Virtuemondo infection



claydavi
2007-09-12, 15:39
Hi group.
I too have fallen victim to Virtumonde.

Before finding this forum I had the following:
Popups redirecting me to Win (thingy) and optimisers, popups directing me to Myspace etc.

I ran Spybot S&D. Fixed all.
Virtumonde persisted.
Ran Adaware. Fixed all.
Virtumonde persisted.
Ran Bughun22.
Virtumonde persisted.
Vundofix and virtumondobegone, and still it persists.

Following instructions, I have now run Kaspersky and HijackThis (logs to follow).
Running Spybot S&D from the DOS prompt half an hour ago revealed:
Clickbank
MediaPlex
Virtumonde
Webtrends Live
Zedo

I also have a laptop here (a friend's, which I'm repairing and probably the source of the infection). Will create a separate thread for fixing it.

claydavi
2007-09-12, 15:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:50 PM, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAMP.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo RX650 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAMP.EXE /FU "C:\DOCUME~1\David\LOCALS~1\Temp\E_S2E7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.csiro.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189590081126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186291913078
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 9644 bytes

claydavi
2007-09-12, 15:47
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 12, 2007 7:28:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412588
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 83168
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:21:27

Infected Object Name / Virus Name / Last Action
C:\0c24fe31eaaca2affad85d343d\baseline.dat Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\deffactory.dat Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\deletetemp.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\dlmgr.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\dw20.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\dwintl20.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1025.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1028.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1029.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1030.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1031.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1032.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1033.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1035.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1036.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1037.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1038.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1040.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1041.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1042.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1043.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1044.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1045.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1046.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1049.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1053.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1055.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.2052.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.2070.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.3082.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\gencomp.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\htmllite.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1025.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1028.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1029.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1030.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1031.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1032.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1035.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1036.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1037.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1038.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1040.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1041.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1042.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1043.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1044.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1045.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1046.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1049.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1053.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1055.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.2052.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.2070.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.3082.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\logo.bmp Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\rebootstub.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\runmsi.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setup.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setup.sdb Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1025.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1028.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1029.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1030.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1031.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1032.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1035.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1036.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1037.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1038.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1040.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1041.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1042.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1043.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1044.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1045.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1046.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1049.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1053.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1055.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.2052.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.2070.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.3082.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\sitsetup.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs70uimgr.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vsbasereqs.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vsscenario.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs_setup.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs_setup.msi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs_setup.pdi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1025.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1028.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1029.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1030.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1031.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1032.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1035.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1036.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1037.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1038.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1040.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1041.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1042.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1043.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1044.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1045.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1046.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1049.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1053.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1055.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.2052.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.2070.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.3082.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapui.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\rgbrast\x86\rgb9rast_x86.msi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\wcf\wcf.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\wf\wf_3.0_x86.msi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\wpf\wpf.msi Object is locked skipped
C:\55e84308d7dee7fec87494cc9f1e\msxml4-KB927978-enu.log Object is locked skipped
C:\check_LSA7.txt Object is locked skipped
C:\da7b1db6521cb2f6b389a4\%temp%dd_msxml_retMSI.txt Object is locked skipped

claydavi
2007-09-12, 15:48
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DAVID.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_DAVID.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00000002.ps1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00000002.ps2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00010004.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\cicat.fid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\cicat.hsh Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiP10000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiP20000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\propstor.bk1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\propstor.bk2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070912_Time-175119687_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070912_Time-175119687_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\EmailOnDeliveryLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\EmailOnDemandLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\David\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Outlook\David.srs Object is locked skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip ZIP: infected - 3 skipped
C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{18105BBC-A45F-4696-847F-ED2C1ACB11CD}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{18105BBC-A45F-4696-847F-ED2C1ACB11CD}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{18105BBC-A45F-4696-847F-ED2C1ACB11CD}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{18105BBC-A45F-4696-847F-ED2C1ACB11CD}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012007091220070913\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\David\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\David\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010011.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP173\A0010604.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP174\A0011835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP174\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\wmp.inf Object is locked skipped
C:\WINDOWS\S02CA23DB.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DBC09D2F-08AC-410C-9662-C10A620C51C6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\cbxxxuu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\qpuoflav.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\sfhgxdwf.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\Z-SANService.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP175\change.log Object is locked skipped

Scan process completed.

Mr_JAk3
2007-09-16, 14:51
Hello and welcome to the Forums :)

Sorry for the delay. You're infected.

Please rename HijackThis.exe to skanneri.exe

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis (skanneri.exe) log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

claydavi
2007-09-17, 12:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:19 PM, on 17/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\glbnaeee.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAMP.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\skanneri\skanneri.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.csiro.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {632AB9DB-EE1E-43B0-AA06-4DD209EE33BF} - (no file)
O2 - BHO: (no name) - {6AB56860-8A95-4C5B-9BB6-5379100B100D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7DF5D81A-B55E-428B-8BAB-80F3BEB86A95} - C:\WINDOWS\system32\vtsqp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\creobtqb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo RX650 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAMP.EXE /FU "C:\DOCUME~1\David\LOCALS~1\Temp\E_S2E7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.csiro.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189590081126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186291913078
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbxxxuu - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\glbnaeee.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 10864 bytes
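
The helper reads a log like the one above by eye, looking for a handful of patterns: an O2 BHO whose CLSID is still registered but whose DLL is gone ("(no file)"), O2/O20/O23 entries that load a randomly named DLL or EXE out of system32, a Winlogon Notify handler whose path HijackThis could not resolve, and a service with no vendor string. The script below is an added example, not part of this thread and not a HijackThis feature, that applies exactly those checks to lines copied from the log above; the "5 to 8 lowercase letters" rule for a random-looking name, and the choice to apply it only to O2, O20 and O23 entries, are assumptions of the example rather than anything the forum helper stated.

```python
import re

# Sample lines copied from the HijackThis log above, mixed with benign entries from the
# same log so the checks can be tried against both known-good and known-bad lines.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {632AB9DB-EE1E-43B0-AA06-4DD209EE33BF} - (no file)
O2 - BHO: (no name) - {6AB56860-8A95-4C5B-9BB6-5379100B100D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7DF5D81A-B55E-428B-8BAB-80F3BEB86A95} - C:\WINDOWS\system32\vtsqp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\creobtqb.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: cbxxxuu - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\glbnaeee.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
"""

# Assumption of this example: a stem of 5-8 lowercase letters (vtsqp, creobtqb, cbxxxuu,
# glbnaeee) is "random-looking". Legit names such as ctfmon also match, so the rule is
# only applied to sections where such a file is unusual (O2, O20, O23), never to O4.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
SYSTEM32_FILE = re.compile(r"\\system32\\([^\\ ]+)$", re.IGNORECASE)


def random_looking_system32_file(line):
    """True if the entry's path ends in system32\\<random stem>.dll or .exe."""
    m = SYSTEM32_FILE.search(line)
    if not m:
        return False
    stem, _, ext = m.group(1).rpartition(".")
    return ext.lower() in ("dll", "exe") and bool(RANDOM_STEM.match(stem))


def triage_hijackthis(log_text):
    """Return (section, reason, line) for O2/O20/O23 entries that match the patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O2":
            if line.endswith("(no file)"):
                findings.append((section, "BHO CLSID registered but its DLL is gone", line))
            elif random_looking_system32_file(line):
                findings.append((section, "BHO loaded from system32 with a random-looking name", line))
        elif section == "O20":
            # "O20 - Winlogon Notify: <key> - <path>": the DLL is loaded into winlogon.exe;
            # a bare directory instead of a file means HJT could not resolve the module.
            rest = line.split("Winlogon Notify: ", 1)[1]
            key, _, path = rest.partition(" - ")
            if path.endswith("\\") or RANDOM_STEM.match(key):
                findings.append((section, "Winlogon Notify handler with unresolved path or random-looking name", line))
        elif section == "O23":
            # "O23 - Service: <name> - <company> - <path>"; an empty company renders as " - - ".
            if " - - " in line or random_looking_system32_file(line):
                findings.append((section, "service with no vendor string or random-looking binary", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_HJT):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it flags seven entries: the three orphaned BHO CLSIDs, vtsqp.dll, creobtqb.dll, the cbxxxuu Winlogon Notify key and the vendor-less DomainService. The stem test on its own is deliberately crude (ctfmon.exe would pass it too), which is why it is only combined with the section context and never used as the sole reason to remove anything.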

Mr_JAk3
2007-09-17, 20:54
Hi :)

Did you run VundoFix?

If not, please run it as instructed and post the contents of C:\vundofix.txt to here :bigthumb:

claydavi
2007-09-18, 13:31
Sorry, I did and I forgot to post ... late nights *yawn*


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.10

Scan started at 6:29:44 PM 17/09/2007

Listing files found while scanning....

C:\windows\system32\behtndfi.dll
C:\windows\system32\ifdntheb.ini

Beginning removal...

Attempting to delete C:\windows\system32\behtndfi.dll
C:\windows\system32\behtndfi.dll Has been deleted!

Attempting to delete C:\windows\system32\ifdntheb.ini
C:\windows\system32\ifdntheb.ini Has been deleted!

Performing Repairs to the registry.
Done!

Mr_JAk3
2007-09-18, 21:17
OK don't worry :)

Story continues...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

claydavi
2007-09-20, 03:49
Ok I set combofix going last night about 7:30pm. It continued to run over night and was still going when I left for work this morning ... it's been going for 12 hours so far. Is this normal?

claydavi
2007-09-20, 11:44
ComboFix 07-09-18.4 - "David" 2007-09-19 18:25:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1412 [GMT 9.5:30]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\creobtqb.dll
C:\WINDOWS\system32\glbnaeee.exe
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\pqstv.bak2
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\qovirhbv.exe
C:\WINDOWS\system32\qpuoflav.exe
C:\WINDOWS\system32\sfhgxdwf.exe
C:\WINDOWS\system32\vtsqp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.

2007-09-19 18:28 125,504 --a------ C:\WINDOWS\system32\snalnkfo.dll
2007-09-19 18:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 21:05 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-12 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 19:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-12 19:21 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-09-11 23:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-11 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 20:25 <DIR> d-------- C:\VundoFix Backups
2007-09-10 18:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-10 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-10 18:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-10 17:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-09 17:31 44,054 --a------ C:\WINDOWS\system32\cbxxxuu.dll.vir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-13 21:31 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Skype
2007-08-29 17:46 --------- d-------- C:\Program Files\EPSON Print CD
2007-08-08 05:18 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-07 19:36 --------- d-------- C:\Program Files\ptrk
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 22:07 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Help
2007-08-05 16:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-05 16:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\EPSON
2007-08-05 16:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ATI
2007-08-05 12:53 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 12:37 --------- d-------- C:\Program Files\Photomatix
2007-08-02 07:38 --------- d-------- C:\Program Files\PowerQuest
2007-08-01 20:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-08-01 20:20 99776 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-08-01 20:20 388000 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-08-01 20:20 32288 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-08-01 20:20 --------- d-------- C:\Program Files\Common Files\Acronis
2007-08-01 20:20 --------- d-------- C:\Program Files\Acronis
2007-07-30 20:51 --------- d-------- C:\Program Files\Libronix DLS
2007-07-30 20:50 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Libronix DLS
2007-07-30 20:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Libronix DLS
2007-07-30 20:45 --------- d-------- C:\Program Files\NETGEAR
2007-07-23 19:33 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-23 19:32 --------- d-------- C:\Program Files\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632AB9DB-EE1E-43B0-AA06-4DD209EE33BF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AB56860-8A95-4C5B-9BB6-5379100B100D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2005-12-07 02:55]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 C:\WINDOWS\system32\TWEAKUI.CPL]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2005-05-02 21:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 14:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-04 16:19]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 15:57]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-07-21 09:03]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-07-21 00:15]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-07-21 00:13]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2007-08-05 12:53:18]

C:\DOCUME~1\David\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxxuu]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\ocipjvcq.dll",forkonce

R0 megasas;megasas;C:\WINDOWS\system32\DRIVERS\megasas.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R0 vmscsi;vmscsi;C:\WINDOWS\system32\DRIVERS\vmscsi.sys
R0 ZetSFD;ZetSFD;C:\WINDOWS\system32\DRIVERS\ZetSFD.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;C:\WINDOWS\system32\drivers\sfsz.sys
R2 SIODRV;SIODRV;\??\C:\WINDOWS\system32\drivers\SIODRV.SYS
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 Z-SANService;Z-SAN Service;C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\system32\DRIVERS\smb.sys
R3 ZetBus;Zetera Virtual Bus;C:\WINDOWS\system32\DRIVERS\ZetBus.sys
S3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys
S3 ZetMPD;ZetMPD;C:\WINDOWS\system32\DRIVERS\ZetMPD.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57dfae85-f92a-11db-aeab-000cf1ecf584}]
audit\command- G:\ezflash.exe
AutoRun\command- G:\ezflash.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 16:31:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-20 08:31:44 C:\WINDOWS\Tasks\Update Software.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 18:01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 18:03:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 18:03
.
--- E O F ---

Mr_JAk3
2007-09-20, 18:39
Hi :)

We'll scan one file before we continue...

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:

C:\WINDOWS\system32\snalnkfo.dll
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

claydavi
2007-09-21, 11:14
File snalnkfo.dll received on 09.21.2007 10:09:46 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.21.0 2007.09.20 -
AntiVir 7.6.0.15 2007.09.21 TR/Vundo.DMP.33
Authentium 4.93.8 2007.09.20 -
Avast 4.7.1043.0 2007.09.20 Win32:Vundo-gen48
AVG 7.5.0.485 2007.09.20 Lop.CV
BitDefender 7.2 2007.09.21 Trojan.Vundo.DMP
CAT-QuickHeal 9.00 2007.09.20 -
ClamAV 0.91.2 2007.09.21 -
DrWeb 4.33 2007.09.20 Trojan.Virtumod
eSafe 7.0.15.0 2007.09.19 Suspicious Trojan/Worm
eTrust-Vet 31.2.5153 2007.09.21 Win32/Vundo!generic
Ewido 4.0 2007.09.20 -
FileAdvisor 1 2007.09.21 -
Fortinet 3.11.0.0 2007.09.21 -
F-Prot 4.3.2.48 2007.09.20 W32/VmondeP.AK
F-Secure 6.70.13030.0 2007.09.21 W32/Vundo.dam
Ikarus T3.1.1.12 2007.09.21 Trojan.Virtumod
Kaspersky 4.0.2.24 2007.09.21 -
McAfee 5124 2007.09.20 -
Microsoft 1.2803 2007.09.21 Trojan:Win32/Virtumonde.O
NOD32v2 2543 2007.09.21 a variant of Win32/Adware.Virtumonde
Norman 5.80.02 2007.09.20 W32/Vundo.dam
Panda 9.0.0.4 2007.09.21 Suspicious file
Prevx1 V2 2007.09.21 Trojan.Vundo
Rising 19.41.41.00 2007.09.21 -
Sophos 4.21.0 2007.09.21 Virtumundo
Sunbelt 2.2.907.0 2007.09.20 VIPRE.Suspicious
Symantec 10 2007.09.21 -
TheHacker 6.2.5.064 2007.09.21 -
VBA32 3.12.2.4 2007.09.20 -
VirusBuster 4.3.26:9 2007.09.20 Adware.Vundo.P.Gen
Webwasher-Gateway 6.0.1 2007.09.21 Trojan.Vundo.DMP.33
Additional information
File size: 125504 bytes
MD5: b3bab4a58a04bc01daab9c4d3b758e2e
SHA1: ef75a32872d4910fe2011955f532a8e0332396ff
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=EE4DE13B407AB9D9EA090168EF183E0097E5BFFC
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

claydavi
2007-09-21, 11:15
Doesn't look too healthy.
Thanks for your help so far.
McAfee has stopped popping up alerts, and this has been my first login without Tea Timer flashing warnings of registry changes.

David

Mr_JAk3
2007-09-22, 17:29
Ok we'll get rid of it and its buddies...

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\snalnkfo.dll
C:\WINDOWS\system32\cbxxxuu.dll.vir
C:\WINDOWS\system32\ocipjvcq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632AB9DB-EE1E-43B0-AA06-4DD209EE33BF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AB56860-8A95-4C5B-9BB6-5379100B100D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxxuu]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]




Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

claydavi
2007-09-23, 05:55
ComboFix 07-09-18.4 - "David" 2007-09-23 12:18:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1492 [GMT 9.5:30]
* Created a new restore point

FILE::
C:\WINDOWS\system32\snalnkfo.dll
C:\WINDOWS\system32\cbxxxuu.dll.vir
C:\WINDOWS\system32\ocipjvcq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbxxxuu.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-19 18:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 21:05 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-12 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 19:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-12 19:21 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-09-11 23:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-11 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 20:25 <DIR> d-------- C:\VundoFix Backups
2007-09-10 18:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-10 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-10 18:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-10 17:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-13 21:31 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Skype
2007-08-29 17:46 --------- d-------- C:\Program Files\EPSON Print CD
2007-08-08 05:18 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-07 19:36 --------- d-------- C:\Program Files\ptrk
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 22:07 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Help
2007-08-05 16:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-08-05 16:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\EPSON
2007-08-05 16:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ATI
2007-08-05 12:53 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 12:37 --------- d-------- C:\Program Files\Photomatix
2007-08-02 07:38 --------- d-------- C:\Program Files\PowerQuest
2007-08-01 20:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-08-01 20:20 99776 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2007-08-01 20:20 388000 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2007-08-01 20:20 32288 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-08-01 20:20 --------- d-------- C:\Program Files\Common Files\Acronis
2007-08-01 20:20 --------- d-------- C:\Program Files\Acronis
2007-07-30 20:51 --------- d-------- C:\Program Files\Libronix DLS
2007-07-30 20:50 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Libronix DLS
2007-07-30 20:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Libronix DLS
2007-07-30 20:45 --------- d-------- C:\Program Files\NETGEAR
2007-07-23 19:33 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-23 19:32 --------- d-------- C:\Program Files\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2005-12-07 02:55]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 C:\WINDOWS\system32\TWEAKUI.CPL]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2005-05-02 21:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 14:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-04 16:19]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 15:57]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 15:21]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-07-21 09:03]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-07-21 00:15]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-07-21 00:13]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2007-08-05 12:53:18]

C:\DOCUME~1\David\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

R0 megasas;megasas;C:\WINDOWS\system32\DRIVERS\megasas.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R0 vmscsi;vmscsi;C:\WINDOWS\system32\DRIVERS\vmscsi.sys
R0 ZetSFD;ZetSFD;C:\WINDOWS\system32\DRIVERS\ZetSFD.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;C:\WINDOWS\system32\drivers\sfsz.sys
R2 SIODRV;SIODRV;\??\C:\WINDOWS\system32\drivers\SIODRV.SYS
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R2 Z-SANService;Z-SAN Service;C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\system32\DRIVERS\smb.sys
R3 ZetBus;Zetera Virtual Bus;C:\WINDOWS\system32\DRIVERS\ZetBus.sys
S3 ZetMPD;ZetMPD;C:\WINDOWS\system32\DRIVERS\ZetMPD.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57dfae85-f92a-11db-aeab-000cf1ecf584}]
audit\command- G:\ezflash.exe
AutoRun\command- G:\ezflash.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-23 01:24:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-23 02:52:53 C:\WINDOWS\Tasks\Update Software.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 12:22:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-23 12:24:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 12:24
C:\ComboFix2.txt ... 2007-09-20 18:03
.
--- E O F ---
:sick:

Mr_JAk3
2007-09-23, 13:13
Ok better already :)

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log.

claydavi
2007-09-24, 14:54
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 24, 2007 9:23:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 24/09/2007
Kaspersky Anti-Virus database records: 422815
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 80203
Number of viruses found: 3
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:10:24

Infected Object Name / Virus Name / Last Action
C:\0c24fe31eaaca2affad85d343d\baseline.dat Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\deffactory.dat Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\deletetemp.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\dlmgr.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\dw20.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\dwintl20.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1025.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1028.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1029.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1030.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1031.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1032.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1033.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1035.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1036.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1037.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1038.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1040.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1041.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1042.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1043.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1044.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1045.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1046.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1049.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1053.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.1055.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.2052.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.2070.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\eula.3082.rtf Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\gencomp.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\htmllite.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1025.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1028.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1029.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1030.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1031.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1032.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1035.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1036.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1037.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1038.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1040.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1041.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1042.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1043.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1044.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1045.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1046.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1049.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1053.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.1055.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.2052.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.2070.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.3082.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\locdata.ini Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\logo.bmp Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\rebootstub.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\runmsi.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setup.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setup.sdb Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1025.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1028.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1029.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1030.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1031.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1032.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1035.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1036.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1037.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1038.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1040.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1041.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1042.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1043.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1044.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1045.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1046.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1049.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1053.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.1055.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.2052.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.2070.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.3082.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\setupres.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\sitsetup.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs70uimgr.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vsbasereqs.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vsscenario.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs_setup.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs_setup.msi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\vs_setup.pdi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1025.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1028.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1029.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1030.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1031.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1032.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1035.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1036.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1037.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1038.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1040.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1041.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1042.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1043.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1044.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1045.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1046.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1049.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1053.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.1055.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.2052.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.2070.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.3082.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapres.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wapui.dll Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\rgbrast\x86\rgb9rast_x86.msi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\wcf\wcf.exe Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\wf\wf_3.0_x86.msi Object is locked skipped
C:\0c24fe31eaaca2affad85d343d\wcu\wpf\wpf.msi Object is locked skipped
C:\55e84308d7dee7fec87494cc9f1e\msxml4-KB927978-enu.log Object is locked skipped
C:\da7b1db6521cb2f6b389a4\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DAVID.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_DAVID.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-09132007-210600.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070924_Time-175213156_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070924_Time-175213156_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\David\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip ZIP: infected - 3 skipped
C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{05910515-0DE9-47FE-A08A-42138B1A4E8A} Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_de4.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\Perflib_Perfdata_f54.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\David\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\MpCmdRun-5E-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\MpCmdRun.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cbxxxuu.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\glbnaeee.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qovirhbv.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qpuoflav.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sfhgxdwf.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP173\A0010604.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP189\A0013733.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP189\A0013734.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP189\A0013735.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP189\A0013736.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP195\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\wmp.inf Object is locked skipped
C:\WINDOWS\S02CA23DB.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{75E55053-CDBB-4EA9-8BDF-5F321926E48B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\Z-SANService.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

claydavi
2007-09-24, 14:55
Still a few little mongrels in there, but not nearly as many as the first scan! :)

Mr_JAk3
2007-09-24, 22:32
Hi :)

Only some backups and leftovers in temp folder/System restore folder.

May I see the fresh HijackThis log too :bigthumb:
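
The triage Mr_JAk3 does by eye here (real detections versus "Object is locked" noise, and quarantine/System Restore backups versus live files) as an added Python example that is not part of this thread. The location buckets are my own heuristic, and the sample is a handful of lines copied from the Kaspersky report above.

```python
"""Triage a Kaspersky Online Scanner report: drop "Object is locked" noise,
keep real detections and group them by where they live on disk."""
import re
from collections import Counter
from dataclasses import dataclass

# Status suffixes as they appear in the report's
# "Infected Object Name / Virus Name / Last Action" lines.
LOCKED_SUFFIX = "Object is locked skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# Per-archive total; the archive's members are listed individually above it.
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) skipped$")


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    location: str  # quarantine, system_restore, java_cache or live


def classify_location(path):
    """Map a path to the bucket that decides whether it still matters.

    ComboFix's qoobox quarantine and System Restore points hold inert
    copies; the Java deployment cache is a download cache. Everything else
    is treated as a live file. Heuristic buckets chosen for this example."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    return "live"


def parse_report(text):
    """Return one Finding per 'Infected:' line, ignoring noise lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(LOCKED_SUFFIX) or ARCHIVE_RE.match(line):
            continue  # locked files and archive totals add no new detection
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["name"], classify_location(m["path"])))
    return findings


def summarize(findings):
    """Count detections per location bucket."""
    return dict(Counter(f.location for f in findings))


def live_detections(findings):
    """Paths that are neither backups nor caches: these still need action."""
    return [f.path for f in findings if f.location == "live"]


# Sample input: lines copied from the report posted above (trimmed).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-1adc1de6-2bc98b20.zip ZIP: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cbxxxuu.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\glbnaeee.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP173\A0010604.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP189\A0013733.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("detections by location:", summarize(found))
    print("still live:", live_detections(found) or "none")
```

An empty "still live" list is the condition Mr_JAk3 is describing: what remains is backups and cache entries, not an active component.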

claydavi
2007-09-25, 15:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:33 PM, on 25/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.csiro.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.csiro.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189590081126
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186291913078
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe

--
End of file - 10032 bytes

Mr_JAk3
2007-09-26, 21:50
Hi again, it is looking clean now :)

You can fix this leftover with HijackThis:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You can remove the tools we used.

Then you should update your Java to the latest version (6u2):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 10

Download the latest version of Java Runtime Environment (JRE) 6u2 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
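The orphaned BHO entry Mr_JAk3 points out above is the kind of leftover an analyst can pick out of a HijackThis log automatically. The Python helper below is an added example, not HijackThis code or anything posted in this thread; the class and function names are hypothetical, and the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Hypothetical triage helper (added example; not part of HijackThis or this thread).
# It parses O2 (BHO) and O3 (Toolbar) lines and reports entries whose DLL is gone.
CLSID_LINE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}) - (?P<path>.+)$",
    re.IGNORECASE,
)

@dataclass
class ClsidEntry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str

    def findings(self):
        """Reasons this entry deserves a look; empty for a plain vendor DLL."""
        reasons = []
        if self.path.strip().lower() == "(no file)":
            # HijackThis prints "(no file)" when the registered DLL no longer exists on disk.
            reasons.append("registered DLL missing on disk")
        if self.name.strip().lower() == "(no name)":
            # A missing friendly name is a triage signal, not a verdict (Spybot's SDHelper has none).
            reasons.append("no friendly name registered")
        return reasons

def parse_clsid_entries(log_text):
    """Return every O2/O3 line as a ClsidEntry, ignoring all other log lines."""
    entries = []
    for line in log_text.splitlines():
        m = CLSID_LINE.match(line.strip())
        if m:
            entries.append(ClsidEntry(**m.groupdict()))
    return entries

def flagged_entries(log_text):
    """Map CLSID -> list of findings for every entry that has at least one."""
    return {e.clsid: e.findings() for e in parse_clsid_entries(log_text) if e.findings()}

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
"""
```

Running `flagged_entries(SAMPLE_LOG)` singles out the dead {7E853D72-...} registration with both findings, while the Spybot helper only trips the weaker "no friendly name" signal.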

claydavi
2007-10-01, 16:02
Thanks for your help Mr_Jak3 :bigthumb:
Everything is all clean .. I've even made a back up!!

Mr_JAk3
2007-10-01, 22:17
That's great news and you're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: