Possible Malware Infection. Please Help. Thanks.



KodieWithAK
2008-02-03, 08:44
I'm not exactly sure what's wrong with my girlfriend's laptop, but I'm pretty sure it's malware.


HJT LOG:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:39:40 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {0d8a7520-c74f-8739-c214-ddea3bd1e964} - {469e1db3-aedd-412c-9378-f47c0257a8d0} - C:\WINDOWS\system32\ilofawsq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69BCD761-CA18-4D0F-9A4F-3FD016F9AB08} - C:\WINDOWS\system32\nnlij.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [f8baffe1] rundll32.exe "C:\WINDOWS\system32\xxgocmte.dll",b
O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166074268879
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10330 bytes
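The entries worth a second look in the HJT log above are the ones that combine several weak signals: the O4 Run value with a random hex name that has rundll32.exe load a DLL straight out of system32 (xxgocmte.dll), the two O2 BHOs whose DLLs also sit in the system32 root and have either no display name or a GUID as their name (ilofawsq.dll, and the orphaned nnlij.dll), the non-default O20 Winlogon Notify package, and the R0 start page pointing at daemon-search.com. The script below is an added triage example written for this thread; it is not part of the original post and is not code from HijackThis, Kaspersky or Spybot. The sample lines are copied from the logs posted here; the rule names, the regular expressions and the scoring are assumptions chosen for illustration. It produces a ranked review list rather than a verdict, because a legitimate vendor entry (an NVIDIA rundll32 Run entry, a Lenovo Winlogon Notify package) can score too, which is why each hit carries its reasons:

```python
"""Triage a HijackThis log and a Kaspersky Online Scanner report (added example).

Not part of the original post and not code from HijackThis, Kaspersky or Spybot.
Sample lines are copied from the logs in this thread; the rules, thresholds and
regular expressions are assumptions chosen for illustration.
"""
import re

# "O4 - HKLM\..\Run: [name] command", "O2 - BHO: name - {CLSID} - path", "R0 - ..."
HJT_LINE = re.compile(r"^(?P<sec>O\d+|R[01])\s+-\s+(?P<body>.*)$")
RUN_ENTRY = re.compile(r"\[(?P<key>[^\]]*)\]\s+(?P<cmd>.*)$")
BHO_ENTRY = re.compile(r"BHO:\s+(?P<name>.*?)\s+-\s+\{[0-9A-Fa-f-]{36}\}\s+-\s+(?P<path>.*)$")
SYS32_ROOT_DLL = re.compile(r'[A-Za-z]:\\WINDOWS\\system32\\[^\\"]+\.dll', re.I)
GUID_LIKE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
HEX_KEY = re.compile(r"^[0-9a-f]{8}$", re.I)      # assumption: e.g. the [f8baffe1] value name
MS_HOME = "go.microsoft.com"                      # IE default start/search host
KAV_HIT = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")

# Constructed sample: lines copied from the HJT log posted above.
HJT_SAMPLE = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage",
    r"O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll",
    r"O2 - BHO: {0d8a7520-c74f-8739-c214-ddea3bd1e964} - {469e1db3-aedd-412c-9378-f47c0257a8d0} - C:\WINDOWS\system32\ilofawsq.dll",
    r"O2 - BHO: (no name) - {69BCD761-CA18-4D0F-9A4F-3FD016F9AB08} - C:\WINDOWS\system32\nnlij.dll (file missing)",
    r"O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe",
    r'O4 - HKLM\..\Run: [f8baffe1] rundll32.exe "C:\WINDOWS\system32\xxgocmte.dll",b',
    r"O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)",
]
# Constructed sample: lines copied from the Kaspersky log posted above.
KAV_SAMPLE = [
    r"C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\cert8.db Object is locked skipped",
    r"C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped",
    r"C:\WINDOWS\system32\L3886.tmp/data0002 Infected: Trojan.Win32.Scapur.k skipped",
    r"C:\WINDOWS\system32\L4FAF.tmp Infected: Trojan-Downloader.Win32.Small.hwg skipped",
    r"C:\WINDOWS\Temp\ONE39.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.a skipped",
]


def triage_hjt(lines):
    """Return HJT entries that trip at least one rule, highest score first."""
    findings = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, body, reasons = m.group("sec"), m.group("body"), []
        if sec == "O4":
            e = RUN_ENTRY.search(body)
            if e:
                key, cmd = e.group("key"), e.group("cmd")
                if HEX_KEY.match(key):
                    reasons.append("Run value name is 8 random-looking hex characters")
                if cmd.lower().lstrip('"').startswith("rundll32") and SYS32_ROOT_DLL.search(cmd):
                    reasons.append("rundll32 loads a DLL from the system32 root via a Run key")
        elif sec == "O2":
            e = BHO_ENTRY.search(body)
            if e:
                name, path = e.group("name"), e.group("path")
                if SYS32_ROOT_DLL.search(path):
                    reasons.append("BHO DLL sits in the system32 root, not a vendor directory")
                if "(file missing)" in path:
                    reasons.append("registration is orphaned: DLL no longer on disk")
                if reasons and (name == "(no name)" or GUID_LIKE.match(name)):
                    reasons.append("BHO has no display name or a GUID as its name")
        elif sec == "O20" and "Winlogon Notify" in body:
            reasons.append("non-default Winlogon Notify package (loads into winlogon.exe as SYSTEM)")
            if "(file missing)" in body:
                reasons.append("Notify DLL missing from disk (orphan, or hidden from the scanner)")
        elif sec in ("R0", "R1"):
            if re.search(r"(Start Page|Search Page|Default_Search_URL)\s*=", body) and MS_HOME not in body:
                reasons.append("IE start/search page changed from the Microsoft default")
        if reasons:
            findings.append({"line": line.strip(), "score": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def summarize_kaspersky(lines):
    """Split 'Infected:' hits into real malware vs. not-a-virus adware/PUA; skip locked objects."""
    out = {"malware": [], "pua": []}
    for line in lines:
        m = KAV_HIT.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        out["pua" if name.startswith("not-a-virus:") else "malware"].append((m.group("obj"), name))
    return out


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f['score']}] {f['line']}")
        for r in f["reasons"]:
            print("      -", r)
    for bucket, hits in summarize_kaspersky(KAV_SAMPLE).items():
        print(bucket, [n for _, n in hits])
```

Run it against the full log instead of the sample by reading the saved HJT and Kaspersky files into the two lists; the Symantec "(no name)" BHO and the ThinkPad Run entries score nothing, the orphaned nnlij.dll BHO scores highest, and the two Trojan detections in system32 .tmp files are separated from the OneStep/MyWebSearch adware that Kaspersky labels not-a-virus.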

KodieWithAK
2008-02-03, 08:45
KASPERSKY LOG:

Sunday, February 03, 2008 12:38:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/02/2008
Kaspersky Anti-Virus database records: 546202
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 58808
Number of viruses found 6
Number of infected objects 17
Number of suspicious objects 0
Duration of the scan process 01:25:43

Infected Object Name Virus Name Last Action
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\cert8.db Object is locked skipped
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\history.dat Object is locked skipped
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\key3.db Object is locked skipped
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\parent.lock Object is locked skipped
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\search.sqlite Object is locked skipped
C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\jn5jfhc2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12142006-011109.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\DEA6C860.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YBWKLH79\upgrade[1].cab/upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YBWKLH79\upgrade[1].cab/upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YBWKLH79\upgrade[1].cab/upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YBWKLH79\upgrade[1].cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YBWKLH79\upgrade[1].cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YBWKLH79\upgrade[1].cab CAB: infected - 5 skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B27D65D3-D9D3-4072-A441-299DB1CF71D9}\RP481\A0089372.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{B27D65D3-D9D3-4072-A441-299DB1CF71D9}\RP481\A0089372.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B27D65D3-D9D3-4072-A441-299DB1CF71D9}\RP492\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{91668C6B-4189-40FA-AEFC-97400B32A4CD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\L3886.tmp/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\system32\L3886.tmp NSIS: infected - 1 skipped
C:\WINDOWS\system32\L4FAF.tmp Infected: Trojan-Downloader.Win32.Small.hwg skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ONE39.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\WINDOWS\Temp\ONE39.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE39.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE39.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\WINDOWS\Temp\ONE39.tmp\upgrade.exe NSIS: infected - 4 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

KodieWithAK
2008-02-03, 08:49
SPYBOT LOG:


--- Search result list ---
Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1409082233-507921405-839522115-1003\Software\Microsoft\aldd

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $E7142B62] Settings (Registry value, fixing failed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\SYSTEM32\GEBYAYX.DLL...

Virtumonde.generic: [SBI $FFB000DB] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GEBYAYX

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $050FD60A] Library (File, fixed)
C:\WINDOWS\system32\nnlij.dll

CasaleMedia: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


ValueClick: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


DoubleClick: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


ReliableStats: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


BlueStreak: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


MediaPlex: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


Tradedoubler: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


BurstMedia: [SBI $61F39AC8] Tracking cookie (Internet Explorer: admin) (Cookie, fixed)


DoubleClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


BFast: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


WebTrends live: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-02-02 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-01-30 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-01-30 Includes\DialerC.sbi (*)
2008-01-30 Includes\HeavyDuty.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2008-01-30 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2008-01-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-01-16 Includes\Malware.sbi (*)
2008-01-30 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-01-30 Includes\PUPSC.sbi (*)
2008-01-30 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-01-30 Includes\SecurityC.sbi (*)
2008-01-23 Includes\Spybots.sbi (*)
2008-01-30 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-01-16 Includes\Trojans.sbi (*)
2008-01-30 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll