PDA

View Full Version : VirtuMonde[Vista]need heLP!



Johaneedsurhelp
2008-05-28, 21:02
First of all, i wanna thank you in advance for helping me..
there are 3 .dll files that are infected

C:\Windows\System32\nnnNeBrP.dll not-a-virus:AdWare.Win32.Virtumonde.trz

C:\windows\system32\khffcukj.dll not-a-virus:AdWare.Win32.Virtumonde.trz

These two are currently under Trusted Zone, i putt'em there so it wont pop-up every time i start my system

Infected: adware not-a-virus:AdWare.Win32.Virtumonde.trz C:\Windows\System32\cbXPHbAS.dll 57 KB

This one i got it deleted, i tried disinfecting and putting it under quarantine but kaspersky suggested that it had to be "deleted on the next system restart"

What do i do next? i already downloaded ComboFix but i dont wanna ruin it as much as it already is.. so pls, im asking and begging for some assistance.. i would very much appreciate it.

Johaneedsurhelp
2008-05-28, 21:34
my hijacklog file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:38 AM, on 5/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\explorer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0405C7D3-82A3-4828-833B-7DA0691C6ECE} - C:\Windows\system32\fCrSlKDt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Bit Commet\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] "C:\Acer\Empowering Technology\SysMonitor.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbXPHbAS.dll,#1
O4 - HKLM\..\Run: [BM1321c975] Rundll32.exe "C:\Windows\system32\wkshioep.dll",s
O4 - HKLM\..\Run: [1012fae9] rundll32.exe "C:\Windows\system32\anensgmr.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Bit Commet\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Bit Commet\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Bit Commet\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Bit Commet\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 8422 bytes

*Note*
Another one just popped out
C:\Users\Guest\AppData\Local\Temp\fccywuVp.dll
not-a-virus:Adware.Win32.Virtumonde.trz

(this im leaving, i wont delete it, skip it, or add it to trusted zone, its just on a Popped Window)

PLS hellllp im desperate!

steamwiz
2008-05-28, 21:35
HI

What do you mean by "These two are currently under Trusted Zone, i putt'em there"

Have you followed the directions here :-

http://forums.spybot.info/showthread.php?t=288

If so, please post the kaspersky report & the hijackthis log.

steam

steamwiz
2008-05-28, 21:48
HI

OK ... we posted together .. So you have Kaspersky AV & it was this which asked about the trusted zone ... right ... you should have let Kaspersky delete them, you only put programs you know & trust in the "trusted zone"

Even though you have Kaspersky Anti-virus installed, I still want you to run the Kaspersky on-line scan...

Have you downloaded Combofix in the last few hours ... if not you need to delete it and download a fresh copy (it is continualy being updated)

So please follow these directions :-

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:


Extended (if available otherwise Standard)


Scan Options:


Scan Archives Scan Mail Bases

Click OK
Now under select a target to scan:

Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Once finished, save the log to your Desktop as filename KAV.txt


THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

Johaneedsurhelp
2008-05-29, 07:57
Tnx for you fast reply!

i deleted 2 out of 4 files that are infectected, you see everytime i start my system it pops a dialog box saying "DLL error".. it looks like windows are looking for it/using it when i deleted them, now i'll try to delete the other 2, i just figured that kaspersky is copying the file and makes back-up of deleted files

right now im trying kaspersky online scanner, and i'll follow your steps and post right back as soon as possible, again thank you very much

Johaneedsurhelp
2008-05-29, 10:43
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 2:49:08 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 811007
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 78111
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:15:58

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\HiTRUSTDrive\eDS_PSD_drive.vmdf Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\CurEPGEpisode Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\EPGSignal Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\iEPGChInfo Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\RecEpisode Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\Schedule Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\Series Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\1f47_File_Monitoring_eventcritlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\1f47_File_Monitoring_eventlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\1f49_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\~PRCustomProps#141.dat Object is locked skipped
C:\ProgramData\Kaspersky Lab\~PRObjects#141.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.124.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.124.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy104.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf9201.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf9222.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050025.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCYU24OJ\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.vnb skipped
C:\Users\Guest\AppData\Local\Temp\hdrhcigi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vnb skipped
C:\Users\My Computer\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{69c6f25d-cd3e-11dc-93ff-001c25237f1e}.TM.blf Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{69c6f25d-cd3e-11dc-93ff-001c25237f1e}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{69c6f25d-cd3e-11dc-93ff-001c25237f1e}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows Defender\FileTracker\{9BA22319-7B94-496C-85C4-AEE640E6E54D} Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\C2711A93d01 Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\fla1A35.tmp Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\cert8.db Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\history.dat Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\key3.db Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\parent.lock Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\search.sqlite Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\My Computer\NTUSER.DAT Object is locked skipped
C:\Users\My Computer\ntuser.dat.LOG1 Object is locked skipped
C:\Users\My Computer\ntuser.dat.LOG2 Object is locked skipped
C:\Users\My Computer\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Users\My Computer\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\My Computer\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\fidbox.dat Object is locked skipped
C:\Windows\System32\drivers\fidbox.idx Object is locked skipped
C:\Windows\System32\jfnkrdrp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vjr skipped
C:\Windows\System32\kqycdneb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vnb skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WMI\WdiContextLog.etl.003 Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\swcwqvys.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vnb skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\Temp\cch~a16d479a9f.htp Object is locked skipped
C:\Windows\Temp\cch~a16d47c6b3.htp Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Malware 1st attempt

