
Virtumonde has me in its clutches



Madnezz
2008-06-06, 04:44
Hello, I would appreciate any help I can get. You have helped before and it was a most excellent job well done. Alas, here I am again, and I believe it is Virtumonde that has me in its clutches... I have renamed hjthis to scanner.exe and here is the log, I am at your mercy. Thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39: VIRUS ALERT!, on 6/5/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\rqRHaXQh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {524B3524-DC50-4550-8D8D-BCB03C13AA91} - C:\WINDOWS\system32\hgGvtUNf.dll (disabled by BHODemon)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8} - C:\WINDOWS\system32\geBqQIXp.dll (file missing)
O2 - BHO: (no name) - {9E179AAD-18CD-4EA2-81B8-EAF021292969} - C:\WINDOWS\system32\wvUoNgHB.dll (file missing)
O2 - BHO: (no name) - {A06EE1D2-3E4C-42E4-B8EA-B19E8C5A82CE} - C:\WINDOWS\system32\pmnnLCrs.dll (file missing)
O2 - BHO: (no name) - {B23BA466-DAED-44B7-B2BF-4BA3101C1517} - C:\WINDOWS\system32\opnnoonM.dll
O2 - BHO: (no name) - {C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9} - C:\WINDOWS\system32\iiffCTlL.dll
O2 - BHO: (no name) - {E1B88270-F79D-45EF-A34B-99BA72C8CEC0} - C:\WINDOWS\system32\rqRJaxWp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA4C63D4-87F0-4F6F-BC12-FF3D530B25CF} - C:\WINDOWS\system32\yayyaWNF.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA8DC75A-3505-4126-B126-4D967EC5A9A0} - C:\WINDOWS\system32\nnnkKebB.dll (disabled by BHODemon)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Madnezz\Desktop\muBlinder\muBlinder.exe -startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [60d94983] rundll32.exe "C:\WINDOWS\system32\wctvklmq.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206489383437
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206486870125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206486863578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - C:\WINDOWS\SYSTEM32\iiffCTlL.dll
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 10732 bytes
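
The log above shows the Virtumonde pattern the helpers on this forum look for: nameless BHOs loading eight-letter DLLs from system32, an HKLM Run value whose name is eight hex digits and loads such a DLL through rundll32, Winlogon Notify packages with the same kind of name, and orphaned entries. The following script, added here as an illustration and not part of this thread or of HijackThis, scores HijackThis lines for those indicators; the sample lines are copied from the log above, and the allowlist of legitimate eight-letter DLL names is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log above, plus two clean
# entries (Yahoo! toolbar BHO, Kaspersky AVP autorun) for contrast. Backslashes
# are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\\WINDOWS\\system32\\rqRHaXQh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8} - C:\\WINDOWS\\system32\\geBqQIXp.dll (file missing)
O2 - BHO: (no name) - {C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9} - C:\\WINDOWS\\system32\\iiffCTlL.dll
O4 - HKLM\\..\\Run: [AVP] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"
O4 - HKLM\\..\\Run: [60d94983] rundll32.exe "C:\\WINDOWS\\system32\\wctvklmq.dll",b
O20 - Winlogon Notify: ddcCRHBU - C:\\WINDOWS\\
O20 - Winlogon Notify: iiffCTlL - C:\\WINDOWS\\SYSTEM32\\iiffCTlL.dll
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwssvc.exe (file missing)
"""

# A DLL in system32 whose basename is eight letters with no digits is the naming
# pattern of the Virtumonde BHOs in the log (rqRHaXQh, hgGvtUNf, iiffCTlL, ...).
RANDOM_DLL = re.compile(r"\\system32\\([A-Za-z]{8})\.dll", re.IGNORECASE)
RANDOM_NAME = re.compile(r"[A-Za-z]{8}")
# Legitimate Windows DLLs that happen to have eight-letter names (assumed,
# partial list; extend as needed). A hit on anything else means "review",
# not "malicious": this is a triage heuristic, not a verdict.
KNOWN_8LETTER = {"browseui", "setupapi", "wintrust", "cryptdll", "netshell",
                 "iphlpapi", "imagehlp", "schannel", "cryptsvc", "winscard",
                 "powrprof", "linkinfo"}
HEX_VALUE_NAME = re.compile(r"\[([0-9a-f]{8})\]")   # e.g. [60d94983]


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def random_dll_name(text: str) -> Optional[str]:
    """Return the 8-letter basename if the line loads a suspicious system32 DLL."""
    m = RANDOM_DLL.search(text)
    if m and m.group(1).lower() not in KNOWN_8LETTER:
        return m.group(1)
    return None


def score_line(line: str) -> Finding:
    """Score one HijackThis line; 0 means nothing in it looked suspicious."""
    f = Finding(line)
    section = line.split(" - ", 1)[0]          # "O2", "O4", "O20", "O23", ...
    rnd = random_dll_name(line)
    if section == "O2":
        if "(no name)" in line:
            f.add(1, "BHO registered without a display name")
        if rnd:
            f.add(2, f"BHO loads pseudo-random DLL {rnd}.dll from system32")
        if "(file missing)" in line:
            f.add(1, "orphaned BHO registration: DLL gone, CLSID left behind")
    elif section == "O4":
        m = HEX_VALUE_NAME.search(line)
        if m:
            f.add(2, f"autorun value name is eight hex digits ({m.group(1)})")
        if "rundll32.exe" in line.lower() and rnd:
            f.add(2, f"rundll32 autorun loads pseudo-random DLL {rnd}.dll")
    elif section == "O20" and "Winlogon Notify: " in line:
        name = line.split("Winlogon Notify: ", 1)[1].split(" - ", 1)[0]
        if RANDOM_NAME.fullmatch(name) and name.lower() not in KNOWN_8LETTER:
            f.add(2, f"Winlogon Notify package with pseudo-random name {name}")
        if line.rstrip().endswith("\\"):
            f.add(1, "Winlogon Notify entry points at a directory, not a DLL")
    elif section == "O23":
        if "(file missing)" in line:
            f.add(1, "service registered for a binary that no longer exists")
    return f


def triage(log_text: str, threshold: int = 1) -> List[Finding]:
    """Score every non-empty line and return the hits, highest score first."""
    hits = [score_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


def report(findings: List[Finding]) -> None:
    for f in findings:
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run against the full log, the same rules also pick up the second rundll32 autorun name (efwxmajb.dll in the later log), which is the re-created DLL that makes this family hard to remove by deleting files one at a time.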


pskelley
2008-06-07, 03:18
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

If you still need help, please read the directions pinned (sticky) to the top of the forum and posted above. You supplied the HJT log, now I need the required Kaspersky Online Scan (KOS):

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Madnezz
2008-06-07, 18:39
Sorry about that, here are both logs, HJThis then Kaspersky:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37: VIRUS ALERT!, on 6/7/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\rqRHaXQh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {524B3524-DC50-4550-8D8D-BCB03C13AA91} - C:\WINDOWS\system32\hgGvtUNf.dll (disabled by BHODemon)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70546826-8467-4099-B465-62A320CC3025} - C:\WINDOWS\system32\opnnoonM.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8} - C:\WINDOWS\system32\geBqQIXp.dll (file missing)
O2 - BHO: (no name) - {9E179AAD-18CD-4EA2-81B8-EAF021292969} - C:\WINDOWS\system32\wvUoNgHB.dll (file missing)
O2 - BHO: (no name) - {A06EE1D2-3E4C-42E4-B8EA-B19E8C5A82CE} - C:\WINDOWS\system32\pmnnLCrs.dll (file missing)
O2 - BHO: (no name) - {B23BA466-DAED-44B7-B2BF-4BA3101C1517} - (no file)
O2 - BHO: (no name) - {C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9} - C:\WINDOWS\system32\iiffCTlL.dll
O2 - BHO: (no name) - {E1B88270-F79D-45EF-A34B-99BA72C8CEC0} - C:\WINDOWS\system32\rqRJaxWp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA4C63D4-87F0-4F6F-BC12-FF3D530B25CF} - C:\WINDOWS\system32\yayyaWNF.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA8DC75A-3505-4126-B126-4D967EC5A9A0} - C:\WINDOWS\system32\nnnkKebB.dll (disabled by BHODemon)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [60d94983] rundll32.exe "C:\WINDOWS\system32\efwxmajb.dll",b
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Madnezz\Desktop\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206489383437
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206486870125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206486863578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - C:\WINDOWS\SYSTEM32\iiffCTlL.dll
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 9851 bytes

Now Kaspersky:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 07, 2008 10:33: VIRUS AMLERT!
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 836505
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 157014
Number of viruses found: 60
Number of infected objects: 190
Number of suspicious objects: 0
Duration of the scan process: 03:44:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03252008-235307.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\udizglwb\yxkhmhiv.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Documents\My Music\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\All Users\Documents\My Music\06 Track 6.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\All Users\Documents\My Music\hood nigar.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\All Users\Documents\My Music\my dick mickey avalon.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\All Users\Documents\My Music\TOTALLY HIP TRACK.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Madnezz\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Desktop Clean-up\EblessV8\mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Desktop Clean-up\EblessV8.zip/EblessV8/mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Desktop Clean-up\EblessV8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\EblessV8\mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\EblessV8.zip/EblessV8/mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\EblessV8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Madnezz\Desktop\yahoo stuff\revelation.zip/Revelation.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
C:\Documents and Settings\Madnezz\Desktop\yahoo stuff\revelation.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Madnezz\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\History\History.IE5\MSHist012008060720080608\index.dat Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\temp\~DF2914.tmp Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Madnezz\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Madnezz\ntuser.dat Object is locked skipped
C:\Documents and Settings\Madnezz\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Motorola\RSD Lite\RSDLUpdater.exe Infected: Backdoor.Win32.Nuclear.by skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\QooBox\Quarantine\C\WINDOWS\egao.exe.vir Infected: Trojan.Win32.Vapsup.gfv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gwkeqctq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jhbeugxl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.xmw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wrjujwnu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.xmw skipped
C:\QooBox\Quarantine\C\WINDOWS\vregfwlx.dll.vir Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP10\A0000072.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP131\A0032453.exe Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP135\A0033536.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP135\A0033562.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP139\A0033709.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP140\A0033730.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034156.dll Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034157.exe Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034158.dll Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034159.dll Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034160.exe Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034161.dll Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034163.exe Infected: Trojan-Downloader.Win32.Zlob.nzi skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034190.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034195.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034196.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ch skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034197.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034199.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034201.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ck skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034204.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034207.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cm skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034211.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034213.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034232.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cn skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034233.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034235.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cc skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034237.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ci skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034238.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.db skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034239.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP150\A0034247.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP153\A0034795.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP155\A0036391.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP155\A0036441.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.i skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP155\A0036444.dll Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036473.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036474.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch.bg skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036475.exe Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036476.dll Infected: Trojan.Win32.Vapsup.gfv skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036495.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036495.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036982.exe Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP156\A0036983.sys Infected: Backdoor.Win32.Nuclear.by skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP158\A0039486.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP161\A0040582.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vya skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP163\A0041582.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xmw skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP165\A0042640.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP165\A0042641.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xmw skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP165\A0042642.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xmw skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP165\A0042663.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP168\A0043664.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP169\change.log Object is locked skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000694.exe/data.rar/torrentsearch.exe/data0004/stream/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000694.exe/data.rar/torrentsearch.exe/data0004/stream Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000694.exe/data.rar/torrentsearch.exe/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000694.exe/data.rar/torrentsearch.exe Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000694.exe/data.rar Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000694.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000697.exe/data0004/stream/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000697.exe/data0004/stream Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000697.exe/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP27\A0000697.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP55\A0006777.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP55\A0006781.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006816.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006816.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006816.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006816.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006817.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006817.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006818.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006818.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006819.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006819.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006819.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006819.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006820.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006820.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006820.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006820.exe/WISE0027.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006820.exe WiseSFX: infected - 4 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006820.exe WiseSFXDropper: infected - 4 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP57\A0006893.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP57\A0006894.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP57\A0006895.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP57\A0006896.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP57\A0006897.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006908.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006908.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006908.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006908.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006909.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006909.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006910.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006910.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006910.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP58\A0006910.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007125.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007149.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nve skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007152.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007153.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007154.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP63\A0007155.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0007201.dll Infected: Trojan-Spy.Win32.Delf.ex skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008188.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008193.exe/data0002 Infected: Trojan-Spy.Win32.Delf.ex skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008193.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008194.exe/data.rar/torrentsearch.exe/data0004/stream/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008194.exe/data.rar/torrentsearch.exe/data0004/stream Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008194.exe/data.rar/torrentsearch.exe/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008194.exe/data.rar/torrentsearch.exe Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008194.exe/data.rar Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008194.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008195.exe/data0004/stream/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008195.exe/data0004/stream Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008195.exe/data0004 Infected: Trojan.Win32.StartPage.rr skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008195.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008196.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008197.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008198.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008199.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008200.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP64\A0008201.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP65\A0008288.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyt skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP65\A0009203.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010325.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dys skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010326.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyu skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010327.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dyo skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010328.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyq skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010329.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010330.exe Infected: Trojan-Downloader.Win32.Obfuscated.se skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010394.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010395.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0010446.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011965.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.quy skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011967.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011968.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011969.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nve skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011971.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011972.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nve skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0011974.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0016025.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP66\A0016026.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nvf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP67\A0016029.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP67\A0016030.exe Infected: Trojan-Downloader.Win32.Zlob.lck skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0016034.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dyo skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0016043.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyu skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0016044.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dys skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0016045.exe Infected: Trojan-Downloader.Win32.Obfuscated.se skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0016046.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyq skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0017063.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyu skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0017064.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dys skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0018058.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0018070.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dyu skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP68\A0018071.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dys skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP76\A0020254.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP76\A0020255.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP76\A0020256.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP76\A0020257.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP82\A0020596.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP82\A0020597.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpx skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP82\A0020600.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP82\A0021596.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bthnqcgl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wctvklmq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ydx skipped
C:\WINDOWS\system32\yhbsxymk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\WINDOWS\TEMP\Cookies\index.dat Object is locked skipped
C:\WINDOWS\TEMP\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

Again thank you.
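An added triage helper for the Kaspersky report above (editor's example, not code from the thread or from Kaspersky). Every entry in that report ends in "skipped", i.e. the scanner only reported and took no action, and most hits sit under System Volume Information, which are archived restore-point copies rather than running code. The script separates the three live detections in system32 from the restore-point copies, drops the "Object is locked" lines (registry hives, event logs, index.dat files in use, not verdicts) and the per-archive totals (the archive members are already listed individually), and tallies malware families from Kaspersky's Type.Platform.Family.Variant naming. The sample lines are a constructed subset of the posted log; the "eight random lowercase letters" check is an assumption-level heuristic for Vundo/Virtumonde component names and is reported only as a corroborating flag on files the scanner already called infected.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied in the format of the posted
# Kaspersky Anti-Virus 7.0 report (not the full log).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP168\A0043664.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP169\change.log Object is locked skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006816.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{E21CEF99-B4BA-4F31-AC66-EBC36BFDE925}\RP56\A0006816.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\bthnqcgl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\WINDOWS\system32\wctvklmq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ydx skipped
C:\WINDOWS\system32\yhbsxymk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
"""

# One report line: <path> then one of three outcomes, then the action ("skipped").
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"            # concrete detection
    r"|Object is locked"                         # file in use; not a verdict
    r"|(?P<container>\S+): infected - \d+)"      # archive total; members listed separately
    r" skipped$"
)

# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.IGNORECASE)

# Heuristic (assumption): Vundo/Virtumonde drops DLLs with random 8-letter names in system32.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def family(verdict):
    """Kaspersky verdicts are Type.Platform.Family.Variant, optionally prefixed 'not-a-virus:'."""
    parts = verdict.split(":", 1)[-1].split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]


def triage(report):
    """Split detections into live files vs. restore-point copies; count locked/container lines."""
    live, archived = [], []
    locked = containers = 0
    for raw in report.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or unexpected line; ignore
        if m.group("verdict") is None:
            if m.group("container"):
                containers += 1
            else:
                locked += 1
            continue
        path, verdict = m.group("path"), m.group("verdict")
        entry = {
            "path": path,
            "verdict": verdict,
            "family": family(verdict),
            "restore_point": bool(RESTORE_RE.search(path)),
            "random_name": bool(RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1])),
        }
        (archived if entry["restore_point"] else live).append(entry)
    return {
        "live": live,
        "restore_points": archived,
        "locked": locked,
        "containers": containers,
        "families": Counter(e["family"] for e in live + archived),
    }


def summarize(result):
    """Human-readable lines: live files first, then family counts."""
    lines = [
        f"{len(result['live'])} live detection(s), "
        f"{len(result['restore_points'])} restore-point copies, "
        f"{result['locked']} locked object(s) ignored"
    ]
    for e in result["live"]:
        flag = "  [random 8-letter name: typical Vundo component]" if e["random_name"] else ""
        lines.append(f"  LIVE  {e['path']}  {e['verdict']}{flag}")
    for fam, n in result["families"].most_common():
        lines.append(f"  family {fam}: {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_REPORT))))
```

Run against the full posted report, the live list is what a helper acts on first; the restore-point entries only matter once the machine is clean, when System Restore is turned off and back on to flush the old RP folders, which is why the advice above is not to use System Restore until then.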

pskelley
2008-06-07, 19:21
The news is not good: this is a new infection the hackers have come up with, and I have never removed it before. Read about it here:
http://miekiemoes.blogspot.com/2008/05/virus-alert-in-clock-and-how-to-restore.html
You will need those instructions at some point to repair the damage. I am watching a couple of these infections, but I have not seen it cleaned yet. I can make no promise other than that I will do my best. You always have the option to reformat:

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Do you have any idea where you got this infection?

System Restore is very infected; do not use System Restore, or the junk will get back on your computer.
I can see by the C:\Qoobox\Quarantine\ folder that you have run combofix.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Madnezz
2008-06-08, 04:22
Unfortunately I am running Service Pack 3 and there isn't a Windows Recovery Console download on the site suggested by the ComboFix how-to.

So I ran ComboFix without it. And yes, I have run it before, without WRC installed apparently. This time I let it run for about 4 hours, until it halted while deleting files. I am about to run it again to see how far it gets, but since it's a hard-core bugger I figured you would be eager to see a reply. I was quite stunned when I read yours. You guys are the real deal. If you are stumped, I am afraid. lol I'll post as soon as I see a change.

Madnezz
2008-06-09, 03:10
BTW, I am probably going to reformat, but here are the logs.

ComboFix 08-06-07.1 - Madnezz 2008-06-07 21:20:00.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.497 [GMT -5:00]
Running from: C:\Documents and Settings\Madnezz\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 21:29 . 2008-06-07 21:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-07 20:15 . 2008-06-07 20:15 294 ---hs---- C:\WINDOWS\system32\cfaqjaue.ini
2008-06-07 15:31 . 2008-06-07 15:31 92,544 --a------ C:\WINDOWS\system32\euajqafc.dll
2008-06-07 01:51 . 2008-06-07 01:51 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-06-07 01:51 . 2008-06-07 01:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2008-06-07 01:51 . 2006-11-22 11:35 42,496 --a------ C:\WINDOWS\system32\AdvUninstCPL.cpl
2008-06-06 22:51 . 2008-06-06 22:51 <DIR> d-------- C:\Documents and Settings\Madnezz\Application Data\dvdcss
2008-06-06 05:01 . 2008-06-06 23:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 05:01 . 2008-06-06 05:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-06 04:01 . 2008-06-06 04:01 97,152 --a------ C:\WINDOWS\system32\tjttduit.dll
2008-06-04 16:35 . 2008-06-04 16:35 324,352 --a------ C:\WINDOWS\system32\geBqQIXp.dll_old
2008-06-03 00:52 . 2008-06-03 00:52 <DIR> d-------- C:\Documents and Settings\Madnezz\Application Data\vlc
2008-06-03 00:50 . 2008-06-03 00:50 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-02 23:18 . 2008-06-06 21:20 <DIR> d-------- C:\Program Files\Trillian
2008-06-02 15:36 . 2008-06-02 15:36 <DIR> dr-h----- C:\Documents and Settings\Madnezz\Application Data\SecuROM
2008-06-02 00:43 . 2008-06-03 18:59 <DIR> d-------- C:\Program Files\OpenAL
2008-06-02 00:43 . 2007-05-11 04:07 782,336 -ra------ C:\WINDOWS\system32\tmp7E.tmp
2008-06-02 00:43 . 2007-05-11 04:07 782,336 -ra------ C:\WINDOWS\system32\tmp7D.tmp
2008-06-02 00:43 . 2008-06-03 18:59 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-06-02 00:43 . 2008-06-03 18:59 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-06-02 00:36 . 2008-06-02 00:36 <DIR> d-------- C:\Program Files\Atari
2008-06-01 12:02 . 2008-06-01 12:02 <DIR> d-------- C:\Documents and Settings\Zodith\G-Force
2008-06-01 11:44 . 2008-06-01 11:44 <DIR> d-------- C:\Documents and Settings\Zodith\Application Data\Yahoo!
2008-06-01 10:52 . 2008-06-01 10:52 <DIR> d-------- C:\Documents and Settings\Zodith\Application Data\MySpace
2008-05-30 07:07 . 2008-05-30 07:07 <DIR> d-------- C:\Program Files\MySpace
2008-05-30 07:07 . 2008-05-30 07:07 <DIR> d-------- C:\Documents and Settings\Madnezz\Application Data\MySpace
2008-05-28 16:29 . 2008-05-28 16:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 15:25 . 2008-05-28 15:28 <DIR> d-------- C:\Documents and Settings\Madnezz\.housecall6.6
2008-05-28 08:28 . 2008-05-28 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-05-28 08:12 . 2008-05-12 10:49 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-05-28 02:08 . 2008-05-28 02:08 96 --a------ C:\ioSpecial.ini
2008-05-27 21:53 . 2008-05-27 21:53 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-05-27 21:53 . 2008-05-27 21:53 <DIR> d-------- C:\Dynamix
2008-05-27 21:52 . 2008-05-27 21:53 302 --a------ C:\WINDOWS\Sierra.ini
2008-05-20 21:10 . 2008-05-20 21:10 <DIR> d-------- C:\Documents and Settings\Bootz\Application Data\Yahoo!
2008-05-20 21:09 . 2008-05-20 21:09 <DIR> d-------- C:\Documents and Settings\Bootz\Application Data\Nero
2008-05-20 18:44 . 2008-05-20 18:44 8 --a------ C:\WINDOWS\system32\PdSACKey.sys
2008-05-20 16:14 . 2008-05-20 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-05-20 16:06 . 2008-05-20 16:06 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-20 16:06 . 2008-05-20 16:06 <DIR> d-------- C:\WINDOWS\Profiles
2008-05-20 16:06 . 2008-05-20 16:06 <DIR> d-------- C:\Documents and Settings\Madnezz\Application Data\InterTrust
2008-05-20 16:06 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-20 16:04 . 2008-05-20 16:04 <DIR> d-------- C:\Program Files\Dell
2008-05-20 16:03 . 2008-05-20 16:03 <DIR> d-------- C:\dell
2008-05-17 12:59 . 2008-05-17 12:59 <DIR> d-------- C:\Program Files\Data Doctor Recovery - SIM Card
2008-05-17 12:09 . 2008-05-17 12:09 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-17 12:09 . 2008-05-17 12:09 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-05-17 12:01 . 2008-05-17 12:05 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-17 12:00 . 2008-05-17 12:00 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-17 12:00 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-17 12:00 . 2006-12-14 10:27 40,832 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-05-17 12:00 . 2007-02-27 14:31 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-05-17 11:59 . 2008-05-17 12:07 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-05-17 11:59 . 2008-05-17 11:59 <DIR> d-------- C:\Documents and Settings\Madnezz\Application Data\InstallShield
2008-05-17 11:59 . 2008-05-17 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-17 11:53 . 2007-11-30 17:31 26,112 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-17 11:53 . 2007-11-30 17:31 26,112 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-17 11:34 . 2001-06-12 14:04 244,024 --a------ C:\WINDOWS\system32\msflxgrd.ocx
2008-05-17 11:34 . 2004-03-08 10:18 77,895 --a------ C:\WINDOWS\system32\unibus_tcutil.dll
2008-05-17 11:34 . 2004-03-01 18:53 37,760 --a------ C:\WINDOWS\system32\drivers\P2k.sys
2008-05-17 11:08 . 2008-05-17 11:34 <DIR> d-------- C:\Program Files\Motorola
2008-05-12 20:53 . 2008-05-12 20:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 20:53 . 2008-05-12 20:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-12 20:53 . 2008-05-12 20:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-12 20:51 . 2008-05-12 20:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 20:51 . 2008-05-12 20:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-12 20:49 . 2008-05-12 20:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-12 20:49 . 2008-05-12 20:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-12 17:39 . 2008-05-12 17:47 <DIR> d-------- C:\Program Files\VOCALOID
2008-05-12 17:39 . 2008-05-12 17:39 <DIR> d-------- C:\Program Files\Steinberg
2008-05-12 10:56 . 2008-05-12 10:56 397,312 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-12 10:53 . 2008-05-12 10:53 307,200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2008-05-12 10:45 . 2008-05-12 10:45 180,224 --a------ C:\WINDOWS\system32\atipdlxx.dll
2008-05-12 10:45 . 2008-05-12 10:45 139,264 --a------ C:\WINDOWS\system32\Oemdspif.dll
2008-05-12 10:45 . 2008-05-12 10:45 43,520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2008-05-12 10:45 . 2008-05-12 10:45 26,112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2008-05-12 10:44 . 2008-05-12 10:44 139,264 --a------ C:\WINDOWS\system32\ati2evxx.dll
2008-05-12 10:43 . 2008-05-12 10:43 10,153,984 --a------ C:\WINDOWS\system32\atioglx2.dll
2008-05-12 10:43 . 2008-05-12 10:43 540,672 --a------ C:\WINDOWS\system32\ati2evxx.exe
2008-05-12 10:41 . 2008-05-12 10:41 53,248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2008-05-12 10:22 . 2008-05-12 10:22 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2008-05-12 10:22 . 2008-05-12 10:22 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2008-05-12 10:22 . 2008-05-12 10:22 887,724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-05-12 10:09 . 2008-05-12 10:09 47,104 --a------ C:\WINDOWS\system32\amdpcom32.dll
2008-05-12 10:05 . 2008-05-12 10:05 5,439,488 --a------ C:\WINDOWS\system32\atioglxx.dll
2008-05-12 10:05 . 2008-05-12 10:05 327,680 --a------ C:\WINDOWS\system32\atikvmag.dll
2008-05-12 10:03 . 2008-05-12 10:03 19,968 --a------ C:\WINDOWS\system32\atiadlxx.dll
2008-05-12 10:03 . 2008-05-12 10:03 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
2008-05-12 10:02 . 2008-05-12 10:02 241,664 --a------ C:\WINDOWS\system32\atiok3x2.dll
2008-05-12 10:02 . 2008-05-12 10:02 49,152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2008-05-10 09:05 . 2008-05-10 09:05 <DIR> d-------- C:\Documents and Settings\Madnezz\Application Data\Apple Computer
2008-05-10 07:51 . 2008-05-10 07:51 <DIR> d-------- C:\Program Files\Fisher
2008-05-10 07:51 . 2008-05-10 07:51 <DIR> d-------- C:\Documents and Settings\Madnezz\WINDOWS
2008-05-10 07:51 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-05-09 17:33 . 2008-05-16 11:03 <DIR> dr------- C:\Documents and Settings\Madnezz\My Private Folder
2008-05-09 05:58 . 2008-05-09 05:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-09 03:00 . 2008-05-09 03:52 <DIR> d-------- C:\WINDOWS\vnDrvBas
2008-05-09 02:55 . 2008-05-09 04:01 <DIR> d-------- C:\VundoFix Backups
2008-05-09 02:41 . 2008-05-09 02:41 <DIR> d-------- C:\Documents and Settings\Zodith\Application Data\Jasc Software Inc
2008-05-09 02:11 . 2008-05-09 02:11 <DIR> d-------- C:\Documents and Settings\Zodith\Application Data\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 01:30 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-07 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 07:09 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\Azureus
2008-06-06 03:47 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\FrostWire
2008-05-31 16:42 22,584 ----a-w C:\Documents and Settings\Madnezz\Application Data\PnkBstrK.sys
2008-05-30 03:35 --------- d-----w C:\Program Files\ATI Technologies
2008-05-30 00:33 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\IGN_DLM
2008-05-28 21:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-28 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 16:42 --------- d-----w C:\Program Files\DivX
2008-05-20 21:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 16:39 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\AdobeUM
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-09 08:20 --------- d-----w C:\Program Files\Logitech
2008-05-09 08:03 --------- d-----w C:\Program Files\PowerISO
2008-04-29 10:25 --------- d-----w C:\Documents and Settings\Zodith\Application Data\ATI
2008-04-25 23:17 --------- d-----w C:\Documents and Settings\Bootz\Application Data\ATI
2008-04-25 21:35 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\Propellerhead Software
2008-04-25 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-04-25 21:34 --------- d-----w C:\Program Files\Propellerhead
2008-04-25 17:37 --------- d-----w C:\Program Files\Electronic Arts
2008-04-24 23:49 --------- d-----w C:\Program Files\Azureus
2008-04-24 20:34 --------- d-----w C:\Program Files\EA GAMES
2008-04-20 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-20 22:20 --------- d-----w C:\Program Files\VirtualDJ
2008-04-19 19:41 --------- d-----w C:\Program Files\Microsoft Games
2008-04-13 17:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 17:29 --------- d-----w C:\Program Files\Trojan Remover
2008-04-13 17:29 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\Jasc
2008-04-13 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\udizglwb
2008-04-13 06:07 --------- d-----w C:\Program Files\CAM Development
2008-04-08 18:14 --------- d-----w C:\Program Files\id Software
2008-04-08 15:50 --------- d-----w C:\Program Files\Red Storm Entertainment
2008-04-08 15:49 --------- d-----w C:\Program Files\ubi.com
2008-04-08 15:49 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-04-08 15:49 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\ubi.com
2008-04-08 11:50 --------- d-----w C:\Documents and Settings\Madnezz\Application Data\uTorrent
2008-04-08 07:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-08 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-08 01:32 --------- d-----w C:\Program Files\Lavasoft
2008-04-08 01:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 08:39 113,664 ----a-w C:\WINDOWS\inf\hdaudio.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-05_ 2.02.07.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 05:39:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-08 02:27:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-05 01:33:45 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2008-06-08 01:30:01 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}]
C:\WINDOWS\system32\rqRHaXQh.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{524B3524-DC50-4550-8D8D-BCB03C13AA91}]
C:\WINDOWS\system32\hgGvtUNf.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70546826-8467-4099-B465-62A320CC3025}]
C:\WINDOWS\system32\opnnoonM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8}]
C:\WINDOWS\system32\geBqQIXp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E179AAD-18CD-4EA2-81B8-EAF021292969}]
C:\WINDOWS\system32\wvUoNgHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A06EE1D2-3E4C-42E4-B8EA-B19E8C5A82CE}]
C:\WINDOWS\system32\pmnnLCrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B23BA466-DAED-44B7-B2BF-4BA3101C1517}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9}]
C:\WINDOWS\system32\iiffCTlL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B88270-F79D-45EF-A34B-99BA72C8CEC0}]
C:\WINDOWS\system32\rqRJaxWp.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA4C63D4-87F0-4F6F-BC12-FF3D530B25CF}]
C:\WINDOWS\system32\yayyaWNF.dll__BHODemonDisabled

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA8DC75A-3505-4126-B126-4D967EC5A9A0}]
C:\WINDOWS\system32\nnnkKebB.dll__BHODemonDisabled

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2007-12-04 05:57 2494464]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-11-30 08:26 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57 1103480]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"60d94983"="C:\WINDOWS\system32\efwxmajb.dll" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"muBlinder"="C:\Documents and Settings\Madnezz\Desktop\muBlinder\muBlinder.exe" [2008-03-27 19:29 1406464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}"= C:\WINDOWS\system32\rqRHaXQh.dll__BHODemonDisabled [ ]
"{C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9}"= C:\WINDOWS\system32\iiffCTlL.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRHBU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffCTlL]
iiffCTlL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXQh]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DelayLoad"=C:\DOCUME~1\Madnezz\LOCALS~1\Temp\msprint.exe
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
"60d94983"=rundll32.exe "C:\WINDOWS\system32\fgoslqmk.dll",b
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"MyWebSearch Plugin"=rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\sacred.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Ascaron Entertainment\\Sacred Underworld\\gameserver.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\lsupdatemanager.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"=
"C:\\Program Files\\VUGames\\Tribes Vengeance\\Program\\Bin\\TV.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.EXE"=
"C:\WINDOWS\system32\sessmgr.exe"= C:\WINDOWS\system32\sessmgr.exe:1.1.1.1/255.255.255.255:Disabled:@xpsp2res.dll,-22019
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Red Storm Entertainment\\RavenShield\\system\\RavenShield.exe"=
"C:\\Documents and Settings\\Madnezz\\Desktop\\music\\Stuff from Tys machine\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Atari\\ArmA\\arma.exe"=
"C:\\Program Files\\Atari\\ArmA\\arma_server.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:192.168.2.1/255.255.255.255:Disabled:@xpsp2res.dll,-22009

R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 02:15]
R1 SSHDRV65;SSHDRV65;C:\WINDOWS\system32\drivers\SSHDRV65.sys [2008-03-28 08:34]
R1 SSHDRV79;SSHDRV79;C:\WINDOWS\system32\drivers\SSHDRV79.sys [2008-03-31 10:17]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2008-03-26 13:49]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
S2 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-08 06:54:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-08 01:17:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{31135B0B-451E-4D59-9692-1444503EA678}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 18:56:53
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-08 19:05:58 - machine was rebooted [Madnezz]
ComboFix-quarantined-files.txt 2008-06-09 00:05:53
ComboFix2.txt 2008-06-05 07:04:32
ComboFix3.txt 2008-05-28 17:38:01
ComboFix4.txt 2008-05-09 10:53:53

Pre-Run: 76,850,704,384 bytes free
Post-Run: 77,007,941,632 bytes free

316 --- E O F --- 2008-06-08 08:00:20

now hjt:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:10, on 6/8/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\rqRHaXQh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {524B3524-DC50-4550-8D8D-BCB03C13AA91} - C:\WINDOWS\system32\hgGvtUNf.dll (disabled by BHODemon)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70546826-8467-4099-B465-62A320CC3025} - C:\WINDOWS\system32\opnnoonM.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8} - C:\WINDOWS\system32\geBqQIXp.dll (file missing)
O2 - BHO: (no name) - {9E179AAD-18CD-4EA2-81B8-EAF021292969} - C:\WINDOWS\system32\wvUoNgHB.dll (file missing)
O2 - BHO: (no name) - {A06EE1D2-3E4C-42E4-B8EA-B19E8C5A82CE} - C:\WINDOWS\system32\pmnnLCrs.dll (file missing)
O2 - BHO: (no name) - {B23BA466-DAED-44B7-B2BF-4BA3101C1517} - (no file)
O2 - BHO: (no name) - {C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9} - C:\WINDOWS\system32\iiffCTlL.dll (file missing)
O2 - BHO: (no name) - {E1B88270-F79D-45EF-A34B-99BA72C8CEC0} - C:\WINDOWS\system32\rqRJaxWp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA4C63D4-87F0-4F6F-BC12-FF3D530B25CF} - C:\WINDOWS\system32\yayyaWNF.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA8DC75A-3505-4126-B126-4D967EC5A9A0} - C:\WINDOWS\system32\nnnkKebB.dll (disabled by BHODemon)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [60d94983] rundll32.exe "C:\WINDOWS\system32\efwxmajb.dll",b
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Madnezz\Desktop\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206489383437
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206486870125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206486863578
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - iiffCTlL.dll (file missing)
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 9659 bytes

pskelley
2008-06-09, 03:31
btw I am probably going to reformat. but here are the logs.
No reason for me to look at this information if you are reformatting. ComboFix does not even appear to see the junk unless you ran ComboFix before and I did not see the first log; see this:
---- Previous Run -------
C:\WINDOWS\cookies.ini

because it appears you are using BHODemon to disable the junk.
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\rqRHaXQh.dll (disabled by BHODemon)

from the combofix log:
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}]
C:\WINDOWS\system32\rqRHaXQh.dll__BHODemonDisabled

I was under the impression BHODemon was no longer available; how is it you are running it?
http://www.definitivesolutions.com/bhodemon.htm

Thanks

Madnezz
2008-06-09, 04:47
I see the lines you are talking about, but I am not intentionally running this, nor have I heard of it. Reformatting is a pain in the as$; I have A LOT of data stored on my machine and a lot of it is original content. I had hoped not to do that if you guys could save that pain from my as$. Alas, my as$ is doomed. :lip:

btw I had run ComboFix before on my own, like an idiot, before I saw all the warnings on here not to. :oops:

pskelley
2008-06-09, 14:08
btw I am probably going to reformat. but here are the logs.
That is what you said. If you want to try to clean the computer, I will do all I can.

I need to know why you have this item running on your computer:
C:\Documents and Settings\Madnezz\Desktop\muBlinder\muBlinder.exe
http://www.bleepingcomputer.com/startups/muBlinder.exe-16771.html

Let's start like this:

1) System Restore has a load of infected files; if you use SR the infections will be returned to your computer. DO NOT use SR.

2) (Delete these files in red; they are infected)

C:\Documents and Settings\All Users\Documents\My Music\01 Track 1.wma
C:\Documents and Settings\All Users\Documents\My Music\06 Track 6.wma
C:\Documents and Settings\All Users\Documents\My Music\hood nigar.mp3
C:\Documents and Settings\All Users\Documents\My Music\my dick mickey avalon.mp3
C:\Documents and Settings\All Users\Documents\My Music\TOTALLY HIP TRACK.wma
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Desktop Clean-up\EblessV8\mIRC.exe
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\Desktop Clean-up\EblessV8.zip
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\EblessV8\mIRC.exe
C:\Documents and Settings\Madnezz\Desktop\music\Stuff from Tys machine\EblessV8.zip
C:\Documents and Settings\Madnezz\Desktop\yahoo stuff\revelation.zip
C:\Documents and Settings\Madnezz\My Documents\Azureus Downloads\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe
C:\Program Files\Motorola\RSD Lite\RSDLUpdater.exe

3) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, click on Tools.
* Then click on the Resident icon in the list.
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

4) Download ResetTeaTimer.bat to the Desktop:
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

5) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
6) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

7) Windows Defender: Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

(Follow these directions for the CFScript VERY carefully)

8) Open Notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\efwxmajb.dll
C:\WINDOWS\system32\cfaqjaue.ini
C:\WINDOWS\system32\euajqafc.dll
C:\WINDOWS\system32\tjttduit.dll
C:\WINDOWS\system32\geBqQIXp.dll_old
C:\WINDOWS\system32\tmp7E.tmp
C:\WINDOWS\system32\tmp7D.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{524B3524-DC50-4550-8D8D-BCB03C13AA91}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70546826-8467-4099-B465-62A320CC3025}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E179AAD-18CD-4EA2-81B8-EAF021292969}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A06EE1D2-3E4C-42E4-B8EA-B19E8C5A82CE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B23BA466-DAED-44B7-B2BF-4BA3101C1517}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B88270-F79D-45EF-A34B-99BA72C8CEC0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA4C63D4-87F0-4F6F-BC12-FF3D530B25CF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA8DC75A-3505-4126-B126-4D967EC5A9A0}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRHBU]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffCTlL]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXQh]

Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\udizglwb

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

9) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by the script)

R3 - URLSearchHook: (no name) - {B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\rqRHaXQh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {524B3524-DC50-4550-8D8D-BCB03C13AA91} - C:\WINDOWS\system32\hgGvtUNf.dll (disabled by BHODemon)
O2 - BHO: (no name) - {70546826-8467-4099-B465-62A320CC3025} - C:\WINDOWS\system32\opnnoonM.dll (file missing)
O2 - BHO: (no name) - {95F1AE09-15E9-4D9F-84F9-3ADF02A21CE8} - C:\WINDOWS\system32\geBqQIXp.dll (file missing)
O2 - BHO: (no name) - {9E179AAD-18CD-4EA2-81B8-EAF021292969} - C:\WINDOWS\system32\wvUoNgHB.dll (file missing)
O2 - BHO: (no name) - {A06EE1D2-3E4C-42E4-B8EA-B19E8C5A82CE} - C:\WINDOWS\system32\pmnnLCrs.dll (file missing)
O2 - BHO: (no name) - {B23BA466-DAED-44B7-B2BF-4BA3101C1517} - (no file)
O2 - BHO: (no name) - {C1B9D7F9-6B21-44B2-BE34-DDB11C5C75D9} - C:\WINDOWS\system32\iiffCTlL.dll (file missing)
O2 - BHO: (no name) - {E1B88270-F79D-45EF-A34B-99BA72C8CEC0} - C:\WINDOWS\system32\rqRJaxWp.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA4C63D4-87F0-4F6F-BC12-FF3D530B25CF} - C:\WINDOWS\system32\yayyaWNF.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EA8DC75A-3505-4126-B126-4D967EC5A9A0} - C:\WINDOWS\system32\nnnkKebB.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [60d94983] rundll32.exe "C:\WINDOWS\system32\efwxmajb.dll",b
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\Madnezz\Desktop\muBlinder\muBlinder.exe -startup
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - iiffCTlL.dll (file missing)
O20 - Winlogon Notify: rqRHaXQh - C:\WINDOWS\
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

10) Open HijackThis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart and post the information I requested about muBlinder, the uninstall list and a new HJT log.

Thanks
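As an added example (not part of the thread, and not ComboFix or HijackThis code), a small Python check that parses HijackThis O2/O20 lines and a CFScript and reports which BHO CLSIDs or Winlogon Notify names the script does not delete. The log lines are taken from this thread; the CFScript sample is a constructed, deliberately incomplete fragment so the check has something to report.

```python
import re

# CLSIDs are 32 hex digits plus 4 hyphens inside braces (36 chars).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: HijackThis lines copied from this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\rqRHaXQh.dll (disabled by BHODemon)
O2 - BHO: (no name) - {70546826-8467-4099-B465-62A320CC3025} - C:\WINDOWS\system32\opnnoonM.dll (file missing)
O2 - BHO: (no name) - {B23BA466-DAED-44B7-B2BF-4BA3101C1517} - (no file)
O20 - Winlogon Notify: ddcCRHBU - C:\WINDOWS\
O20 - Winlogon Notify: iiffCTlL - iiffCTlL.dll (file missing)
"""

# Constructed sample: a trimmed CFScript that intentionally omits one BHO and one Notify key.
CFSCRIPT_SAMPLE = r"""
File::
C:\WINDOWS\system32\efwxmajb.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70546826-8467-4099-B465-62A320CC3025}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCRHBU]

Folder::
C:\VundoFix Backups
"""

def parse_hjt(text):
    """Return (set of O2 BHO CLSIDs, set of O20 Winlogon Notify names)."""
    bho, notify = set(), set()
    for line in text.splitlines():
        if line.startswith("O2 - BHO:"):
            m = CLSID_RE.search(line)
            if m:
                bho.add(m.group(0).upper())
        elif line.startswith("O20 - Winlogon Notify:"):
            # First ':' ends the prefix; the name sits before the first ' - '.
            notify.add(line.split(":", 1)[1].split(" - ")[0].strip())
    return bho, notify

def parse_cfscript(text):
    """Return the registry keys a CFScript deletes ([-KEY] lines under Registry::)."""
    deletions, section = set(), None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            section = line[:-2]
        elif section == "Registry" and line.startswith("[-") and line.endswith("]"):
            deletions.add(line[2:-1])
    return deletions

def uncovered(hjt_text, cfscript_text):
    """List BHO CLSIDs and Notify names seen in the HJT log but not deleted by the script."""
    bho, notify = parse_hjt(hjt_text)
    keys = parse_cfscript(cfscript_text)
    covered_clsids = {m.group(0).upper() for k in keys for m in [CLSID_RE.search(k)] if m}
    covered_notify = {k.rsplit("\\", 1)[-1].lower() for k in keys if "winlogon\\notify" in k.lower()}
    return (sorted(bho - covered_clsids),
            sorted(n for n in notify if n.lower() not in covered_notify))
```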

pskelley
2008-06-15, 13:46
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.