Right think I have the virus aswell. Originally detected by Spybot when I noticed my system running extremely slow after coming back online for the first time in a while.

Virmundo seems to be installing lots of other bad stuff whenever I'm online but spy bot wont remove it and a command entry because they are "running" in the memory.

Now have anti vir pe running which is going crazy detecting viruses every minute. This is the worst time because I'm trying to revise for my finals!

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:39 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\Um9icyBDb21w\command.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\ehome\RMSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\ehome\McrdSvc.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Transcode360\Transcode360Tray.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI .exe
D:\Program Files\Transcode360\Transcode360Tray .exe
D:\WINDOWS\system32\F?nts\w?auclt.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
D:\Program Files\iTunes\iTunesHelper .exe
D:\WINDOWS\ehome\RMSysTry.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

-Delay
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

/r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Transcode360] D:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

/startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask .exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe"

/min
O4 - HKCU\..\Run: [Creative Detector] D:\Program

Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Obwc] "D:\WINDOWS\system32\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Fiwqrifx] D:\WINDOWS\system32\F?nts\w?auclt.exe
O4 - Global Startup: Extender Resource Monitor.lnk = D:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program

Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

D:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH -

D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH -

D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner -

D:\WINDOWS\Um9icyBDb21w\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program

Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. -

D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common

Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6732 bytes


I've read most of this and realsie I'l need the combo fix but I'll wait until someone gets back to me

Thanks

roxley59

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You do have some nasty things going on , lets do a few things.


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall



Your HJT log is hard to read the way you posted it, when it opens in Notepad, make sure Wordwrap is unchecked.



Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


I need to see ....

1. Vundofix log
2. Combofix log
3. New HJT log

Right well things haven't gone too well. I ran vundofix as instructed, but I wouldn't remove one file, I followed the instructions but it crashed when trying to restart, from then on every time I restarted no programs would run including vundo becasue something was massively draining the resources.

I started the system in safe mode and it booted up, I ran vundofix again and removed about 5 files again but one still remains. Again I followed the instructions and the system restarted and vundofix started up and tried to remove the last file, again it stalled. I'm running vundofix again now and its finding new infected files (again). I'l try another restart after its found the files but I'm not hopeful.


VundoFix V6.7.7

Checking Java version...

Scan started at 12:35:08 PM 1/14/2008

Listing files found while scanning....

D:\WINDOWS\system32\khfcyxy.dll
D:\WINDOWS\system32\ljjiffe.dll
D:\WINDOWS\system32\lnnmp.ini
D:\WINDOWS\system32\lnnmp.ini2
D:\WINDOWS\system32\opnoppp.dll
D:\WINDOWS\system32\pmnnl.dll

Beginning removal...

Attempting to delete D:\WINDOWS\system32\khfcyxy.dll
D:\WINDOWS\system32\khfcyxy.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\ljjiffe.dll
D:\WINDOWS\system32\ljjiffe.dll Could not be deleted.

Attempting to delete D:\WINDOWS\system32\lnnmp.ini
D:\WINDOWS\system32\lnnmp.ini Has been deleted!

Attempting to delete D:\WINDOWS\system32\lnnmp.ini2
D:\WINDOWS\system32\lnnmp.ini2 Has been deleted!

Attempting to delete D:\WINDOWS\system32\opnoppp.dll
D:\WINDOWS\system32\opnoppp.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\pmnnl.dll
D:\WINDOWS\system32\pmnnl.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 1:40:35 PM 1/14/2008

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Scan started at 5:25:19 PM 1/14/2008

Listing files found while scanning....

D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\system32\ljjiffe.dll
D:\WINDOWS\system32\lnnmp.ini
D:\WINDOWS\system32\lnnmp.ini2
D:\WINDOWS\system32\pmnnl.dll
D:\WINDOWS\system32\pmnnl.exe

Beginning removal...

Attempting to delete D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\ehome\ehtray.exe Has been deleted!

Attempting to delete D:\WINDOWS\system32\ljjiffe.dll
D:\WINDOWS\system32\ljjiffe.dll Could not be deleted.

Attempting to delete D:\WINDOWS\system32\lnnmp.ini
D:\WINDOWS\system32\lnnmp.ini Has been deleted!

Attempting to delete D:\WINDOWS\system32\lnnmp.ini2
D:\WINDOWS\system32\lnnmp.ini2 Has been deleted!

Attempting to delete D:\WINDOWS\system32\pmnnl.dll
D:\WINDOWS\system32\pmnnl.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\pmnnl.exe
D:\WINDOWS\system32\pmnnl.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 6:14:21 PM 1/14/2008

Listing files found while scanning....

D:\WINDOWS\system32\ljjiffe.dll

Beginning removal...

Attempting to delete D:\WINDOWS\system32\ljjiffe.dll
D:\WINDOWS\system32\ljjiffe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 6:48:14 PM 1/14/2008

Listing files found while scanning....



