Probably amvo.exe infection [Archive] - Safer-Networking Forums

View Full Version : Probably amvo.exe infection

Artificial

2008-03-14, 16:56

Ok, my computer seemed to be fine before I took my USB and went to my university to copy some classes that I needed.
I've put it in several laptops and computers.
When I came back home and put my USB on my computer to copy the files, the first thing I noticed is that my Sygate firewall "died".. Then I uninstall it.
The next weird thing that I noticed is when I go to My computer and click on C: it was always opened in another window even though I have the option checked "Open in same window".
The next weird thing was hidden files and folders.. even if I have checked "show hidden files" it still didnt showed them.
I ran Spybot completely updated.. and it fixed some spyware problems i seem to get every week(not serious thing).
I also ran AVG free fully updated it didn't find any virus..
Oh and I also ran the CCleaner.. found problems and fixed I guess.
Anyhow, then I discovered what happened...
Run, msconfig, start up and I found "amvo.exe" which was utterly weird..
I searched the net for that and saw almost all of the guys infected were because of USB..
Before I finish this long intro(sorry!) I must say I tried some of the fixes for "show hidden files and folders" to change the registry etc. but no matter how many times I've changed, it always went back to 0 or 2.

"Method 1:

Go to registry editor by running regedit in the run box.
Go to this key:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced

In the right hand area, double click hidden and change the value to 1.

Now you’re all set to go. Check it in your tools menu if the changes have taken effect."

I AM DEEPLY SORRY FOR THIS LONG INTRO, BUT I THOUGHT YOU MAY WANT TO KNOW THAT

Now the Hijackthislog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:50, on 14.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C194CC32-C591-4CD9-A181-48506D261CBE}: NameServer = 217.16.68.140,217.16.69.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C71C8812-68BC-4D70-A9CD-AD72F50C0D10}: NameServer = 217.16.69.1 217.16.69.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

--
End of file - 6153 bytes

And the kaspersky online scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 14, 2008 3:30:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/03/2008
Kaspersky Anti-Virus database records: 629539
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 72154
Number of viruses found: 5
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 01:23:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\cert8.db Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\history.dat Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\key3.db Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\parent.lock Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\search.sqlite Object is locked skipped
C:\Documents and Settings\zivko\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\zivko\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream/data0249 Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe NSIS: infected - 2 skipped
C:\Documents and Settings\zivko\Desktop\programista\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe NSIS: infected - 4 skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Mozilla\Firefox\Profiles\mk1r1fu2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\38J8IR57\help[1].exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\zivko\ntuser.dat Object is locked skipped
C:\Documents and Settings\zivko\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\sccfg.sys Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025801.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025803.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025842.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025856.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025857.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025899.exe Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025900.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025901.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025912.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025913.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\change.log Object is locked skipped
C:\v.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\amvo.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\WINDOWS\system32\amvo0.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\WINDOWS\system32\amvo1.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\yo2mq6.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025805.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025844.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025859.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025889.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025892.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025903.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025915.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\change.log Object is locked skipped
D:\v.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\yo2mq6.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped

Scan process completed.

steamwiz

2008-03-16, 01:30

Hi

These look like your infectors ...

D:\v.cmd
D:\yo2mq6.exe

C:\v.cmd
C:\yo2mq6.exe

Which created these ..

C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll

Is D:\ your USB ?

Don't delete any yet, you probably wont be able to anyway ... run this first :-

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

Artificial

2008-03-16, 13:28

Hello, thanks for your reply. My D:\ is not my USB
I have 40 gb HD, 20gb on C:\ and 20gb on D:\
Inpatient guy as I am, I tried to remove it myself. The virus infected other friends who used their USB's on the computers in university. Because I'm not really good with registry, I was afraid to try something I found in a blog on my computer, therefore I tried to remove it on one computer in university.
Tbh I'm 90% sure I removed it.
Then I tried to remove it on my computer too and I think I succeeded as well.
This is what I did (found on a blog)

* First I have checked in task manager, I didn't find any suspicious processes.
* Next I opened MSConfig (Go to run, and type msconfig). I have found one process withe the name amvo.exe under the startup tab. It is located in Windows\System32 folder.
* I unchecked the process, and closed the msconfig window.
* Next I open Registry Editor (go to run, and type regedit). I have searched for "amvo.exe" and found one entry. I have deleted the whole key.
* Next I have tried to set the option to "show hidden files" (Go to Tools> View in windows explorer), as virus file is hidden. But it is not allowing me. As soon as I set it to show hidden files and clicked on ok, it is changing back to "Don't show hidden files".
* Then I have used Bullet Proof FTP software to browse the local disk, because it shows all files even hidden files. (I have already installed FTP software in my system. You can get free trial version from the website.)
* Then I have browsed to Windows\System32 folder, and deleted amvo.exe, amvo0.dll, amvo1.dll.
* This virus put an Autorun.inf file, and .cmd file at every drive's root. I have removed all those.

Sorry but I was inpatient.. So now I didn't try combofix.
I will post new hijack log and kaspersky

Also I forgot to mention back then when I had the virus and when I scanned with AVG and it found this:
c:\windows\system32\drivers\etc\hosts
result/infection: changed
what's that?

Next question from me is: Can a virus be implemented in a video file although the video looks fine?
In a picture?

new Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:36, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C194CC32-C591-4CD9-A181-48506D261CBE}: NameServer = 217.16.68.140,217.16.69.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C71C8812-68BC-4D70-A9CD-AD72F50C0D10}: NameServer = 217.16.69.1 217.16.69.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5704 bytes

New kaspersky log in next post

Artificial

2008-03-16, 13:30

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 12:11:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 633068
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 72937
Number of viruses found: 7
Number of infected objects: 68
Number of suspicious objects: 0
Duration of the scan process: 01:36:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\zivko\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream/data0249 Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.zr skipped
C:\Documents and Settings\zivko\Desktop\programista\eMule0.48a-Installer.exe NSIS: infected - 2 skipped
C:\Documents and Settings\zivko\Desktop\programista\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Desktop\programista\mirc631.exe NSIS: infected - 4 skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\History\History.IE5\MSHist012008031620080317\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Temp\f.dll Infected: Trojan-PSW.Win32.OnLineGames.ulc skipped
C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\zivko\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\zivko\Local Settings\Temporary Internet Files\Content.IE5\K3OZYRR6\help[1].exe Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\Documents and Settings\zivko\ntuser.dat Object is locked skipped
C:\Documents and Settings\zivko\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025801.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025803.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025842.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025856.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025857.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025899.exe Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025900.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025901.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025912.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025913.exe Object is locked skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025920.exe Object is locked skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025921.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025930.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025931.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025939.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025940.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025941.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025955.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025956.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025964.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026082.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026083.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026091.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026092.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026214.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026215.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026216.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026225.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026226.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026227.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026241.exe Object is locked skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026242.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026243.exe Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026244.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026250.dll Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
C:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP132\A0025805.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025844.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025859.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025889.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025892.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025903.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025915.exe Object is locked skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025932.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025933.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025942.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP133\A0025943.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025957.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP134\A0025958.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026084.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP135\A0026085.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026093.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026094.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026217.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026218.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026228.com Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026229.inf Infected: Trojan-PSW.Win32.OnLineGames.uhv skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026239.exe Object is locked skipped
D:\System Volume Information\_restore{5EC1C667-83A1-4753-8AC5-F091891DFF79}\RP136\A0026240.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped

Scan process completed.

steamwiz

2008-03-16, 20:06

You dabbled ...

Combofix would have removed all the Autorun.inf files & the files in system32 ...

Next I open Registry Editor (go to run, and type regedit). I have searched for "amvo.exe" and found one entry. I have deleted the whole key.

So what did you remove from the registry ? the run key ? ... your flash drive will have the infection on it still, this mapped drive will listed in the Mountpoints2 key in the registry, which runs the infected files etc,

I still want you to run Combofix & make sure the flashdrive is inserted when you do.

The Combofix log will tell me a lot more than you have as to how much of the infection you still have...

The Hosts file can be used legitimately to speed up access to sites, it can also be used by malware to redirect or block sites, if you had redirects then hijackthis would tell us, as it doesn't, then possibly some sites have been blocked.

Open the file in notepad and post the contents here ...

Next question from me is: Can a virus be implemented in a video file although the video looks fine?
In a picture?

A virus/malware can add extra code to any file ... video, picture, song, music, anything, so that when you run/view the file, the virus/malware is executed as well.

steam

Artificial

2008-03-17, 10:05

I'm pretty sure I removed all autorun.inf files and all the files in system32 that were infected.
Oh and sorry I forgot to mention that I cleaned the USB too
it had autorun.inf and 1 more i think it was v.cmd or something.

Anyhow, I'm afraid to use the combofix because I think I will mess up something... and I need the computer for the following week because I have exams.
Can we delay this to Friday? I will run combofix on Friday and post results here.

About the hosts file
here it is
[edit] lol sorry can't do that
"(228210 characters)"
It has this

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com

om
127.0.0.1 amediasource.com
127.0.0.1 www.amediasource.com
127.0.0.1 americanautobargains.com
127.0.0.1 www.americanautobargains.com
127.0.0.1 americancarbargains.com
127.0.0.1 www.americancarbargains.com
127.0.0.1 american-teens.net
127.0.0.1 amigeek.com
127.0.0.1 amigobore.com
127.0.0.1 www.amigobore.com
127.0.0.1 amisbusiness.com
127.0.0.1 ampmsearch.com
127.0.0.1 www.ampmsearch.com
127.0.0.1 analcord.com
127.0.0.1 www.analcord.com
127.0.0.1 analmovi.com
127.0.0.1 anarchylolita.com
127.0.0.1 www.anarchylolita.com
127.0.0.1 anarchyporn.com
127.0.0.1 andromedical.com
127.0.0.1 www.andromedical.com
127.0.0.1 animepornmag.com
127.0.0.1 www.animepornmag.com
127.0.0.1 anin.org
127.0.0.1 anjpn-avxiz.biz
127.0.0.1 www.anjpn-avxiz.biz
127.0.0.1 anjpnzqav.biz
127.0.0.1 www.anjpnzqav.biz
127.0.0.1 anjpn-zqav.biz
127.0.0.1 www.anjpn-zqav.biz
127.0.0.1 annaromeo.com
127.0.0.1 antiddos.us
127.0.0.1 www.antiddos.us
127.0.0.1 Antiespiadorado.com
127.0.0.1 www.Antiespiadorado.com
127.0.0.1 Antiespionspack.com
127.0.0.1 www.Antiespionspack.com
127.0.0.1 Antigusanos2008.com

