\key3.db Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\parent.lock Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\search.sqlite Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\urlclassifier2.sqlite Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\dfsr.db Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\fsr.log Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\fsrtmp.log Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\tmp.edb Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows Live Contacts\testudent@hotmail.com\real\members.stg Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows Live Contacts\testudent@hotmail.com\shadow\members.stg Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\Cache\_CACHE_001_ Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\Cache\_CACHE_002_ Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\Cache\_CACHE_003_ Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\u8l0zgxv.default\Cache\_CACHE_MAP_ Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\hsperfdata_Victor\4072 Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF2474.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF2482.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DFBFF.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DFC8A.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\MSHist012007081220070813\index.dat Object is locked skipped
H:\Documents and Settings\Victor\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Victor\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\Hijack\backups\backup-20070805-173145-652.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070728-161550-356.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
H:\HijackThis\backups\backup-20070805-054453-621.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
H:\HijackThis\backups\backup-20070805-054453-842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-054637-633.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-061008-514.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-200929-961.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-214024-185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215034-816.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215055-138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215202-368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215559-724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215759-974.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-221346-932.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222731-768.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222755-546.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222955-984.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-223551-905.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-205753-601.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-211351-525.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-211400-937.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-214344-614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-221157-782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222655-402.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222708-797.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222723-923.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222735-436.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070807-210943-153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe Infected: Trojan.Win32.Patched.af skipped
H:\Program\Intel\NCS\PROSet\PRONoMgr.exe Infected: Trojan.Win32.Patched.af skipped
H:\Program Files\ASUS\Probe\AsusProb.exe Infected: Trojan.Win32.Patched.af skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp10.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp12.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp14.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp20.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp21.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp23.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp24.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp28.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp32.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp35.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp4.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp5.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp8.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp9.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpA.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpB.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpD.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpE.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpF.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\byyvur.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\efdeec.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\gebayw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\geebca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\hgfgee.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\khijjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\mlklii.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\opqpmk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\c_1iag.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\d3dell.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\dosvid.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\erstuf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\findmo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\iccsvr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\mcisnit.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\vturopn.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\QooBox\Quarantine\H\WINDOWS\vtrqqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\wvvsqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

larssov
2007-08-12, 23:40
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003660.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003663.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003741.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003989.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003997.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003999.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004004.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004017.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004124.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004125.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004127.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004130.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004143.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004144.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004146.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004147.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004148.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004320.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004322.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004323.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004325.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004326.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004328.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004329.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004332.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004335.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004338.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004341.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004343.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004344.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004345.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004348.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004349.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004350.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004605.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004690.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004692.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004693.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004694.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004697.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004700.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP35\change.log Object is locked skipped
H:\VundoFix Backups\cisdit.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\dcomapi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\mprrbk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\vturopn.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
H:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\default.LOG Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\software.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\system.LOG Object is locked skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP35\change.log Object is locked skipped

Scan process completed.

larssov
2007-08-12, 23:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:52, on 2007-08-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\D-Tools\daemon.exe
H:\Program\Java\jre1.6.0_02\bin\jusched.exe
H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program\Personal\bin\Personal.exe
H:\Program\Delade filer\Teleca Shared\Generic.exe
H:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\System32\svchost.exe
H:\Program\MSN Messenger\usnsvc.exe
H:\Program\Azureus\Azureus.exe
H:\Program\MSN Messenger\msnmsgr.exe
H:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] H:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = H:\Program\Personal\bin\Personal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - H:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3896 bytes

random/random
2007-08-13, 14:36
Hi, this did not seem so nice.. :(

It's not as bad as it looks; most of them are just sitting in the quarantine folders of various programs.

Unfortunately, there are a few infected files that are slightly worrying.

So please upload this file:

H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe

To either jotti (http://virusscan.jotti.org/) or virustotal (http://www.virustotal.com/en/indexf.html) and copy and paste the results as a reply to this topic.

Repeat for these files:

H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
H:\Program Files\ASUS\Probe\AsusProb.exe

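The triage random/random does above (copies held in quarantine folders and restore points versus the three detections on files still in place) as a small parser over Kaspersky Online Scanner report lines. This is an added example, not a tool used in the thread; the sample lines are copied from the report posted here, and the list of "contained" path markers is an assumption based on the tools that appear in this thread.

```python
"""Sort Kaspersky Online Scanner report lines into what needs action and what does not."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\VundoFix Backups\vturopn.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\HijackThis\backups\backup-20070807-210943-153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\byyvur.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004700.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe Infected: Trojan.Win32.Patched.af skipped
H:\Program\Intel\NCS\PROSet\PRONoMgr.exe Infected: Trojan.Win32.Patched.af skipped
H:\Program Files\ASUS\Probe\AsusProb.exe Infected: Trojan.Win32.Patched.af skipped
"""

# One report line is "<path> <verdict> <last action>". Verdict forms seen in
# the logs of this thread: "Infected: <name>", "Object is locked",
# "ZIP: infected - <n>" (summary line for an archive).
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<fmt>[A-Z0-9]+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)

# Path fragments (compared case-insensitively) that mean the file is already
# held by a removal tool or by System Restore, not live on an execution path.
# Assumed from the tools seen in this thread; extend for other tools.
CONTAINED_MARKERS = (
    "\\qoobox\\quarantine\\",                   # ComboFix quarantine
    "\\vundofix backups\\",                     # VundoFix backups
    "\\hijackthis\\backups\\",                  # HijackThis backups
    "\\hijack\\backups\\",
    "\\system volume information\\_restore{",   # System Restore points
)


@dataclass(frozen=True)
class Hit:
    path: str
    verdict: str    # detection name, "locked", or "archive:<n>"
    category: str   # "locked" | "contained" | "archive" | "live"


def classify(path: str, locked: bool, archive_summary: bool) -> str:
    """Decide how much a report line matters, from the path alone."""
    if locked:
        return "locked"          # scanner could not open it; no detection
    low = path.lower()
    if any(marker in low for marker in CONTAINED_MARKERS):
        return "contained"       # quarantined or restore-point copy
    # A member inside an archive is written "<archive>/<member>"; the archive
    # itself gets a separate "<FMT>: infected - n" summary line.
    if archive_summary or "/" in low:
        return "archive"
    return "live"                # file in place on disk: needs action


def parse_line(line: str) -> Optional[Hit]:
    """Parse one report line; header and blank lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["locked"]:
        verdict = "locked"
    elif m["name"]:
        verdict = m["name"]
    else:
        verdict = f"archive:{m['count']}"
    return Hit(m["path"], verdict, classify(m["path"], bool(m["locked"]), bool(m["fmt"])))


def triage(report: str) -> dict[str, list[Hit]]:
    """Group every parsable line of a report by category."""
    groups: dict[str, list[Hit]] = defaultdict(list)
    for line in report.splitlines():
        hit = parse_line(line)
        if hit is not None:
            groups[hit.category].append(hit)
    return dict(groups)


def live_hits(report: str) -> list[Hit]:
    """Only the detections on files that are still in place on disk."""
    return triage(report).get("live", [])


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REPORT).items():
        print(f"{category}: {len(hits)}")
    for hit in live_hits(SAMPLE_REPORT):
        print("ACTION NEEDED:", hit.path, hit.verdict)
```

Run against the full report text and the "live" group is the short list a helper would ask about; everything under quarantine or _restore is dealt with by emptying those stores later.
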
larssov
2007-08-13, 21:56
File: SMax4PNP.exe
Status:
INFECTED/MALWARE
MD5: dc7679ccac924e5b528d3e84b8a9220e
Packers detected:
-
Bit9 reports: File not found


A-Squared
Found nothing
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Win32/PEPatch
BitDefender
Found Trojan.Starter.AET
ClamAV
Found W32.Cuter
CPsecure
Found nothing
Dr.Web
Found Trojan.Inject.351
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan.Win32.Patched.af
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Patched.af
NOD32
Found Win32/Agent.AB
Norman Virus Control
Found nothing
Panda Antivirus
Found W32/ZlFake.A
Rising Antivirus
Found Virus.Win32.Agent.b
Sophos Antivirus
Found nothing
VirusBuster
Found Trojan.Patched.S
VBA32
Found nothing

File: PRONoMgr.exe
Status:
INFECTED/MALWARE
MD5: d72afc228488a2c1b85bac7c796426cd
Packers detected:
-
Bit9 reports: File not found

Scan taken on 13 Aug 2007 18:37:47 (GMT)
A-Squared
Found nothing
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Win32/PEPatch
BitDefender
Found Trojan.Starter.AET
ClamAV
Found W32.Cuter
CPsecure
Found nothing
Dr.Web
Found Trojan.Inject.351
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan.Win32.Patched.af
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Patched.af
NOD32
Found Win32/Agent.AB
Norman Virus Control
Found nothing
Panda Antivirus
Found W32/ZlFake.A
Rising Antivirus
Found Virus.Win32.Agent.b
Sophos Antivirus
Found nothing
VirusBuster
Found Trojan.Patched.S
VBA32
Found nothing

File: AsusProb.exe
Status:
INFECTED/MALWARE
MD5: 63ae52d4e4ab055026d52a1d04d3180a
Packers detected:
-
Bit9 reports:

A-Squared
Found nothing
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Win32/PEPatch
BitDefender
Found Trojan.Starter.AET
ClamAV
Found W32.Cuter
CPsecure
Found nothing
Dr.Web
Found Trojan.Inject.351
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan.Win32.Patched.af
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Patched.af
NOD32
Found Win32/Agent.AB
Norman Virus Control
Found nothing
Panda Antivirus
Found W32/ZlFake.A
Rising Antivirus
Found Virus.Win32.Agent.b
Sophos Antivirus
Found nothing
VirusBuster
Found Trojan.Patched.S
VBA32
Found nothing

random/random
2007-08-14, 13:06
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.



dir /a /s "C:\*SMax4PNP*" > patched.txt
dir /a /s "C:\*PRONoMgr*" >> patched.txt
dir /a /s "C:\*AsusProb*" >> patched.txt
notepad.exe patched.txt
del patched.txt


Save it to your Desktop as search.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: search.bat

Locate search.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Once it has finished, a notepad window will open. Copy and paste the contents of that window as a reply to this topic.

larssov
2007-08-14, 21:55
Hi, I think it should have been H:\ instead of C:\ in your bat file, so I ran it with your text first, which did not find anything (only the output below); then I ran it with H: (which is my primary drive) and found what is further down.

Volymen i enhet C har etiketten Sata2
Volymens serienummer är 7CDF-A56B
Volymen i enhet C har etiketten Sata2
Volymens serienummer är 7CDF-A56B
Volymen i enhet C har etiketten Sata2
Volymens serienummer är 7CDF-A56B

And with H: below:

Volymen i enhet H har ingen etikett.
Volymens serienummer är E43E-A740

Innehåll i katalogen H:\Program\Analog Devices\SoundMAX

2003-05-29 16:28 798 720 SMax4PNP.exe
2003-05-29 16:28 790 528 SMax4PNP.ex_
2 fil(er) 1 589 248 byte

Totalt antal filer:
2 fil(er) 1 589 248 byte
0 katalog(er) 27 797 757 952 byte ledigt
Volymen i enhet H har ingen etikett.
Volymens serienummer är E43E-A740

Innehåll i katalogen H:\Program\Intel\NCS\PROSet

2003-03-11 16:24 94 208 PRONoMgr.exe
2003-03-11 16:24 86 016 PRONoMgr.ex_
2 fil(er) 180 224 byte

Totalt antal filer:
2 fil(er) 180 224 byte
0 katalog(er) 27 797 753 856 byte ledigt
Volymen i enhet H har ingen etikett.
Volymens serienummer är E43E-A740

Innehåll i katalogen H:\Program Files\ASUS\Probe

2002-12-06 16:07 626 176 AsusProb.exe
2002-12-06 16:07 617 984 AsusProb.ex_
2 fil(er) 1 244 160 byte

Totalt antal filer:
2 fil(er) 1 244 160 byte
0 katalog(er) 27 797 753 856 byte ledigt

random/random
2007-08-16, 01:07
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.



@echo off
nircmd.exe killprocess SMax4PNP.exe
nircmd.exe killprocess PRONoMgr.exe
nircmd.exe killprocess AsusProb.exe
attrib -r -h -s "H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe"
del /f "H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe"
copy /y "H:\Program\Analog Devices\SoundMAX\SMax4PNP.ex_" "H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe"
attrib -r -h -s "H:\Program\Intel\NCS\PROSet\PRONoMgr.exe"
del /f "H:\Program\Intel\NCS\PROSet\PRONoMgr.exe"
copy /y "H:\Program\Intel\NCS\PROSet\PRONoMgr.ex_" "H:\Program\Intel\NCS\PROSet\PRONoMgr.exe"
attrib -r -h -s "H:\Program Files\ASUS\Probe\AsusProb.exe"
del /f "H:\Program Files\ASUS\Probe\AsusProb.exe"
copy /y "H:\Program Files\ASUS\Probe\AsusProb.ex_" "H:\Program Files\ASUS\Probe\AsusProb.exe"
exit


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanup.bat

Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Restart, then run the Kaspersky scanner again and post the log.

larssov
2007-08-16, 07:33
When I used your file the DOS window appeared, but I was not able to press the Start button to restart the computer. It was locked. I could, however, use CTRL+ALT+DEL and restart via the Task Manager.
The files are still there, are they not?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 16, 2007 6:17:25 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/08/2007
Kaspersky Anti-Virus database records: 381655
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 93780
Number of viruses found: 8
Number of infected objects: 148
Number of suspicious objects: 0
Duration of the scan process: 00:54:55

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP37\change.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP37\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP37\change.log Object is locked skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\ipfilter.cache Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU62956.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU62957.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU62958.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU62959.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU62960.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU62961.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\hsperfdata_Victor\4004 Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\MSHist012007081620070817\index.dat Object is locked skipped
H:\Documents and Settings\Victor\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Victor\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\Hijack\backups\backup-20070805-173145-652.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070728-161550-356.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
H:\HijackThis\backups\backup-20070805-054453-621.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
H:\HijackThis\backups\backup-20070805-054453-842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-054637-633.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-061008-514.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-200929-961.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-214024-185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215034-816.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215055-138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215202-368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215559-724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215759-974.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-221346-932.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222731-768.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222755-546.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222955-984.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-223551-905.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-205753-601.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-211351-525.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-211400-937.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-214344-614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-221157-782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222655-402.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222708-797.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222723-923.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222735-436.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070807-210943-153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe Infected: Trojan.Win32.Patched.af skipped
H:\Program\Intel\NCS\PROSet\PRONoMgr.exe Infected: Trojan.Win32.Patched.af skipped
H:\Program Files\ASUS\Probe\AsusProb.exe Infected: Trojan.Win32.Patched.af skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp10.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp12.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp14.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp20.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp21.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp23.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp24.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp28.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp32.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp35.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp4.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp5.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp8.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp9.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpA.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpB.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpD.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpE.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpF.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\byyvur.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\efdeec.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\gebayw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\geebca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\hgfgee.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\khijjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\mlklii.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\opqpmk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\c_1iag.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\d3dell.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\dosvid.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\erstuf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\findmo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\iccsvr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\mcisnit.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\vturopn.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\QooBox\Quarantine\H\WINDOWS\vtrqqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\wvvsqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003660.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003663.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003741.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003989.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003997.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003999.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004004.exe Infected: Trojan.Win32.Agent.aoy skipped

larssov
2007-08-16, 07:34
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004017.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004124.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004125.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004127.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004130.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004143.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004144.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004146.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004147.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004148.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004320.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004322.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004323.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004325.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004326.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004328.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004329.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004332.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004335.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004338.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004341.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004343.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004344.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004345.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004348.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004349.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004350.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004605.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004690.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004692.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004693.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004694.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004697.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004700.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP37\change.log Object is locked skipped
H:\VundoFix Backups\cisdit.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\dcomapi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\mprrbk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\vturopn.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\EventCache\{30540CEA-6408-4B1A-90BB-6C28CFFA57DD}.bin Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\default.LOG Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\software.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\system.LOG Object is locked skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP37\change.log Object is locked skipped

Scan process completed.
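A triage script for scanner output of this kind, added here as an example and not part of the original thread. It parses Kaspersky Online Scanner report lines, separates real "Infected:" hits from "Object is locked" noise (registry hives, event logs, index.dat files that are simply open), and sorts each hit into ComboFix/VundoFix quarantine, a System Restore point, or the live system, which is what the helper is doing by eye when asking whether the files are still there. The sample lines are copied from the report above, except the last one (hypothetical_live.dll), which is a made-up live hit so the output shows the case that would still need action; the folder markers and the three-way classification are my own choice, not a Kaspersky or ComboFix convention.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the Kaspersky Online Scanner
# report posted above, plus ONE hypothetical "live" hit (hypothetical_live.dll)
# added so the triage has something outside quarantine/restore points to flag.
SAMPLE_REPORT = r"""
H:\QooBox\Quarantine\H\WINDOWS\khijjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\vturopn.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP31\A0003660.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\vturopn.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\hypothetical_live.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
"""

# "<path> Infected: <detection name> skipped": a real detection the scanner could not act on
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# "<path> Object is locked skipped": an in-use file the scanner could not open, NOT a detection
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Folders whose contents are inert copies made by the cleanup tools used in this thread
# (ComboFix's QooBox, VundoFix's backups). Markers are lower-cased for matching.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\vundofix backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"


def classify(path):
    """Where does this hit sit: tool quarantine, System Restore point, or the live system?"""
    p = path.lower()
    if any(m in p for m in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def family(name):
    """'not-a-virus:AdWare.Win32.Virtumonde.kw' -> 'AdWare.Win32.Virtumonde' (drop prefix and variant suffix)."""
    name = name.split(":", 1)[-1]
    head, sep, _variant = name.rpartition(".")
    return head if sep else name


def parse_report(text):
    """Return one dict per 'Infected:' line; locked objects and blank lines are ignored."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED_RE.match(line)
        if m:
            hits.append({"path": m["path"], "name": m["name"], "where": classify(m["path"])})
        # LOCKED_RE lines are expected noise on a running system; nothing to do with them here
    return hits


def summarize(hits):
    """Counts by location and malware family, plus the live paths that still need removal."""
    return {
        "by_where": dict(Counter(h["where"] for h in hits)),
        "by_family": dict(Counter(family(h["name"]) for h in hits)),
        "live": [h["path"] for h in hits if h["where"] == "live"],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key in ("by_where", "by_family"):
        print(key, summary[key])
    # Anything listed here is a file on the running system, not a backup copy
    print("live hits still needing action:", summary["live"])
```

Quarantine copies (.vir, .bad) and restore-point copies are inert unless someone restores them, and are normally cleared at the end of a cleanup by uninstalling the tools and purging System Restore; a non-empty "live" list is the part that calls for another removal pass.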

random/random
2007-08-16, 14:17
The files are still there, are they not?

Unfortunately, yes, that method failed to remove the infected files.

We will use a more powerful method to attempt to remove them now.


Open a new Notepad window (Start > All Programs > Accessories > Notepad).
Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard.

File::
H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
H:\Program Files\ASUS\Probe\AsusProb.exe
Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
Save it to the desktop as CFscript.txt.
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

larssov
2007-08-16, 22:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:47, on 2007-08-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\D-Tools\daemon.exe
H:\Program\Java\jre1.6.0_02\bin\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program\Personal\bin\Personal.exe
H:\Program\Delade filer\Teleca Shared\Generic.exe
H:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\System32\svchost.exe
H:\Program\MSN Messenger\usnsvc.exe
H:\WINDOWS\explorer.exe
H:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] H:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = H:\Program\Personal\bin\Personal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - H:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program\Analog Devices\SoundMAX\SMAgent.exe
End of file - 3746 bytes

"Victor" - 2007-08-16 21:36:45 [GMT 2:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
Command switches used :: H:\Documents and Settings\Victor\Skrivbord\CFscript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


H:\Program Files\ASUS\Probe\AsusProb.exe
H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
H:\Program\Intel\NCS\PROSet\PRONoMgr.exe


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-13 21:54 880,640 --a------ H:\WINDOWS\system32\NCTAudioEditor2.dll
2007-08-13 21:54 835,584 --a------ H:\WINDOWS\system32\NCTAudioCDGrabber2.dll
2007-08-13 21:54 602,112 --a------ H:\WINDOWS\system32\NCTAudioTransform2.dll
2007-08-13 21:54 544,768 --a------ H:\WINDOWS\system32\msvcr71d.dll
2007-08-13 21:54 479,232 --a------ H:\WINDOWS\system32\NCTAudioVisualization2.dll
2007-08-13 21:54 458,752 --a------ H:\WINDOWS\system32\NCTAudioRecord2.dll
2007-08-13 21:54 458,752 --a------ H:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-08-13 21:54 417,792 --a------ H:\WINDOWS\system32\NCTAudioDisplay2.dll
2007-08-13 21:54 348,160 --a------ H:\WINDOWS\system32\NCTWMAFile2.dll
2007-08-13 21:54 2,084,864 --a------ H:\WINDOWS\system32\NCTAudioDesign2.dll
2007-08-13 21:54 1,986,560 --a------ H:\WINDOWS\system32\NCTAudioFile2.dll
2007-08-13 21:54 1,212,416 --a------ H:\WINDOWS\system32\NCTAudioInformation2.dll
2007-08-13 21:54 1,101,824 --a------ H:\WINDOWS\system32\NMSDVDXU.dll
2007-08-13 21:54 <KAT> d-------- H:\Program\Magic Music Factory
2007-08-12 21:19 <KAT> d-------- H:\WINDOWS\system32\Kaspersky Lab
2007-08-12 21:19 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-07 20:24 99,080 -ra------ H:\WINDOWS\system32\drivers\s116unic.sys
2007-08-07 20:24 98,696 -ra------ H:\WINDOWS\system32\drivers\s116obex.sys
2007-08-07 20:24 23,176 -ra------ H:\WINDOWS\system32\drivers\s116nd5.sys
2007-08-07 20:24 11,016 -ra------ H:\WINDOWS\system32\drivers\s116cr.sys
2007-08-07 20:24 100,488 -ra------ H:\WINDOWS\system32\drivers\s116mgmt.sys
2007-08-07 20:23 15,112 -ra------ H:\WINDOWS\system32\drivers\s116mdfl.sys
2007-08-07 20:23 12,424 -ra------ H:\WINDOWS\system32\drivers\s116cmnt.sys
2007-08-07 20:23 12,424 -ra------ H:\WINDOWS\system32\drivers\s116cm.sys
2007-08-07 20:23 108,680 -ra------ H:\WINDOWS\system32\drivers\s116mdm.sys
2007-08-07 20:08 83,336 -ra------ H:\WINDOWS\system32\drivers\s116bus.sys
2007-08-07 20:08 12,424 -ra------ H:\WINDOWS\system32\drivers\s116whnt.sys
2007-08-07 20:08 12,424 -ra------ H:\WINDOWS\system32\drivers\s116wh.sys
2007-08-06 22:20 <KAT> d-------- H:\WINDOWS\ERUNT
2007-08-06 22:03 24,576 --a------ H:\WINDOWS\system32\VundoFixSVC.exe
2007-08-06 21:21 1,132 --a------ H:\WINDOWS\mozver.dat
2007-08-06 20:27 <KAT> d-------- H:\WINDOWS\CSC
2007-08-06 07:05 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Talkback
2007-08-06 07:04 0 --a------ H:\WINDOWS\nsreg.dat
2007-08-06 00:16 118,784 --a------ H:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-06 00:16 <KAT> d-------- H:\Program\SpywareBlaster
2007-08-05 16:37 10,872 --a------ H:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-05 16:33 <KAT> d-------- H:\Program\Lavasoft
2007-08-05 16:33 <KAT> d-------- H:\Program\Delade filer\Wise Installation Wizard
2007-08-05 16:33 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-05 16:18 51,200 --a------ H:\WINDOWS\nircmd.exe
2007-08-05 15:58 2,598 --a------ H:\WINDOWS\system32\tmp.reg
2007-08-05 15:56 <KAT> d-------- H:\VundoFix Backups
2007-08-05 06:15 524,288 --ah----- H:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-05 06:15 <KAT> dr------- H:\DOCUME~1\ADMINI~1\Start-meny
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Skrivare
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Nätverket
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Mallar
2007-08-05 06:15 <KAT> d--h----- H:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Skrivbord
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Mina dokument
2007-08-05 06:15 <KAT> d-------- H:\DOCUME~1\ADMINI~1\Favoriter
2007-08-04 20:20 68,888 --a------ H:\WINDOWS\system32\xinput1_3.dll
2007-08-04 20:20 62,744 --a------ H:\WINDOWS\system32\xinput1_2.dll
2007-08-04 20:20 3,426,072 --a------ H:\WINDOWS\system32\d3dx9_32.dll
2007-08-04 20:20 255,848 --a------ H:\WINDOWS\system32\xactengine2_6.dll
2007-08-04 20:20 251,672 --a------ H:\WINDOWS\system32\xactengine2_5.dll
2007-08-04 20:20 237,848 --a------ H:\WINDOWS\system32\xactengine2_4.dll
2007-08-04 20:20 236,824 --a------ H:\WINDOWS\system32\xactengine2_3.dll
2007-08-04 20:20 2,414,360 --a------ H:\WINDOWS\system32\d3dx9_31.dll
2007-08-04 20:20 15,128 --a------ H:\WINDOWS\system32\x3daudio1_1.dll
2007-08-04 20:19 2,297,552 --a------ H:\WINDOWS\system32\d3dx9_26.dll
2007-08-04 20:09 <KAT> d--hs---- H:\WINDOWS\ftpcache
2007-08-02 23:01 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\GlobalSCAPE
2007-08-02 23:01 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE
2007-08-02 23:00 <KAT> d-------- H:\Program\GlobalSCAPE
2007-07-29 10:42 <KAT> d-------- H:\Program\IZArc
2007-07-28 03:00 <KAT> d-------- H:\Program\MSXML 4.0
2007-07-26 12:39 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Teleca
2007-07-26 12:37 <KAT> d-------- H:\Program\Sony Ericsson
2007-07-26 12:37 <KAT> d-------- H:\Program\Delade filer\Teleca Shared
2007-07-26 12:37 <KAT> d-------- H:\Program\Delade filer\Sony Ericsson Shared
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Sony Ericsson
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Teleca
2007-07-26 12:37 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Ericsson
2007-07-24 17:20 <KAT> d-------- H:\Program\Personal
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\cbt
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Personal
2007-07-24 17:20 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\Netscape
2007-07-24 15:23 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\dvdcss
2007-07-24 12:59 <KAT> d-------- H:\DOCUME~1\Victor\Incomplete
2007-07-24 12:59 <KAT> d-------- H:\DOCUME~1\Victor\APPLIC~1\LimeWire
2007-07-24 12:58 <KAT> d-------- H:\Program\LimeWire
2007-07-24 11:13 2,368 --a------ H:\WINDOWS\system32\STEC3.sys
2007-07-23 18:27 <KAT> d-------- H:\Program\Spybot
2007-07-23 18:27 <KAT> d-------- H:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 19:35:24 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\Azureus
2007-08-04 18:19:41 -------- d--h--w H:\Program\InstallShield Installation Information
2007-07-04 20:13:01 -------- d-----w H:\Program\Azureus
2007-07-03 01:00:53 -------- d-----w H:\Program\Messenger
2007-07-02 21:36:48 -------- d-----w H:\Program\MSN Messenger
2007-07-02 20:01:19 -------- d-----w H:\Program\Delade filer\EZB Systems
2007-07-02 19:25:54 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\Help
2007-07-02 19:24:17 -------- d-----w H:\Program\Delade filer\InstallShield
2007-07-02 01:13:36 47,784 ----a-w H:\WINDOWS\system32\perfc01D.dat
2007-07-02 01:13:36 315,006 ----a-w H:\WINDOWS\system32\perfh01D.dat
2007-06-30 18:52:13 -------- d-----w H:\DOCUME~1\Victor\APPLIC~1\vlc
2007-06-30 18:47:49 -------- d-----w H:\Program\VideoLAN
2007-06-30 18:21:12 -------- d-----w H:\Program\Delade filer\ODBC
2007-06-30 18:21:08 -------- d-----w H:\Program\Delade filer\SpeechEngines
2007-06-30 17:20:48 -------- d-----w H:\Program\ASUS
2007-06-30 17:18:32 -------- d-----w H:\Program\Intel
2007-06-30 17:15:56 -------- d-----w H:\Program\Analog Devices
2007-06-30 16:33:56 -------- d-----w H:\Program\microsoft frontpage
2007-06-30 16:32:30 -------- d--h--w H:\Program\WindowsUpdate
2007-06-30 16:32:27 -------- d-----w H:\Program\Onlinetjänster
2007-06-30 16:31:23 -------- d-----w H:\Program\Delade filer\MSSoap
2007-06-30 16:31:11 -------- d-----w H:\Program\Movie Maker
2007-06-30 16:30:14 21,700 ----a-w H:\WINDOWS\system32\emptyregdb.dat
2007-06-30 16:29:48 -------- d-----w H:\Program\MSN Gaming Zone
2007-06-30 16:29:36 -------- d-----w H:\Program\Windows NT
2007-06-13 19:25:36 339,968 ----a-w H:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 19:24:32 268,288 ----a-w H:\WINDOWS\system32\ati2dvag.dll
2007-06-13 19:23:23 307,200 ----a-w H:\WINDOWS\system32\atiiiexx.dll
2007-06-13 19:17:37 139,264 ----a-w H:\WINDOWS\system32\atipdlxx.dll
2007-06-13 19:17:26 118,784 ----a-w H:\WINDOWS\system32\Oemdspif.dll
2007-06-13 19:17:18 26,112 ----a-w H:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 19:17:12 42,496 ----a-w H:\WINDOWS\system32\ati2edxx.dll
2007-06-13 19:16:59 118,784 ----a-w H:\WINDOWS\system32\ati2evxx.dll
2007-06-13 19:15:39 483,328 ----a-w H:\WINDOWS\system32\ati2evxx.exe
2007-06-13 19:14:51 53,248 ----a-w H:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 19:10:33 8,097,792 ----a-w H:\WINDOWS\system32\atioglx2.dll
2007-06-13 19:07:26 2,922,208 ----a-w H:\WINDOWS\system32\ati3duag.dll
2007-06-13 18:57:21 1,512,960 ----a-w H:\WINDOWS\system32\ativvaxx.dll
2007-06-13 18:57:04 972,072 ----a-w H:\WINDOWS\system32\ativva6x.dat
2007-06-13 18:57:04 3,107,788 ----a-w H:\WINDOWS\system32\ativvaxx.dat
2007-06-13 18:57:04 3,107,788 ----a-w H:\WINDOWS\system32\ativva5x.dat
2007-06-13 18:46:28 5,431,296 ----a-w H:\WINDOWS\system32\atioglxx.dll
2007-06-13 18:43:53 262,144 ----a-w H:\WINDOWS\system32\atikvmag.dll
2007-06-13 18:42:29 17,408 ----a-w H:\WINDOWS\system32\atitvo32.dll
2007-06-13 18:41:06 50,176 ----a-w H:\WINDOWS\system32\atiok3x2.dll
2007-06-13 18:36:45 368,640 ----a-w H:\WINDOWS\system32\ati2cqag.dll
2007-06-13 12:29:00 520,192 ------w H:\WINDOWS\system32\ati2sgag.exe
2007-05-16 15:20:05 683,520 ----a-w H:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"PRONoMgr.exe"="H:\Program\Intel\NCS\PROSet\PRONoMgr.exe" []
"SoundMAXPnP"="H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe" []
"SoundMAX"="H:\Program\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 09:42]
"ASUS Probe"="H:\Program Files\ASUS\Probe\AsusProb.exe" []
"DAEMON Tools-1033"="C:\Program\D-Tools\daemon.exe" [2004-08-22 17:05]
"SunJavaUpdateSched"="H:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"Sony Ericsson PC Suite"="H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:34]

H:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Personal.lnk - H:\Program\Personal\bin\Personal.exe [2007-07-24 17:20:42]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 hotcore3;hotcore3;H:\WINDOWS\system32\drivers\hotcore3.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program\UltraISO\drivers\ISODrive.sys
R1 mnmdd;mnmdd;H:\WINDOWS\system32\drivers\mnmdd.sys
R2 aslm75;aslm75;\??\H:\WINDOWS\system32\drivers\aslm75.sys
R2 lanmanserver;Server;H:\WINDOWS\system32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;H:\WINDOWS\system32\svchost.exe -k netsvcs
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;H:\Program\Analog Devices\SoundMAX\SMAgent.exe
R2 STEC3;STEC3;\??\H:\WINDOWS\system32\STEC3.sys
R2 winmgmt;Windows Management Instrumentation;H:\WINDOWS\system32\svchost.exe -k netsvcs
R3 E1000;Intel(R) PRO/1000 Adapter Driver;H:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 wdmaud;Drivrutin för Microsoft WINMM WDM-ljudkompatibilitet;H:\WINDOWS\system32\drivers\wdmaud.sys
S3 MidiSyn;MidiSyn;H:\WINDOWS\system32\drivers\MidiSyn.sys
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;H:\WINDOWS\system32\mnmsrvc.exe
S3 nm;Network Monitor Driver;H:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 s116bus;Sony Ericsson Device 116 driver (WDM);H:\WINDOWS\system32\DRIVERS\s116bus.sys
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;H:\WINDOWS\system32\DRIVERS\s116mdfl.sys
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;H:\WINDOWS\system32\DRIVERS\s116mdm.sys
S3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);H:\WINDOWS\system32\DRIVERS\s116mgmt.sys
S3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);H:\WINDOWS\system32\DRIVERS\s116nd5.sys
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;H:\WINDOWS\system32\DRIVERS\s116obex.sys
S3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);H:\WINDOWS\system32\DRIVERS\s116unic.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 21:37:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-16 21:38:22
H:\ComboFix-quarantined-files.txt ... 2007-08-16 21:38
H:\ComboFix2.txt ... 2007-08-09 19:43
H:\ComboFix3.txt ... 2007-08-09 02:15

--- E O F ---

random/random
2007-08-17, 00:55
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.




copy /y "H:\Program\Analog Devices\SoundMAX\SMax4PNP.ex_" "H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe"
copy /y "H:\Program\Intel\NCS\PROSet\PRONoMgr.ex_" "H:\Program\Intel\NCS\PROSet\PRONoMgr.exe"
copy /y "H:\Program Files\ASUS\Probe\AsusProb.ex_" "H:\Program Files\ASUS\Probe\AsusProb.exe"


Save it to your Desktop as cleanup2.bat. Save it as:
File Type: All Files (not as a text document, or it won't work).
Name: cleanup2.bat

Locate cleanup2.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Restart, then run Kaspersky again and post the log.

larssov
2007-08-18, 10:41
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 17, 2007 9:23:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 17/08/2007
Kaspersky Anti-Virus database records: 383056
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 90762
Number of viruses found: 8
Number of infected objects: 147
Number of suspicious objects: 0
Duration of the scan process: 00:53:53

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\MSHist012007081720070818\index.dat Object is locked skipped
H:\Documents and Settings\Victor\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Victor\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\Documents and Settings\Victor\UserData\index.dat Object is locked skipped
H:\Hijack\backups\backup-20070805-173145-652.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070728-161550-356.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
H:\HijackThis\backups\backup-20070805-054453-621.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
H:\HijackThis\backups\backup-20070805-054453-842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-054637-633.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-061008-514.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-200929-961.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-214024-185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215034-816.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215055-138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215202-368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215559-724.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-215759-974.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-221346-932.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222731-768.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222755-546.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-222955-984.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070805-223551-905.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-205753-601.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-211351-525.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-211400-937.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-214344-614.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-221157-782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222655-402.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222708-797.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222723-923.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070806-222735-436.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\HijackThis\backups\backup-20070807-210943-153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp10.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp12.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp14.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp20.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp21.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp23.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp24.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp28.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp32.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp35.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp4.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp5.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp8.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmp9.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpA.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpB.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpD.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpE.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
H:\QooBox\Quarantine\H\DOCUME~1\Victor\APPLIC~1\tmpF.tmp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\Program\Analog Devices\SoundMAX\SMax4PNP.exe.vir Infected: Trojan.Win32.Patched.af skipped
H:\QooBox\Quarantine\H\Program\Intel\NCS\PROSet\PRONoMgr.exe.vir Infected: Trojan.Win32.Patched.af skipped
H:\QooBox\Quarantine\H\Program Files\ASUS\Probe\AsusProb.exe.vir Infected: Trojan.Win32.Patched.af skipped
H:\QooBox\Quarantine\H\WINDOWS\byyvur.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\efdeec.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\gebayw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\geebca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\hgfgee.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\khijjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\mlklii.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\opqpmk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\c_1iag.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\d3dell.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\dosvid.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\erstuf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\findmo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\iccsvr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\mcisnit.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\vturopn.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\QooBox\Quarantine\H\WINDOWS\vtrqqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\QooBox\Quarantine\H\WINDOWS\wvvsqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

larssov
2007-08-18, 10:42
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003989.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003997.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0003999.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004004.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004017.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004021.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004124.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004125.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004127.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004130.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004143.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004144.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004145.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004146.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004147.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004148.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP32\A0004216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004320.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004322.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004323.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004325.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004326.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004328.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004329.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004332.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004335.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004338.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004340.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004341.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004343.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004344.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004345.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004346.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004348.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004349.exe Infected: Trojan.Win32.Agent.aoy skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004350.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP33\A0004605.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004690.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004692.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004693.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004694.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004697.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004700.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP34\A0004702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004933.exe Infected: Trojan.Win32.Patched.af skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004934.exe Infected: Trojan.Win32.Patched.af skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004935.exe Infected: Trojan.Win32.Patched.af skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP39\change.log Object is locked skipped
H:\VundoFix Backups\cisdit.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\dcomapi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\mprrbk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\VundoFix Backups\vturopn.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\default.LOG Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\software.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\system.LOG Object is locked skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Shaba
2007-08-18, 13:43
Hi larssov

random/random is on holiday and I'll handle this thread meanwhile.

Empty these folders:

H:\VundoFix Backups
H:\QooBox\Quarantine

Delete these files:

H:\Hijack\backups\backup-20070805-173145-652.dll
H:\HijackThis\backups\backup-20070728-161550-356.dll
H:\HijackThis\backups\backup-20070805-054453-621.dll
H:\HijackThis\backups\backup-20070805-054453-842.dll
H:\HijackThis\backups\backup-20070805-054637-633.dll
H:\HijackThis\backups\backup-20070805-061008-514.dll
H:\HijackThis\backups\backup-20070805-200929-961.dll
H:\HijackThis\backups\backup-20070805-214024-185.dll
H:\HijackThis\backups\backup-20070805-215034-816.dll
H:\HijackThis\backups\backup-20070805-215055-138.dll
H:\HijackThis\backups\backup-20070805-215202-368.dll
H:\HijackThis\backups\backup-20070805-215559-724.dll
H:\HijackThis\backups\backup-20070805-215759-974.dll
H:\HijackThis\backups\backup-20070805-221346-932.dll
H:\HijackThis\backups\backup-20070805-222731-768.dll
H:\HijackThis\backups\backup-20070805-222755-546.dll
H:\HijackThis\backups\backup-20070805-222955-984.dll
H:\HijackThis\backups\backup-20070805-223551-905.dll
H:\HijackThis\backups\backup-20070806-205753-601.dll
H:\HijackThis\backups\backup-20070806-211351-525.dll
H:\HijackThis\backups\backup-20070806-211400-937.dll
H:\HijackThis\backups\backup-20070806-214344-614.dll
H:\HijackThis\backups\backup-20070806-221157-782.dll
H:\HijackThis\backups\backup-20070806-222655-402.dll
H:\HijackThis\backups\backup-20070806-222708-797.dll
H:\HijackThis\backups\backup-20070806-222723-923.dll
H:\HijackThis\backups\backup-20070806-222735-436.dll
H:\HijackThis\backups\backup-20070807-210943-153.dll

Empty Recycle Bin

Install one antivirus and one firewall from below:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
3) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
4) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

After that, re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
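
The Kaspersky report posted above is mostly "Object is locked" lines, and every real detection in it sits in a quarantine folder, a HijackThis backup folder or a System Restore snapshot, which is exactly what the instructions in this reply act on. The Python script below is an added example for this thread, not code from the thread, from Kaspersky or from any of the removal tools: it parses lines in the report format as pasted, drops the locked-object noise and splits detections into live versus inert locations. The three line shapes and the folder markers are assumptions taken from the report as posted, and the sample input is a few lines copied from it.

```python
"""Triage a Kaspersky Online Scanner report of the kind pasted in this thread.

Added example for this thread; it is not part of Kaspersky or of any removal
tool. It separates real detections from 'Object is locked' noise and tells
live infections apart from copies that already sit in a quarantine, a tool's
backup folder or a System Restore snapshot.
"""
import re
from collections import Counter, namedtuple

# Report line shapes assumed from the thread (each ends with the action taken):
#   <path> Infected: <verdict> skipped
#   <path> Object is locked skipped
#   <path> ZIP: infected - <n> skipped
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Infected: (?P<verdict>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>ZIP: infected - \d+)"
    r") (?P<action>\S+)$"
)

# Folder markers taken from the report: anything under these is a copy that
# is no longer loaded (assumption: only the quarantine/backup locations that
# appear in the thread are listed here).
INERT_MARKERS = (
    r"\qoobox\quarantine",
    r"\vundofix backups",
    r"\hijackthis\backups",
    r"\hijack\backups",
    r"\system volume information\_restore",
)

Detection = namedtuple("Detection", "path verdict")

# Constructed sample: a few lines copied from the report posted above.
SAMPLE_REPORT = r"""
H:\Documents and Settings\Victor\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\HijackThis\backups\backup-20070805-054453-842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\QooBox\Quarantine\H\WINDOWS\system32\vturopn.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004933.exe Infected: Trojan.Win32.Patched.af skipped
H:\VundoFix Backups\vturopn.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
"""


def is_inert(path):
    """True if the path lies in a quarantine, backup or restore-point folder."""
    low = path.lower()
    return any(marker in low for marker in INERT_MARKERS)


def triage(report_text):
    """Parse the report and bucket every line.

    Returns a dict with 'live' and 'inert' Detection lists, the 'locked'
    paths (in-use system files, not infections), any 'unparsed' lines, and a
    Counter of verdicts over all detections.
    """
    live, inert, locked, unparsed = [], [], [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        if m.group("locked"):
            locked.append(m.group("path"))
        elif m.group("archive"):
            # Container summary line; the infected member has its own line.
            continue
        else:
            hit = Detection(m.group("path"), m.group("verdict"))
            (inert if is_inert(hit.path) else live).append(hit)
    verdicts = Counter(d.verdict for d in live + inert)
    return {"live": live, "inert": inert, "locked": locked,
            "unparsed": unparsed, "verdicts": verdicts}


def summarize(result):
    """Human-readable summary: the part a helper reads first."""
    lines = [f"locked (in use, skipped): {len(result['locked'])}",
             f"inert copies (quarantine/backup/restore): {len(result['inert'])}",
             f"LIVE detections needing attention: {len(result['live'])}"]
    for d in result["live"]:
        lines.append(f"  {d.verdict}  {d.path}")
    lines.append("verdict totals: " + ", ".join(
        f"{v}={n}" for v, n in result["verdicts"].most_common()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

Run against the full report, the only "live" hit is the Reboot.exe inside the SmitfraudFix archive (a RiskTool flag on a component of the removal tool itself); everything else is either an in-use system file or a neutralised copy, which is why the reply above amounts to emptying the quarantines and deleting the backup DLLs rather than hunting for an active infection.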

larssov
2007-08-19, 18:25
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:23:55, on 2007-08-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
H:\Program\Analog Devices\SoundMAX\Smax4.exe
C:\Program\D-Tools\daemon.exe
H:\Program\Java\jre1.6.0_02\bin\jusched.exe
H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
H:\Program\AVG7\avgcc.exe
H:\Program\Comodo\Firewall\CPF.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program\Personal\bin\Personal.exe
H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\Program\AVG7\avgamsvr.exe
H:\Program\AVG7\avgupsvc.exe
H:\Program\Comodo\Firewall\cmdagent.exe
H:\Program\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\System32\svchost.exe
H:\Program\Delade filer\Teleca Shared\Generic.exe
H:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\Program\MSN Messenger\msnmsgr.exe
H:\Program\MSN Messenger\usnsvc.exe
H:\WINDOWS\system32\NOTEPAD.EXE
H:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] H:\Program\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "H:\Program\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] H:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] H:\Program\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "H:\Program\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\Program\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Personal.lnk = H:\Program\Personal\bin\Personal.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - H:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\Program\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\Program\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - H:\Program\Comodo\Firewall\cmdagent.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - H:\Program\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4671 bytes

larssov
2007-08-19, 18:26
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 19, 2007 5:22:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 19/08/2007
Kaspersky Anti-Virus database records: 385119
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 90275
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:26:37

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP41\change.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP41\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{037264E8-5ECB-4A17-8DAE-5675BA25E7B8}\RP40\A0016082.exe Object is locked skipped
E:\System Volume Information\_restore{037264E8-5ECB-4A17-8DAE-5675BA25E7B8}\RP40\A0016083.exe Object is locked skipped
E:\System Volume Information\_restore{037264E8-5ECB-4A17-8DAE-5675BA25E7B8}\RP40\A0016091.exe Object is locked skipped
E:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP41\change.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
H:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
H:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\ipfilter.cache Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU38114.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU38115.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU38116.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU38117.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU38118.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Azureus\tmp\AZU38119.tmp Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\FM_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
H:\Documents and Settings\Victor\Cookies\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\dfsr.db Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\fsr.log Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\fsrtmp.log Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Messenger\testudent@hotmail.com\SharingMetadata\Working\database_14E4_3EC3_E43E_A740\tmp.edb Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows Live Contacts\testudent@hotmail.com\real\members.stg Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Application Data\Microsoft\Windows Live Contacts\testudent@hotmail.com\shadow\members.stg Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\hsperfdata_Victor\1776 Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF7345.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF7351.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF8CCE.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF98B2.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temp\~DF9921.tmp Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
H:\Documents and Settings\Victor\Lokala inställningar\Tidigare\History.IE5\MSHist012007081920070820\index.dat Object is locked skipped
H:\Documents and Settings\Victor\NTUSER.DAT Object is locked skipped
H:\Documents and Settings\Victor\ntuser.dat.LOG Object is locked skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\Documents and Settings\Victor\Skrivbord\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004933.exe Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004934.exe Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP38\A0004935.exe Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004983.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004984.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004985.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004986.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004988.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004989.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004990.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004991.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004992.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004993.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004994.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004995.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004996.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004997.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004998.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0004999.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005000.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005001.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005002.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005003.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005004.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005005.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005006.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005007.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005008.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005009.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005010.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005011.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005012.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005013.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005014.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005015.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005016.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005018.dll Object is locked skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP40\A0005019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
H:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP41\change.log Object is locked skipped
H:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
H:\WINDOWS\SchedLgU.Txt Object is locked skipped
H:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
H:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\default Object is locked skipped
H:\WINDOWS\system32\config\default.LOG Object is locked skipped
H:\WINDOWS\system32\config\SAM Object is locked skipped
H:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
H:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\SECURITY Object is locked skipped
H:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
H:\WINDOWS\system32\config\software Object is locked skipped
H:\WINDOWS\system32\config\software.LOG Object is locked skipped
H:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
H:\WINDOWS\system32\config\system Object is locked skipped
H:\WINDOWS\system32\config\system.LOG Object is locked skipped
H:\WINDOWS\system32\h323log.txt Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
H:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
H:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{32FD04AE-367C-420E-97B0-C5894323361E}\RP41\change.log Object is locked skipped

Scan process completed.

Shaba
2007-08-19, 19:36
Hi

Logs look good.

All viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?

Shaba
2007-08-29, 17:39
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.