HJT log...




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:47 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Rob\Desktop\VundoFix.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B501843-3617-4A9A-8DD4-1405CB794264} - D:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6F8AE42-1F80-3F5C-D25C-30E674F30CE6} - D:\WINDOWS\system32\fwadnsat.dll
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - D:\WINDOWS\system32\ljjiffe.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Transcode360] D:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [VundoFix] "D:\Documents and Settings\Rob\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Obwc] "D:\WINDOWS\system32\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Fiwqrifx] D:\WINDOWS\system32\F?nts\w?auclt.exe
O4 - Global Startup: Extender Resource Monitor.lnk = D:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\Um9icyBDb21w\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5481 bytes

I now cannot boot up in anything but safe mode. Im preparing for a full wipe unless you have anymore decisions. Vundofix can't remove the last part of the trojan and the sap on resources by the virus is preventing me from even loading windows properly

Hello

Just hang in a bit if you can,you have a lot of bad stuff that Combofix will remove, I am not sure but I suspect that the variant of Vundo you have is a file infector , which means that it has infected some programs on your system, but we have had some luck removing this.

Try booting into Safemode with Network Support and download and run Combofix. Another option is to download it to another computer and copy it to disk and install it on this computer, you can run Combofix in Safemode if needed.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall


If your successful running Combofix, most of these may be gone.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {0B501843-3617-4A9A-8DD4-1405CB794264} - D:\WINDOWS\system32\pmnnl.dll (file missing)
O2 - BHO: (no name) - {B6F8AE42-1F80-3F5C-D25C-30E674F30CE6} - D:\WINDOWS\system32\fwadnsat.dll
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - D:\WINDOWS\system32\ljjiffe.dll
O4 - HKCU\..\Run: [Obwc] "D:\WINDOWS\system32\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Fiwqrifx] D:\WINDOWS\system32\F?nts\w?auclt.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\Um9icyBDb21w\command.exe


Its important that I see the Combofix log as it will show the programs with the infected files that we need to remove.

Ken

Right have just run combofix and HJT scan. Here are the logs. Am going to get HJT to fix as instructed after posting this

ComboFix 08-01-15.4 - Rob 2008-01-15 10:59:26.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.607 [GMT 0:00]
Running from: D:\Documents and Settings\Rob\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Rob\Local Settings\Temp\winvsnet .exe
D:\Program Files\Common Files\hokew4444.dll
D:\Program Files\Common Files\hokew83122.dll
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
D:\Program Files\outerinfo
D:\Program Files\QuickTime\QTTask .exe
D:\Program Files\QuickTime\QTTask .exe
D:\Program Files\QuickTime\QTTask .exe
D:\Program Files\QuickTime\QTTask .exe
D:\Program Files\QuickTime\QTTask .exe
D:\Program Files\QuickTime\QTTask .exe
D:\Program Files\Windows Media Player\lavuqab.dll
D:\Program Files\Windows Media Player\lavuqab454.dll
D:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
D:\WINDOWS\system32\atmtd.dll.tmp
D:\WINDOWS\system32\fnts~1
D:\WINDOWS\system32\fnts~1\F?nts\
D:\WINDOWS\system32\fnts~1\w?auclt.exe
D:\WINDOWS\system32\fwadnsat.dll
D:\WINDOWS\system32\hjkmp.ini
D:\WINDOWS\system32\hjkmp.ini2
D:\WINDOWS\system32\ljjiffe.dll
D:\WINDOWS\system32\pac.txt
D:\WINDOWS\system32\pmkjh.dll
D:\WINDOWS\system32\pmkjh.exe
D:\WINDOWS\system32\winticomsv32.exe
D:\WINDOWS\tk58.exe
D:\WINDOWS\Um9icyBDb21w\
D:\WINDOWS\Um9icyBDb21w\\asappsrv.dll
D:\WINDOWS\Um9icyBDb21w\\command.exe
D:\WINDOWS\Um9icyBDb21w\\oA62wV1GvZYT.vbs
D:\WINDOWS\Um9icyBDb21w\command.exe
D:\WINDOWS\UpdReg.EXE


<pre>
D:\Documents and Settings\Rob\Local Settings\Temp\winvsnet .exe ---> winvsnet.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect .exe ---> CTDetect.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe ---> CTSysVol.exe
D:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr .Exe ---> MsnMsgr.Exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI .exe ---> UpdaterUI.exe
D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher .exe ---> NSLauncher.exe
D:\WINDOWS\UpdReg .EXE ---> UpdReg.EXE
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 10:56 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-14 12:35 . 2008-01-14 18:48 <DIR> d-------- D:\VundoFix Backups
2008-01-14 11:02 . 2008-01-14 11:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Program Files\Avira
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 22:46 . 2008-01-14 13:34 90,112 --a------ D:\WINDOWS\UpdReg.EXE
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\pe2
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\ka8
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\gu5
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\edcA01
2008-01-13 03:42 . 2008-01-13 03:43 <DIR> d-------- D:\Program Files\SopCast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 11:04 --------- d-----w D:\Program Files\MSN Messenger
2008-01-15 11:04 --------- d-----w D:\Program Files\iTunes
2008-01-15 11:03 --------- d-----w D:\Program Files\QuickTime
2008-01-14 10:51 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 10:24 --------- d-----w D:\Program Files\Transcode360
2008-01-13 20:31 --------- d-----w D:\Documents and Settings\Rob\Application Data\LimeWire
2008-01-10 10:46 --------- d-----w D:\Program Files\DivX
2007-12-19 19:31 94,208 ----a-w D:\WINDOWS\DUMP4110.tmp
2007-12-13 02:11 94,208 ----a-w D:\WINDOWS\DUMP4a86.tmp
2007-12-12 14:29 --------- d-----w D:\Program Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Program Files\Common Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\Network Associates
2007-12-11 19:19 --------- d-----w D:\Program Files\iPod
2007-12-11 14:16 --------- d-----w D:\Program Files\SpeedFan
2007-11-05 13:08 356,352 ----a-w D:\WINDOWS\eSellerateEngine.dll
2007-10-31 20:33 94,208 ----a-w D:\WINDOWS\DUMP4074.tmp
2007-08-08 15:02 20,840 ----a-w D:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
.

<pre>
----a-w 45,056 2008-01-14 10:24:06 D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w 192,512 2008-01-14 10:24:11 D:\Program Files\Transcode360\Transcode360Tray .exe
----a-w 64,512 2008-01-14 13:34:51 D:\WINDOWS\ehome\ehtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B501843-3617-4A9A-8DD4-1405CB794264}]
D:\WINDOWS\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE01D50F-995A-4A62-83AF-DE08CB9DCFEE}]
D:\WINDOWS\system32\ddayx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-14 13:35 102400]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-14 21:55 5674352]
"Obwc"="D:\WINDOWS\system32\FNTS~1\msconfig.exe" [ ]
"Fiwqrifx"="D:\WINDOWS\system32\F?nts\w?auclt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="D:\WINDOWS\ehome\ehtray.exe" [ ]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"CTSysVol"="D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2008-01-14 13:34 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 D:\WINDOWS\system32\P17.dll]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2008-01-14 13:34 90112]
"Transcode360"="D:\Program Files\Transcode360\Transcode360Tray.exe" [ ]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-01-14 13:34 139320]
"NSLauncher"="D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2008-01-14 13:35 2658304]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-14 13:35 132496]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-01-14 13:35 267048]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - D:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NETGEAR WG111v2 Smart Wizard.lnk - D:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-09-06 03:12:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= D:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= D:\WINDOWS\Resources\Themes\Royale.theme

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;D:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-11-20 15:48]
S2 RMSvc;Media Center Extender Resource Monitor;D:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
S3 QWAVE;QWAVE service;D:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 19:11:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 11:05:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

.
Completion time: 2008-01-15 11:08:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 11:08:04







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:39 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\Um9icyBDb21w\command.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\ehome\RMSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\ehome\McrdSvc.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Transcode360\Transcode360Tray.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI .exe
D:\Program Files\Transcode360\Transcode360Tray .exe
D:\WINDOWS\system32\F?nts\w?auclt.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
D:\Program Files\iTunes\iTunesHelper .exe
D:\WINDOWS\ehome\RMSysTry.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Transcode360] D:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Obwc] "D:\WINDOWS\system32\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Fiwqrifx] D:\WINDOWS\system32\F?nts\w?auclt.exe
O4 - Global Startup: Extender Resource Monitor.lnk = D:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\Um9icyBDb21w\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6732 bytes

not all the files you list have appeared in the HJT scan so I didnt run the fix this command. Decided to wait and get the expert advice :cool:

I Am still in safe mode

Hello,

Your system is infected with the Vundo File Infector :sad:

Remove these with HJT.

O4 - HKCU\..\Run: [Obwc] "D:\WINDOWS\system32\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [Fiwqrifx] D:\WINDOWS\system32\F?nts\w?auclt.exe




Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::



File::
D:\WINDOWS\system32\ddayx.dll
D:\WINDOWS\system32\pmnnl.dll

Folder::
D:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B501843-3617-4A9A-8DD4-1405CB794264}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE01D50F-995A-4A62-83AF-DE08CB9DCFEE}]

RenV::
----a-w 45,056 2008-01-14 10:24:06 D:\Program Files\ATI Technologies\ATI.ACE\cli .exe
----a-w 192,512 2008-01-14 10:24:11 D:\Program Files\Transcode360\Transcode360Tray .exe
----a-w 64,512 2008-01-14 13:34:51 D:\WINDOWS\ehome\ehtray .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

It didn't ask for a reboot but everything else seemed to work.....