127.0.0.1 update.shareaza.com
127.0.0.1 updatemysettings.com
127.0.0.1 www.updatemysettings.com
127.0.0.1 updates.spywarequake.com
127.0.0.1 www.upereva.it
127.0.0.1 upereva.it
127.0.0.1 uploads.180solutions.com
127.0.0.1 upspiral.com
127.0.0.1 www.upspiral.com
127.0.0.1 www.uptodateprotect.com
127.0.0.1 uptodateprotect.com
127.0.0.1 www.uptodatesecurity.com
127.0.0.1 uptodatesecurity.com
127.0.0.1 uptofind.com
127.0.0.1 www.uptofind.com
127.0.0.1 upx.tsx.org
127.0.0.1 uralitel.ru
127.0.0.1 urgentsystemupdate.biz
127.0.0.1 www.urgentsystemupdate.biz
127.0.0.1 www.urgentsystemupdate.com
127.0.0.1 urgentsystemupdate.com
127.0.0.1 www.url.cpvfeed.com
127.0.0.1 urlstat.com
127.0.0.1 urlstat.ru
127.0.0.1 ursie.net
127.0.0.1 www.usecodec.com
127.0.0.1 usecodec.com
127.0.0.1 usefullsoft.net
127.0.0.1 use-play.com
127.0.0.1 www.use-play.com
127.0.0.1 utahsweet.com
127.0.0.1 utiledeprotection.com
127.0.0.1 www.utiledeprotection.com
127.0.0.1 utils.errorsafe.com
127.0.0.1 utils.winantivirus.com
127.0.0.1 www.utils.winfixer.com
127.0.0.1 utils.winfixer.com
127.0.0.1 utopicportal.com
127.0.0.1 uusocialjustice.org
127.0.0.1 uvu-channel.com
127.0.0.1 www.uvu-channel.com
127.0.0.1 uydsiygeds.com
127.0.0.1 www.uydsiygeds.com
127.0.0.1 www.uzoogle.com
127.0.0.1 uzoogle.com
127.0.0.1 v-224.com
127.0.0.1 v61.com
127.0.0.1 www.v61.com
127.0.0.1 v8irgilio.it
127.0.0.1 www.v8irgilio.it
127.0.0.1 v8rgilio.it
127.0.0.1 www.v8rgilio.it
127.0.0.1 v9irgilio.it
127.0.0.1 www.v9irgilio.it
127.0.0.1 v9rgilio.it
127.0.0.1 www.v9rgilio.it
127.0.0.1 vac-soft.com
127.0.0.1 www.vac-soft.com
127.0.0.1 vacwebsoft.com
127.0.0.1 www.vacwebsoft.com
127.0.0.1 www.vadesrunhdefunnjansdeikin.com
127.0.0.1 vadesrunhdefunnjansdeikin.com
127.0.0.1 vaginpics.com
127.0.0.1 valmyers.com
127.0.0.1 vapochille.com
127.0.0.1 www.vapochille.com
127.0.0.1 www.vaserjungenfujinas.com
127.0.0.1 vaserjungenfujinas.com
127.0.0.1 www.vaulimited.com
127.0.0.1 vaulimited.com
127.0.0.1 vaxcodec.com
127.0.0.1 www.vaxcodec.com
127.0.0.1 www.vaxdownload.com
127.0.0.1 vaxdownload.com
127.0.0.1 www.vaxobject.com
127.0.0.1 vaxobject.com
127.0.0.1 www.vaxobjectinstall.com
127.0.0.1 vaxobjectinstall.com
127.0.0.1 vbirgilio.it
127.0.0.1 www.vbirgilio.it
127.0.0.1 vcirgilio.it
127.0.0.1 www.vcirgilio.it
127.0.0.1 www.vcodec.com
127.0.0.1 vcodec.com
127.0.0.1 v-codec.com
127.0.0.1 www.v-codec.com
127.0.0.1 vcodec2007.com
127.0.0.1 www.vcodec2007.com
127.0.0.1 www.vcorriere.it
127.0.0.1 vcorriere.it
127.0.0.1 vegas-free.com
127.0.0.1 vegbuy.com
127.0.0.1 veloventures.com
127.0.0.1 verkaufen.wegvonviren.com
127.0.0.1 vertionkinhunfenrunhasde.com
127.0.0.1 www.vertionkinhunfenrunhasde.com
127.0.0.1 veryeasysearch.com
127.0.0.1 verzila.com
127.0.0.1 vesbiz.biz
127.0.0.1 www.veyyhlucwa.net
127.0.0.1 veyyhlucwa.net
127.0.0.1 vfirgilio.it
127.0.0.1 www.vfirgilio.it
127.0.0.1 vgazzetta.it