Malwarebytes' Anti-Malware 1.12
Database version: 797

Scan type: Quick Scan
Objects scanned: 39063
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\anensgmr.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\fCrSlKDt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\kqycdneb.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0405c7d3-82a3-4828-833b-7da0691c6ece} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0405c7d3-82a3-4828-833b-7da0691c6ece} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bad9a9b6-16ee-4fcf-b4f9-36aa8f7cc848} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1012fae9 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1321c975 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fcrslkdt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fcrslkdt -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\anensgmr.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\rmgsnena.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\fCrSlKDt.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\tDKlSrCf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\tDKlSrCf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jfnkrdrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\prdrknfj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\kqycdneb.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\bendcyqk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\swcwqvys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\syvqwcws.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\aqipfjal.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\csincjso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\eeurhjts.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\ionwbwfy.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\jwmfnhja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\xafquahs.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\yabfmgjk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\My Computer\Local Settings\Temporary Internet Files\Content.IE5\VZQ4EF7V\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\My Computer\Local Settings\Temporary Internet Files\Content.IE5\VZQ4EF7V\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\wkshioep.dll (Trojan.Agent) -> Delete on reboot.

Malware 2nd attempt

Malwarebytes' Anti-Malware 1.12
Database version: 797

Scan type: Quick Scan
Objects scanned: 39063
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\anensgmr.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\fCrSlKDt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\kqycdneb.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0405c7d3-82a3-4828-833b-7da0691c6ece} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0405c7d3-82a3-4828-833b-7da0691c6ece} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bad9a9b6-16ee-4fcf-b4f9-36aa8f7cc848} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1012fae9 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1321c975 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fcrslkdt -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fcrslkdt -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\anensgmr.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\rmgsnena.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\fCrSlKDt.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\tDKlSrCf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\tDKlSrCf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\jfnkrdrp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\prdrknfj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\kqycdneb.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\bendcyqk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\swcwqvys.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\syvqwcws.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\aqipfjal.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\csincjso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\eeurhjts.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\ionwbwfy.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\jwmfnhja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\xafquahs.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\yabfmgjk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\My Computer\Local Settings\Temporary Internet Files\Content.IE5\VZQ4EF7V\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\My Computer\Local Settings\Temporary Internet Files\Content.IE5\VZQ4EF7V\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Windows\System32\wkshioep.dll (Trojan.Agent) -> Delete on reboot.

*Heres where Im at*

-Haven't tried Combo fix yet, i read further and it requires Windows CD boot up to recover w\c i dont have

will this be a problem? i already finished the malware removal w/c requires to reboot the PC, when the PC booted the .dll errors was gone!
but something wierd popped up after the scan

http://img144.imageshack.us/img144/8748/678fs4.jpg

what do i do next?

Johaneedsurhelp
2008-05-29, 19:09
ok i tried it, whats the next step?
while trying combo fix, kaspersky warned me a couple of times but then i allowed it, after the reboot kaspersky did not start on the taskbar,

im sorry for not posting the combofix log the right way, but somehow its not allowing me to post it, saying


You have included 18 images in your message. You are limited to using 10 images so please go back and correct the problem and then continue again.

i cant attach it either, saying its too large =( :oops:

can i send it to you instead?

Johaneedsurhelp
2008-05-29, 19:16
Rapidshare, again im sorry and i hope it works

http://rapidshare.com/files/118607721/combofixlog.txt.html

steamwiz
2008-05-29, 22:51
Hi

First a little info ...



i deleted 2 out of 4 files that are infectected, you see everytime i start my system it pops a dialog box saying "DLL error"..

When you delete the malware file e.g. :- C:\Windows\system32\cbXPHbAS.dll

But leave the registry run key for the file...

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbXPHbAS.dll,#1

Windows will still look to run the file when you boot up, when it doesn't find it, it gives you the dll errors ...



when the PC booted the .dll errors was gone!
but something wierd popped up after the scan


That pop-up was a standard message telling you to reboot your computer ...

The files/registry keys it showed are malware which is "in use" & can only be deleted during a reboot, before windows loads... you need to reboot at that point ...



Quote:
You have included 18 images in your message. You are limited to using 10 images so please go back and correct the problem and then continue again.


unfortunate ... your log included entries like this :-



UDP:D:\ggc


which when posted show as smilies like this :-

UDP:D:\ggc

I guess you had 18 of them in your log ...