I'm guessing the vundo file infecter is worse than normal vundo?

ComboFix 08-01-15.4 - Rob 2008-01-15 12:57:04.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT 0:00]
Running from: D:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Rob\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
D:\WINDOWS\system32\ddayx.dll
D:\WINDOWS\system32\pmnnl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\VundoFix Backups
D:\VundoFix Backups\addmorefiles.txt
D:\VundoFix Backups\ddayx.dll.bad
D:\VundoFix Backups\ddayx.exe.bad
D:\VundoFix Backups\ehtray.exe.bad
D:\VundoFix Backups\khfcyxy.dll.bad
D:\VundoFix Backups\ljjiffe.dll.bad
D:\VundoFix Backups\lnnmp.ini.bad
D:\VundoFix Backups\lnnmp.ini2.bad
D:\VundoFix Backups\opnoppp.dll.bad
D:\VundoFix Backups\pmnnl.dll.bad
D:\VundoFix Backups\pmnnl.exe.bad
D:\VundoFix Backups\xyadd.ini.bad
D:\VundoFix Backups\xyadd.ini2.bad

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 10:56 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-14 11:02 . 2008-01-14 11:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Program Files\Avira
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 22:46 . 2008-01-14 13:34 90,112 --a------ D:\WINDOWS\UpdReg.EXE
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\pe2
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\ka8
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\gu5
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\edcA01
2008-01-13 03:42 . 2008-01-13 03:43 <DIR> d-------- D:\Program Files\SopCast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 12:57 --------- d-----w D:\Program Files\Transcode360
2008-01-15 11:04 --------- d-----w D:\Program Files\MSN Messenger
2008-01-15 11:04 --------- d-----w D:\Program Files\iTunes
2008-01-15 11:03 --------- d-----w D:\Program Files\QuickTime
2008-01-14 10:51 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:31 --------- d-----w D:\Documents and Settings\Rob\Application Data\LimeWire
2008-01-10 10:46 --------- d-----w D:\Program Files\DivX
2007-12-19 19:31 94,208 ----a-w D:\WINDOWS\DUMP4110.tmp
2007-12-13 02:11 94,208 ----a-w D:\WINDOWS\DUMP4a86.tmp
2007-12-12 14:29 --------- d-----w D:\Program Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Program Files\Common Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\Network Associates
2007-12-11 19:19 --------- d-----w D:\Program Files\iPod
2007-12-11 14:16 --------- d-----w D:\Program Files\SpeedFan
2007-11-29 22:30 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll
2007-11-05 13:08 356,352 ----a-w D:\WINDOWS\eSellerateEngine.dll
2007-10-31 20:33 94,208 ----a-w D:\WINDOWS\DUMP4074.tmp
2007-08-08 15:02 20,840 ----a-w D:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_11.07.51.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-14 13:34:51 64,512 ----a-w D:\WINDOWS\ehome\ehtray.exe
- 2008-01-15 10:58:37 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 12:57:00 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 10:58:37 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 12:57:00 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 10:58:37 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 12:57:00 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 10:58:37 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 12:57:00 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 10:58:37 4,247,552 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-15 12:57:00 4,247,552 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 10:58:37 249,856 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 12:57:00 249,856 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-14 13:35 102400]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-14 21:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="D:\WINDOWS\ehome\ehtray.exe" [2008-01-14 13:34 64512]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-14 10:24 45056]
"CTSysVol"="D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2008-01-14 13:34 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 D:\WINDOWS\system32\P17.dll]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2008-01-14 13:34 90112]
"Transcode360"="D:\Program Files\Transcode360\Transcode360Tray.exe" [2008-01-14 10:24 192512]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-01-14 13:34 139320]
"NSLauncher"="D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2008-01-14 13:35 2658304]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-14 13:35 132496]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-01-14 13:35 267048]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - D:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NETGEAR WG111v2 Smart Wizard.lnk - D:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-09-06 03:12:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= D:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= D:\WINDOWS\Resources\Themes\Royale.theme

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;D:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-11-20 15:48]
S2 RMSvc;Media Center Extender Resource Monitor;D:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
S3 QWAVE;QWAVE service;D:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 19:11:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 12:58:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 12:59:00
ComboFix-quarantined-files.txt 2008-01-15 12:58:46
ComboFix2.txt 2008-01-15 11:08:07










ComboFix 08-01-15.4 - Rob 2008-01-15 12:57:04.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT 0:00]
Running from: D:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Rob\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
D:\WINDOWS\system32\ddayx.dll
D:\WINDOWS\system32\pmnnl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\VundoFix Backups
D:\VundoFix Backups\addmorefiles.txt
D:\VundoFix Backups\ddayx.dll.bad
D:\VundoFix Backups\ddayx.exe.bad
D:\VundoFix Backups\ehtray.exe.bad
D:\VundoFix Backups\khfcyxy.dll.bad
D:\VundoFix Backups\ljjiffe.dll.bad
D:\VundoFix Backups\lnnmp.ini.bad
D:\VundoFix Backups\lnnmp.ini2.bad
D:\VundoFix Backups\opnoppp.dll.bad
D:\VundoFix Backups\pmnnl.dll.bad
D:\VundoFix Backups\pmnnl.exe.bad
D:\VundoFix Backups\xyadd.ini.bad
D:\VundoFix Backups\xyadd.ini2.bad

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 10:56 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-14 11:02 . 2008-01-14 11:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Program Files\Avira
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 22:46 . 2008-01-14 13:34 90,112 --a------ D:\WINDOWS\UpdReg.EXE
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\pe2
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\ka8
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\gu5
2008-01-13 22:39 . 2008-01-13 22:39 <DIR> d-------- D:\WINDOWS\system32\edcA01
2008-01-13 03:42 . 2008-01-13 03:43 <DIR> d-------- D:\Program Files\SopCast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 12:57 --------- d-----w D:\Program Files\Transcode360
2008-01-15 11:04 --------- d-----w D:\Program Files\MSN Messenger
2008-01-15 11:04 --------- d-----w D:\Program Files\iTunes
2008-01-15 11:03 --------- d-----w D:\Program Files\QuickTime
2008-01-14 10:51 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:31 --------- d-----w D:\Documents and Settings\Rob\Application Data\LimeWire
2008-01-10 10:46 --------- d-----w D:\Program Files\DivX
2007-12-19 19:31 94,208 ----a-w D:\WINDOWS\DUMP4110.tmp
2007-12-13 02:11 94,208 ----a-w D:\WINDOWS\DUMP4a86.tmp
2007-12-12 14:29 --------- d-----w D:\Program Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Program Files\Common Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\Network Associates
2007-12-11 19:19 --------- d-----w D:\Program Files\iPod
2007-12-11 14:16 --------- d-----w D:\Program Files\SpeedFan
2007-11-29 22:30 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll
2007-11-05 13:08 356,352 ----a-w D:\WINDOWS\eSellerateEngine.dll
2007-10-31 20:33 94,208 ----a-w D:\WINDOWS\DUMP4074.tmp
2007-08-08 15:02 20,840 ----a-w D:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_11.07.51.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-14 13:34:51 64,512 ----a-w D:\WINDOWS\ehome\ehtray.exe
- 2008-01-15 10:58:37 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 12:57:00 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 10:58:37 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 12:57:00 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 10:58:37 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 12:57:00 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 10:58:37 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 12:57:00 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 10:58:37 4,247,552 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-15 12:57:00 4,247,552 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 10:58:37 249,856 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 12:57:00 249,856 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-14 13:35 102400]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-14 21:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="D:\WINDOWS\ehome\ehtray.exe" [2008-01-14 13:34 64512]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-14 10:24 45056]
"CTSysVol"="D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2008-01-14 13:34 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 D:\WINDOWS\system32\P17.dll]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2008-01-14 13:34 90112]
"Transcode360"="D:\Program Files\Transcode360\Transcode360Tray.exe" [2008-01-14 10:24 192512]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-01-14 13:34 139320]
"NSLauncher"="D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2008-01-14 13:35 2658304]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-14 13:35 132496]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-01-14 13:35 267048]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - D:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NETGEAR WG111v2 Smart Wizard.lnk - D:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-09-06 03:12:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= D:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= D:\WINDOWS\Resources\Themes\Royale.theme

R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;D:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-11-20 15:48]
S2 RMSvc;Media Center Extender Resource Monitor;D:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
S3 QWAVE;QWAVE service;D:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 19:11:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 12:58:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 12:59:00
ComboFix-quarantined-files.txt 2008-01-15 12:58:46
ComboFix2.txt 2008-01-15 11:08:07

Hello,

The Vundo File infecter is a bit worse but it looks like Combofix removed it. You posted Combofix twice and no HJT log, I need to see that log

Ken

oopss sorry, heres the local HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:57 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Transcode360] D:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Extender Resource Monitor.lnk = D:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4637 bytes

Remove this entry with HJT as its still looks infected.

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask .exe" -atboottime

FYI...can you see the difference??
D:\Program Files\QuickTime\QTTask .exe <--Infected File
D:\Program Files\QuickTime\QTTask.exe <-- Legit

Go to your Add Remove Programs in the Control Panel and uninstall QuickTime After your clean you can redownload and install it if you wish.

D:\Program Files\QuickTime<-- Delete this entire folder.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up



Reboot and see if you can get into Normal Windows, if you can , post a HJT log as the one from Safemode does not show everything.

Right heres the latest HJT log from normal mode
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:36 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Transcode360\Transcode360Tray.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\ehome\RMSysTry.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\ehome\RMSvc.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Transcode360] D:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Extender Resource Monitor.lnk = D:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6224 bytes


While i was waiting i ran kaspersky and it found a lot of viruses. I'm going to run it again while I wait for your next reply

esday, January 15, 2008 7:38:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/01/2008
Kaspersky Anti-Virus database records: 512262
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 49019
Number of viruses found 13
Number of infected objects 267
Number of suspicious objects 0
Duration of the scan process 00:55:17

Infected Object Name Virus Name Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
D:\Program Files\QuickTime\QTTask.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\Program Files\Windows Media Player\profsyfsyrt.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
D:\QooBox\Quarantine\D\Documents and Settings\Rob\Local Settings\Temp\winvsnet .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Common Files\hokew4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
D:\QooBox\Quarantine\D\Program Files\Common Files\hokew83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
D:\QooBox\Quarantine\D\Program Files\Creative\MediaSource\Detector\CTDetect.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\iTunes\iTunesHelper.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Java\jre1.6.0_03\bin\jusched.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\MSN Messenger\MsnMsgr.Exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Network Associates\Common Framework\UpdaterUI.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\VundoFix Backups\ddayx.exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\VundoFix Backups\ehtray.exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\FNTS~1\wυauclt.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\fwadnsat.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\pmkjh.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\WINDOWS\Um9icyBDb21w\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
D:\QooBox\Quarantine\D\WINDOWS\UpdReg.EXE.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000003.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000009.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000010.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000011.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000014.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000017.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000018.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000019.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000020.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000021.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000022.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000024.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000030.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000031.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000032.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000036.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000037.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000040.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000041.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0000044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001036.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0001046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002036.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0002046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0003046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0004046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped

D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0005046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0006046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0007046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0008045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0009045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0010045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011038.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011041.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0011046.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012036.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012037.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012038.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012039.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012040.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012041.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012042.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012043.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012044.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0012045.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013054.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013055.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013056.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013057.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013058.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013059.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013060.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0013061.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016067.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016068.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016069.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016070.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016071.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016072.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016073.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016074.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016081.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016082.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016083.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016084.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016085.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016086.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016087.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016088.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016089.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016096.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016097.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016098.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016099.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016100.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016101.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016102.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016103.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0016104.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017096.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017097.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017098.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017099.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017100.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017101.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017102.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017103.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0017104.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018096.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018097.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018098.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018099.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018100.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018101.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018102.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018103.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018104.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018113.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018114.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018115.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018116.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018117.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018118.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018119.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018120.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0018121.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019113.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019114.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019115.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019116.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019117.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019118.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019119.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019120.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0019121.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020113.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020114.Exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020115.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020116.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020117.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020118.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020119.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020120.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020121.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020123.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020124.dll Infected: Trojan.Win32.BHO.ab skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020125.dll Infected: Trojan.Win32.BHO.ab skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020126.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020127.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020128.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020129.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020130.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020131.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020132.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020133.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020134.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020135.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020136.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020137.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020139.exe Infected: Trojan.Win32.BHO.ab skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020283.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020284.exe Infected: Trojan-Downloader.Win32.Small.hqc skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\A0020285.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP2\change.log Object is locked skipped
D:\WINDOWS\CSC\00000001 Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\ehome\ehtray.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\ka8\tycodllz83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
D:\WINDOWS\system32\ka8\tycodllz83122.exe NSIS: infected - 1 skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

Hey,

It looks like you where able to boot normally :bigthumb: Your log is looking good, what Kaspersky has found is a ton of entries in your System Restore Program . Lets do a few more things.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

===============================

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::



File::
D:\WINDOWS\ehome\ehtray.exe.tmp
D:\WINDOWS\system32\ka8\tycodllz83122.exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


================================

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Catagory View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it


===============================


Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.


Let me see the New Combofix log, the SAS log and a new HJT log.

Hang in, where almost done

Just want to say thanks so far. Ok did all that....... Heres the logs




ComboFix 08-01-15.4 - Rob 2008-01-16 11:13:33.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.477 [GMT 0:00]
Running from: D:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Rob\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
D:\WINDOWS\ehome\ehtray.exe.tmp
D:\WINDOWS\system32\ka8\tycodllz83122.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\ehome\ehtray.exe.tmp
D:\WINDOWS\system32\ka8\tycodllz83122.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 18:01 . 2008-01-15 18:01 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-01-15 18:01 . 2008-01-15 18:01 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 17:00 . 2008-01-15 17:00 <DIR> d-------- D:\VundoFix Backups
2008-01-15 10:56 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-14 11:02 . 2008-01-14 11:02 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Program Files\Avira
2008-01-14 10:46 . 2008-01-14 10:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 22:46 . 2008-01-14 13:34 90,112 --a------ D:\WINDOWS\UpdReg.EXE
2008-01-13 22:39 . 2008-01-15 16:58 <DIR> d-------- D:\WINDOWS\system32\pe2
2008-01-13 22:39 . 2008-01-16 11:16 <DIR> d-------- D:\WINDOWS\system32\ka8
2008-01-13 22:39 . 2008-01-15 16:58 <DIR> d-------- D:\WINDOWS\system32\gu5
2008-01-13 22:39 . 2008-01-15 16:58 <DIR> d-------- D:\WINDOWS\system32\edcA01
2008-01-13 03:42 . 2008-01-13 03:43 <DIR> d-------- D:\Program Files\SopCast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 10:53 --------- d-----w D:\Program Files\Transcode360
2008-01-15 11:04 --------- d-----w D:\Program Files\MSN Messenger
2008-01-15 11:04 --------- d-----w D:\Program Files\iTunes
2008-01-14 10:51 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:31 --------- d-----w D:\Documents and Settings\Rob\Application Data\LimeWire
2008-01-10 10:46 --------- d-----w D:\Program Files\DivX
2007-12-19 19:31 94,208 ----a-w D:\WINDOWS\DUMP4110.tmp
2007-12-13 02:11 94,208 ----a-w D:\WINDOWS\DUMP4a86.tmp
2007-12-12 14:29 --------- d-----w D:\Program Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Program Files\Common Files\Network Associates
2007-12-12 14:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\Network Associates
2007-12-11 19:19 --------- d-----w D:\Program Files\iPod
2007-12-11 14:16 --------- d-----w D:\Program Files\SpeedFan
2007-11-29 22:30 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll
2007-11-05 13:08 356,352 ----a-w D:\WINDOWS\eSellerateEngine.dll
2007-10-31 20:33 94,208 ----a-w D:\WINDOWS\DUMP4074.tmp
2007-08-08 15:02 20,840 ----a-w D:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_11.07.51.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-14 13:34:51 64,512 ----a-w D:\WINDOWS\ehome\ehtray.exe
- 2008-01-15 10:58:37 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 11:13:11 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 10:58:37 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 11:13:11 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 10:58:37 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 11:13:11 233,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 10:58:37 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 11:13:12 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 10:58:37 4,247,552 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-16 11:13:12 4,329,472 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-15 10:58:37 249,856 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 11:13:12 249,856 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2005-05-24 12:27:16 213,048 ----a-w D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-01-16 10:53:14 16,384 ----atw D:\WINDOWS\TEMP\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-14 13:35 102400]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-01-14 21:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="D:\WINDOWS\ehome\ehtray.exe" [2008-01-14 13:34 64512]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-14 10:24 45056]
"CTSysVol"="D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2008-01-14 13:34 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 D:\WINDOWS\system32\P17.dll]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2008-01-14 13:34 90112]
"Transcode360"="D:\Program Files\Transcode360\Transcode360Tray.exe" [2008-01-14 10:24 192512]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-01-14 13:34 139320]
"NSLauncher"="D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2008-01-14 13:35 2658304]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-14 13:35 132496]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2008-01-14 13:35 267048]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-15 21:22 249896]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - D:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
NETGEAR WG111v2 Smart Wizard.lnk - D:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-09-06 03:12:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= D:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= D:\WINDOWS\Resources\Themes\Royale.theme

R2 RMSvc;Media Center Extender Resource Monitor;D:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;D:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-11-20 15:48]
S3 QWAVE;QWAVE service;D:\WINDOWS\system32\svchost.exe [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 19:11:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 11:16:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 11:17:05
ComboFix-quarantined-files.txt 2008-01-16 11:16:49
ComboFix2.txt 2008-01-15 23:33:30
ComboFix3.txt 2008-01-15 19:50:31
ComboFix4.txt 2008-01-15 12:59:01
ComboFix5.txt 2008-01-15 11:08:07



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2008 at 12:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3380
Trace Rules Database Version: 1374

Scan type : Complete Scan
Total Scan Time : 00:27:55

Memory items scanned : 553
Memory threats detected : 0
Registry items scanned : 5443
Registry threats detected : 0
File items scanned : 28806
File threats detected : 14

Adware.Tracking Cookie
D:\Documents and Settings\Rob\Cookies\rob@doubleclick[1].txt
D:\Documents and Settings\Rob\Cookies\rob@atdmt[2].txt
D:\Documents and Settings\Rob\Cookies\rob@serving-sys[1].txt
D:\Documents and Settings\Rob\Cookies\rob@bs.serving-sys[2].txt

Unclassified.Unknown Origin
D:\QOOBOX\QUARANTINE\D\PROGRAM FILES\COMMON FILES\HOKEW4444.DLL.VIR
D:\QOOBOX\QUARANTINE\D\PROGRAM FILES\COMMON FILES\HOKEW83122.DLL.VIR

Trojan.Vundo/Variant-Installer
D:\QOOBOX\QUARANTINE\D\VUNDOFIX BACKUPS\DDAYX.EXE.BAD.VIR

Malware.LocusSoftware Inc-Installer
D:\QOOBOX\QUARANTINE\D\WINDOWS\DOWNLOADED PROGRAM FILES\UGA6P_0001_N122M2210NETINSTALLER.EXE.VIR

Adware.ClickSpring
D:\QooBox\Quarantine\D\WINDOWS\system32\FNTS~1\WAUCLT~1.VIR
D:\QOOBOX\QUARANTINE\D\WINDOWS\SYSTEM32\FWADNSAT.DLL.VIR

Trojan.Unknown Origin
D:\QOOBOX\QUARANTINE\D\WINDOWS\SYSTEM32\KA8\TYCODLLZ83122.EXE.VIR
D:\QOOBOX\QUARANTINE\D\WINDOWS\SYSTEM32\WINTICOMSV32.EXE.VIR
D:\QOOBOX\QUARANTINE\D\WINDOWS\UM9ICYBDB21W\OA62WV1GVZYT.VBS.VIR

Adware.Adservs
D:\QOOBOX\QUARANTINE\D\WINDOWS\UM9ICYBDB21W\ASAPPSRV.DLL.VIR



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:00 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\WINDOWS\ehome\ehtray.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Transcode360\Transcode360Tray.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\ehome\RMSysTry.exe
D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\ehome\RMSvc.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Transcode360] D:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Extender Resource Monitor.lnk = D:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = D:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6359 bytes

Hi thought I would do another Kaperski scan while I waited. It found a vastly reduced number of infections.....

KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 16, 2008 3:41:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/01/2008
Kaspersky Anti-Virus database records: 512843
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 48038
Number of viruses found 2
Number of infected objects 18
Number of suspicious objects 0
Duration of the scan process 00:55:36

Infected Object Name Virus Name Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\ApplicationHistory\cli.exe.2643172.ini.inuse Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\ApplicationHistory\Transcode360Tray.exe.762e664f.ini.inuse Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\History\History.IE5\MSHist012008011620080117\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temp\Perflib_Perfdata_2f4.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temp\Perflib_Perfdata_490.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temp\Perflib_Perfdata_4cc.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Transcode360\Transcode360_080116_1435_49000.log Object is locked skipped
D:\Program Files\Windows Media Player\profsyfsyrt.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
D:\QooBox\Quarantine\D\Documents and Settings\Rob\Local Settings\Temp\winvsnet .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Creative\MediaSource\Detector\CTDetect.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\iTunes\iTunesHelper.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Java\jre1.6.0_03\bin\jusched.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\MSN Messenger\MsnMsgr.Exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Network Associates\Common Framework\UpdaterUI.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\Program Files\QuickTime\QTTask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\VundoFix Backups\ehtray.exe.bad.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\WINDOWS\ehome\ehtray.exe.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\QooBox\Quarantine\D\WINDOWS\UpdReg.EXE.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP3\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5848CA33-2351-4C51-86CF-38C31F1EE68F}.crmlog Object is locked skipped
D:\WINDOWS\RTacDbg.txt Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\TEMP\Perflib_Perfdata_254.dat Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase

Log looks good :bigthumb:

D:\QooBox <-- delete this folder, all it is is the backups of what Combofix removed.

After you remove it, run another scan with Kaspersky, post the log and let me know how your system is running now??

Latest report, only one infection found althugh the systems seems a little sluggish



KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 16, 2008 8:29:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/01/2008
Kaspersky Anti-Virus database records: 513165
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 48248
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:57:04

Infected Object Name Virus Name Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP6\change.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\ApplicationHistory\cli.exe.2643172.ini.inuse Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\ApplicationHistory\Transcode360Tray.exe.762e664f.ini.inuse Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\History\History.IE5\MSHist012008011620080117\index.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temp\Perflib_Perfdata_1e8.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temp\Perflib_Perfdata_1f0.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temp\Perflib_Perfdata_450.dat Object is locked skipped
D:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Transcode360\Transcode360_080116_1731_20203.log Object is locked skipped
D:\Program Files\Windows Media Player\profsyfsyrt.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5946BD48-99B5-48AA-9A63-444D015B629C}\RP6\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7FC356AC-28E5-48CF-8CBD-B4FA195D1FDE}.crmlog Object is locked skipped
D:\WINDOWS\RTacDbg.txt Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\TEMP\Perflib_Perfdata_43c.dat Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

Hi,

D:\Program Files\Windows Media Player\profsyfsyrt.html <--You can delete this file

Your system has come through quite a bit, it was very seriously infected , you may have to run it for a few days to give it time to catch its breath. All SAS found and removed where backups and bad entries in your system restore, it did not remove any files that were critical for running your computer. You can try reading some of these tips that may help you .


It's Not Always Malware

Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)

Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)

Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)




How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken

Thank you very much for all your help, My system will be far more secure from now on:euro:

Your very welcome,

Stay well,
Ken