127.0.0.1 www.vgazzetta.it
127.0.0.1 vgirgilio.it
127.0.0.1 www.vgirgilio.it
127.0.0.1 vgoogle.it
127.0.0.1 www.vgoogle.it
127.0.0.1 vi4gilio.it
127.0.0.1 www.vi4gilio.it
127.0.0.1 vi4rgilio.it
127.0.0.1 www.vi4rgilio.it
127.0.0.1 www.vi5gilio.it
127.0.0.1 vi5gilio.it
127.0.0.1 www.vi5rgilio.it
127.0.0.1 vi5rgilio.it
127.0.0.1 vi8rgilio.it
127.0.0.1 www.vi8rgilio.it
127.0.0.1 www.vi9rgilio.it
127.0.0.1 vi9rgilio.it
127.0.0.1 vicodec.com
127.0.0.1 www.vicodec.com
127.0.0.1 victoriaadam.com
127.0.0.1 vidaccess.net
127.0.0.1 www.vidaccess.net
127.0.0.1 www.vidcodecs.com
127.0.0.1 vidcodecs.com
127.0.0.1 www.videoaccessactivex.com
127.0.0.1 videoaccessactivex.com
127.0.0.1 www.videoactivexlist.com
127.0.0.1 videoactivexlist.com
127.0.0.1 videoactivexmode.com
127.0.0.1 www.videoactivexmode.com
127.0.0.1 videoactivexnote.com
127.0.0.1 www.videoactivexnote.com
127.0.0.1 videoactivexsetup.com
127.0.0.1 www.videoactivexsetup.com
127.0.0.1 videoactivexsoft.com
127.0.0.1 www.videoactivexsoft.com
127.0.0.1 videoactivexsoftware.com
127.0.0.1 www.videoactivexsoftware.com
127.0.0.1 videoadaptation.com
127.0.0.1 www.videoadaptation.com
127.0.0.1 www.videoaxdata.com
127.0.0.1 videoaxdata.com
127.0.0.1 www.videoaxdownload.com
127.0.0.1 videoaxdownload.com
127.0.0.1 www.videoaxobject.com
127.0.0.1 videoaxobject.com
127.0.0.1 videoaxproject.com
127.0.0.1 www.videoaxproject.com
127.0.0.1 videoaxsoftware.com
127.0.0.1 www.videoaxsoftware.com
127.0.0.1 videoaxsolution.com
127.0.0.1 www.videoaxsolution.com
127.0.0.1 videocategories.com
127.0.0.1 video-clips.in
127.0.0.1 www.video-clips.in
127.0.0.1 www.videoobjectax.com
127.0.0.1 videoobjectax.com
127.0.0.1 videoobjectmedia.com
127.0.0.1 www.videoobjectmedia.com
127.0.0.1 videoplayersite.com
127.0.0.1 www.videoplayersite.com
127.0.0.1 videos-access.com
127.0.0.1 www.videos-access.com
127.0.0.1 www.videosaccess.net
127.0.0.1 videosaccess.net
127.0.0.1 videoscodec.com
127.0.0.1 www.videoscodec.com
127.0.0.1 videosfan.com
127.0.0.1 www.videosfan.com
127.0.0.1 videosoftonline.com
127.0.0.1 www.videosoftonline.com
127.0.0.1 videosoftwareax.com
127.0.0.1 www.videosoftwareax.com
127.0.0.1 www.videossoftware.com
127.0.0.1 videossoftware.com
127.0.0.1 www.videowebproject.com
127.0.0.1 videowebproject.com
127.0.0.1 videowebsoft.com
127.0.0.1 www.videowebsoft.com
127.0.0.1 www.videozapping.com
127.0.0.1 videozapping.com
127.0.0.1 www.vidrgilio.it
127.0.0.1 vidrgilio.it
127.0.0.1 vids-access.com
127.0.0.1 www.vids-access.com
127.0.0.1 www.vidscodec.com
127.0.0.1 vidscodec.com
127.0.0.1 www.vidsfest.com
127.0.0.1 vidsfest.com
127.0.0.1 viegilio.it
127.0.0.1 www.viegilio.it
127.0.0.1 www.viergilio.it
127.0.0.1 viergilio.it
127.0.0.1 www.viewdevice.com
127.0.0.1 viewdevice.com
127.0.0.1 www.viewimageonline.com
127.0.0.1 viewimageonline.com
127.0.0.1 viewutility.com
127.0.0.1 www.viewutility.com
127.0.0.1 vifgilio.it
127.0.0.1 www.vifgilio.it
127.0.0.1 www.vifrgilio.it
127.0.0.1 vifrgilio.it
127.0.0.1 vigrgilio.it
127.0.0.1 www.vigrgilio.it
127.0.0.1 vigrilio.it
127.0.0.1 www.vigrilio.it
127.0.0.1 vijrgilio.it
127.0.0.1 www.vijrgilio.it
127.0.0.1 vikrgilio.it
127.0.0.1 www.vikrgilio.it
127.0.0.1 vilrgilio.it
127.0.0.1 www.vilrgilio.it
127.0.0.1 viorgilio.it
127.0.0.1 www.viorgilio.it
127.0.0.1 www.vipcodecvip.com
127.0.0.1 vipcodecvip.com
127.0.0.1 www.vipru.com
127.0.0.1 vipru.com
127.0.0.1 www.vir4gilio.it
127.0.0.1 vir4gilio.it
127.0.0.1 vir5gilio.it
127.0.0.1 www.vir5gilio.it
127.0.0.1 virbgilio.it
127.0.0.1 www.virbgilio.it
127.0.0.1 virbilio.it
127.0.0.1 www.virbilio.it
127.0.0.1 virdgilio.it
127.0.0.1 www.virdgilio.it
127.0.0.1 viregilio.it
127.0.0.1 www.viregilio.it
127.0.0.1 virfgilio.it
127.0.0.1 www.virfgilio.it
127.0.0.1 www.virg8ilio.it
127.0.0.1 virg8ilio.it
127.0.0.1 www.virg8lio.it
127.0.0.1 virg8lio.it
127.0.0.1 virg9ilio.it
127.0.0.1 www.virg9ilio.it
127.0.0.1 www.virg9lio.it
127.0.0.1 virg9lio.it
127.0.0.1 www.virgbilio.it
127.0.0.1 virgbilio.it
127.0.0.1 virgfilio.it
127.0.0.1 www.virgfilio.it
127.0.0.1 www.virghilio.it
127.0.0.1 virghilio.it
127.0.0.1 www.virgi8lio.it
127.0.0.1 virgi8lio.it
127.0.0.1 virgi9lio.it
127.0.0.1 www.virgi9lio.it
127.0.0.1 www.virgiilo.it
127.0.0.1 virgiilo.it
127.0.0.1 www.virgiio.it
127.0.0.1 virgiio.it
127.0.0.1 virgijlio.it
127.0.0.1 www.virgijlio.it
127.0.0.1 www.virgiklio.it
127.0.0.1 virgiklio.it
127.0.0.1 www.virgil8io.it
127.0.0.1 virgil8io.it
127.0.0.1 www.virgil9io.it
127.0.0.1 virgil9io.it
127.0.0.1 virgili0.it
127.0.0.1 www.virgili0.it
127.0.0.1 virgili8o.it
127.0.0.1 www.virgili8o.it
127.0.0.1 www.virgili9.it
127.0.0.1 virgili9.it
127.0.0.1 www.virgili9o.it
127.0.0.1 virgili9o.it
127.0.0.1 virgilijo.it
127.0.0.1 www.virgilijo.it
127.0.0.1 www.virgiliko.it
127.0.0.1 virgiliko.it
127.0.0.1 virgilil.it
127.0.0.1 www.virgilil.it
127.0.0.1 virgililo.it
127.0.0.1 www.virgililo.it
127.0.0.1 virgilio0.it
127.0.0.1 www.virgilio0.it
127.0.0.1 www.virgilio9.it
127.0.0.1 virgilio9.it
127.0.0.1 virgilioi.it
127.0.0.1 www.virgilioi.it
127.0.0.1 virgiliok.it
127.0.0.1 www.virgiliok.it
127.0.0.1 virgiliol.it
127.0.0.1 www.virgiliol.it
127.0.0.1 virgiliop.it
127.0.0.1 www.virgiliop.it
127.0.0.1 virgilipo.it
127.0.0.1 www.virgilipo.it
127.0.0.1 virgiliuo.it
127.0.0.1 www.virgiliuo.it
127.0.0.1 www.virgiljio.it
127.0.0.1 virgiljio.it
127.0.0.1 www.virgilkio.it
127.0.0.1 virgilkio.it
127.0.0.1 www.virgiloio.it
127.0.0.1 virgiloio.it
127.0.0.1 www.virgiloo.it
127.0.0.1 virgiloo.it
127.0.0.1 www.virgilpio.it
127.0.0.1 virgilpio.it
127.0.0.1 virgiluio.it
127.0.0.1 www.virgiluio.it
127.0.0.1 virgiluo.it
127.0.0.1 www.virgiluo.it
127.0.0.1 virgin-tgp.net
127.0.0.1 virgioio.it
127.0.0.1 www.virgioio.it
127.0.0.1 virgiolio.it
127.0.0.1 www.virgiolio.it
127.0.0.1 www.virgiplio.it
127.0.0.1 virgiplio.it