You have evidence of several flash drive infections, they may just be leftovers ...

So this is what I need you to do....

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\Users\Guest\AppData\Local\Temp\hdrhcigi.dll
C:\Windows\System32\jfnkrdrp.dll
C:\Windows\System32\kqycdneb.dll
C:\Windows\System32\swcwqvys.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B6E95516-27C0-443D-9BA9-ABD8C12BAE16}"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c311272-11b4-11dd-9b7f-001c25237f1e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c3112bd-11b4-11dd-9b7f-001c25237f1e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb850fdd-1344-11dd-8d89-001c25237f1e}]



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Try to copy & past the combofix log again, then attach of it wont... only use Rapidshare as a last resort (it's a lot of messing to retrieve the log)

steam

Johaneedsurhelp
2008-05-30, 00:06
Rapidshare.. again im soo sryy >.<

http://rapidshare.com/files/118671988/Combofixlog2.txt

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:01 AM, on 5/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Bit Commet\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] "C:\Acer\Empowering Technology\SysMonitor.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Bit Commet\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Bit Commet\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Bit Commet\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Bit Commet\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 7472 bytes

Combofix did not ask for reboot
THANK YOU THANK YOU VERY VERY MUCH FOR UR HELP

steamwiz
2008-05-30, 00:42
Hi

That log's clean now :)

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

THEN ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

http://img.photobucket.com/albums/v624/29wood/Clipboard01-1.gif

THEN ...

Please run & post a new KASPERSKY ONLINE SCANNER REPORT

cheers

steam

Johaneedsurhelp
2008-05-30, 06:08
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 11:03:10 AM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 813037
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 75399
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:00:25

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\HiTRUSTDrive\eDS_PSD_drive.vmdf Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\CurEPGEpisode Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\EPGSignal Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\iEPGChInfo Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\RecEpisode Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\Schedule Object is locked skipped
C:\ProgramData\CyberLink\TinyDB\Series Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\1fdb_File_Monitoring_eventlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\1fdd_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\ProgramData\Kaspersky Lab\~PRCustomProps#141.dat Object is locked skipped
C:\ProgramData\Kaspersky Lab\~PRObjects#141.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.125.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.125.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy104.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4F4B.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4F4C.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050025.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008053020080531\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{69c6f25d-cd3e-11dc-93ff-001c25237f1e}.TM.blf Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{69c6f25d-cd3e-11dc-93ff-001c25237f1e}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\My Computer\AppData\Local\Microsoft\Windows\UsrClass.dat{69c6f25d-cd3e-11dc-93ff-001c25237f1e}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Mozilla\Firefox\Profiles\txy4pq08.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\sqlite_9H1u9mzPwtNWF4e Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\sqlite_cS5nzzyqIglONvk Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\sqlite_lhrdF7YQQYSTgiq Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\sqlite_OnHA85LXPddiZck Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\sqlite_Qwser4reeEAwKUm Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF14C9.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF14D2.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF14DA.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF14E3.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2107.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2110.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2117.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2120.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2127.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2130.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF224A.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF231C.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2325.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF232C.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2335.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF233C.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2345.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF234C.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2355.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2436.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF243F.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2446.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF244F.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2456.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF245F.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF2466.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF246F.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF91AF.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF91B8.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF91BF.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF91C8.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF91CF.tmp Object is locked skipped
C:\Users\My Computer\AppData\Local\Temp\~DF91D8.tmp Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\cert8.db Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\history.dat Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\key3.db Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\parent.lock Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\search.sqlite Object is locked skipped
C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\txy4pq08.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\My Computer\NTUSER.DAT Object is locked skipped
C:\Users\My Computer\ntuser.dat.LOG1 Object is locked skipped
C:\Users\My Computer\ntuser.dat.LOG2 Object is locked skipped
C:\Users\My Computer\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Users\My Computer\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\My Computer\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{d8932e61-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\fidbox.dat Object is locked skipped
C:\Windows\System32\drivers\fidbox.idx Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WMI\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1 Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2 Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{d8932e69-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{d8932e69-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{d8932e69-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
D:\GGC\client.db Object is locked skipped
D:\GGC\user\2726730\banlist.db Object is locked skipped
D:\GGC\user\2726730\buddy.db Object is locked skipped
D:\GGC\user\2726730\category.db Object is locked skipped
D:\GGC\user\2726730\message.db Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

-its clean and i hope it stays that way, tnx for all your help, i really appreciate it.. it seems that im a bit noob bout these kinds of stuff :eek:

i hope u get paid for this :laugh:

steamwiz
2008-05-30, 20:34
Hi

Yes ... All clean :)



i hope u get paid for this


Nope ... it's a labour of love ...

Before you leave the site have a look here at ways to keep your computer clean :-

So how did I get infected in the first place? by Tony klein

http://forums.spybot.info/showthread.php?t=279

If all your problems are resolved .... Happy surfing

steam