127.0.0.1 www.yourcodec.com
127.0.0.1 yourcodec.com
127.0.0.1 yourieprotect.com
127.0.0.1 www.yourieprotect.com
127.0.0.1 youriesafety.com
127.0.0.1 www.youriesafety.com
127.0.0.1 www.youriesecure.com
127.0.0.1 youriesecure.com
127.0.0.1 www.yourphotozone.com
127.0.0.1 yourphotozone.com
127.0.0.1 your-prescriptions.net
127.0.0.1 www.yoursearchspace.com
127.0.0.1 yoursearchspace.com
127.0.0.1 yoursitebar.com
127.0.0.1 you-search.com
127.0.0.1 you-search.com.ru
127.0.0.1 ypir.com
127.0.0.1 ysa-info.net
127.0.0.1 ysbweb.com
127.0.0.1 www.ysbweb.com
127.0.0.1 www.ytiscali.it
127.0.0.1 ytiscali.it
127.0.0.1 ytrenitalia.it
127.0.0.1 www.ytrenitalia.it
127.0.0.1 yukohamano.com
127.0.0.1 www.yunibo.it
127.0.0.1 yunibo.it
127.0.0.1 ywebsearch.info
127.0.0.1 www.zabywjwzlr.biz.biz
127.0.0.1 zabywjwzlr.biz.biz
127.0.0.1 www.zalitalia.it
127.0.0.1 zalitalia.it
127.0.0.1 www.zangcodec.net
127.0.0.1 zangcodec.net
127.0.0.1 zangocash.com
127.0.0.1 www.zangocash.com
127.0.0.1 zapros.com
127.0.0.1 zcodec.com
127.0.0.1 www.zcodec.com
127.0.0.1 zdrqmpad.com
127.0.0.1 www.zdrqmpad.com
127.0.0.1 zelaznyworld.com
127.0.0.1 www.zelaznyworld.com
127.0.0.1 www.zenotecnico.com
127.0.0.1 zenotecnico.com
127.0.0.1 www.zenotecnico2.com
127.0.0.1 zenotecnico2.com
127.0.0.1 zero.bestmanage.org
127.0.0.1 zero.bestmanage0.org
127.0.0.1 zero.bestmanage1.org
127.0.0.1 zero.bestmanage2.org
127.0.0.1 zero.bestmanage3.org
127.0.0.1 zero.bestmanage4.org
127.0.0.1 zero.bestmanage5.org
127.0.0.1 zero.bestmanage6.org
127.0.0.1 zero.bestmanage7.org
127.0.0.1 zero.bestmanage8.org
127.0.0.1 zero.bestmanage9.org
127.0.0.1 zero.serverc.org
127.0.0.1 zero.sisdotnet.com
127.0.0.1 zerocodec.com
127.0.0.1 www.zerocodec.com
127.0.0.1 zero-codec.com
127.0.0.1 www.zero-codec.com
127.0.0.1 zesearch.com
127.0.0.1 www.zestyfind.com
127.0.0.1 zestyfind.com
127.0.0.1 www.zfxaqzkevi.com
127.0.0.1 zfxaqzkevi.com
127.0.0.1 zhmbscwdgk.biz
127.0.0.1 www.zhmbscwdgk.biz
127.0.0.1 zipcodec.com
127.0.0.1 www.zipcodec.com
127.0.0.1 ziportal.com
127.0.0.1 zipportal.com
127.0.0.1 www.zippy-lookup.com
127.0.0.1 zippy-lookup.com
127.0.0.1 www.zjkjw.gov.cn
127.0.0.1 zjkjw.gov.cn
127.0.0.1 znext.com
127.0.0.1 www.znext.com
127.0.0.1 zonealarm-download-now.com
127.0.0.1 www.zonealarm-download-now.com
127.0.0.1 www.zonealarm-stop.com
127.0.0.1 zonealarm-stop.com
127.0.0.1 zone-media.com
127.0.0.1 www.zone-media.com
127.0.0.1 zoneoffreeporn.com
127.0.0.1 zoofil.com
127.0.0.1 zoomegasite.com
127.0.0.1 zpwebsource.com
127.0.0.1 www.zpwebsource.com
127.0.0.1 zqavanjpn.biz
127.0.0.1 www.zqavanjpn.biz
127.0.0.1 z-quest.com
127.0.0.1 www.z-quest.com
127.0.0.1 www.zsupereva.it
127.0.0.1 zsupereva.it
127.0.0.1 zsvcompany.com
127.0.0.1 www.zsvcompany.com
127.0.0.1 www.zurrusco.com
127.0.0.1 zurrusco.com
127.0.0.1 zvimigdal.com
127.0.0.1 www.zxcsolution.com
127.0.0.1 zxcsolution.com
127.0.0.1 www.zxlinks.com
127.0.0.1 zxlinks.com
127.0.0.1 zyban-zocor-levitra.com

And many others...

# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

steamwiz

2008-03-17, 23:00

Hi

OK ... but seriously consider running Combofix when you are ready, as I'm sure it will find more hidden malware ...

Also I forgot to mention back then when I had the virus and when I scanned with AVG and it found this:
c:\windows\system32\drivers\etc\hosts
result/infection: changed
what's that?

The entries you posted from your HOSTS file were entries placed there to block known BAD sites, by spybot ... there could be other entries blocking legitimate sites, placed there by malware, or if you immunized with spybot before running the AVG scan, the AVG will have noticed the extra entries inserted by spybot & allerted you to them... so no problem ...

IN your HOSTS file, are there any other entries which do NOT fall between :-

# Start of entries inserted by Spybot - Search & Destroy

&

# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

---
There are a couple of other programs I'd like you to run as well, but it can wait till the weekend when you post back.

steam

Artificial

2008-03-18, 11:01

IN your HOSTS file, are there any other entries which do NOT fall between :-

# Start of entries inserted by Spybot - Search & Destroy

&

# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

No there aren't.
Also I forgot to mention, when my computer was formatted by a colleague of my mother, he probably changed something in registry so I could never run Windows auto update. And I would like that to stay that way :)
I remember Spybot found that, but I disabled it.. I mean I told spybot not to inform me about that anymore.
Is there are a chance that combofix will find that and change? Cuz I wouldn't like that..

anyway, cya in Friday

steamwiz

2008-03-18, 21:35

a colleague of my mother, he probably changed something in registry so I could never run Windows auto update. And I would like that to stay that way

You mean to say you NEVER visit Windows update to download the latest security updates ?

Then it's a waste if time cleaning your computer, malware is forever finding new vulnerabilities in the operating system, IE and other software, unless you religiously download at least all critical updates immediately they become available, your computer will never be secure ...

Also I'm not going to keep justifying you running combofix or any other program, there is always a chance something could go wrong when removing malware, with any program. If you don't feel happy running combofix, then don't ... but also don't be surprised when malware comes back.

If you want your computer cleaning by me, the you do what I say without question, run what I say without question, unless you don't understand what I'm telling you, then by all means ask.

As for renaming hijackthis, certain strains of vundo do hide from hijackthis, but not the one you have ... rename hijackthis if you want, it wont hurt anything, but it wont make any difference.

steam

Artificial

2008-03-18, 21:46

Well I'm like that for a year now and had no problems with malware :)
No one hacked my accounts/mails, the computer never reacted strange.. I'm not using bank accounts/credit cards etc
I visit only certain web pages(gaming related)..
I think I can go through without those updates.
The guy did like that probably because I have a pirate version for my OS so as 90% of the population in my country.
But as you can see unexpected things can happens like that amvo.

Anyway sorry for all this, wasting your time.. :sad:
We stop this cleaning process now as I'm buying new HD next week.

Last question, can a hacker access my computer even if I am disconnected from the internet?

steamwiz

2008-03-18, 22:23

I think I can go through without those updates.
The guy did like that probably because I have a pirate version for my OS so as 90% of the population in my country.

We stop this cleaning process now as I'm buying new HD next week.

It's not a new HD you need, it's a legit O/S

Because with or without a new HD, you'll be in trouble again very soon.

steam