Virtumonde in memory

DamionW · Aug 25, 2007

Hello all. First-time poster. I have a Virtumonde problem (like half of the people here, seems). I attempted to remove it with both Spybot and VundoFix, and neither can remove it because it says the file is currently in the active memory, and even on reboot they still can't remove it.

I have run a Kapersky scan and saved the log. I attempted to run in safe mode and use Spybot and VundoFix and neither could remove it in safe mode. I downloaded HijackThis, but have not run it yet.

Standing by request for logs or any other required action.

Thanks everyone for this valuable service and advice. It's nice to know there are knowledgable people out there that care.

Shaba · Aug 25, 2007

Hi DamionW

Please post HijackThis log and kaspersky report here

DamionW · Aug 25, 2007

Kapersky log

C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08400000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A180000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B480000.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B480001.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B480002.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B480004.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B480006.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B480008.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0000.VBN/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0000.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0002.VBN Infected: Virus.Win32.Virut.f skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0004.VBN Infected: Email-Worm.Win32.Zhelatin.gb skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0006.VBN Infected: Trojan-Clicker.Win32.Agent.jp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0008.VBN Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C000A.VBN Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C000C.VBN Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C000E.VBN Infected: Virus.Win32.Virut.f skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0010.VBN Infected: Email-Worm.Win32.Zhelatin.gb skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0012.VBN Infected: Virus.Win32.Virut.f skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0014.VBN Infected: Email-Worm.Win32.Zhelatin.gb skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0016.VBN Infected: Trojan-Clicker.Win32.Agent.jp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0018.VBN/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0018.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C0018.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C001A.VBN/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C001A.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C001A.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C3C001C.VBN Infected: Trojan-Clicker.Win32.Agent.jp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200000.VBN Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200002.VBN Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200004.VBN Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200008.VBN Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200009.VBN Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E20000B.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E20000D.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E20000F.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200011.VBN/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200011.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200011.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200013.VBN Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200015.VBN Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200017.VBN Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E200018.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E20001A.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E20001C.VBN Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E800000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E800002.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E800004.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E800006.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900000.VBN/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900000.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900001.VBN/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900001.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900002.VBN Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900003.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900005.VBN/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900005.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900005.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900007.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900008.VBN Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900009.VBN/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900009.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900009.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E90000B.VBN/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E90000B.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E90000B.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E90000D.VBN Infected: Exploit.Multi.Qtp.b skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600002.VBN/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600002.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600002.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600004.VBN Infected: Trojan-Clicker.Win32.Small.cf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600008.VBN/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600008.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600008.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F60000A.VBN Infected: Trojan-Clicker.Win32.Small.cf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F60000C.VBN/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F60000C.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F60000C.VBN CryptZ: infected - 1 skipped

DamionW · Aug 25, 2007

Kapersky log 2

C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F60000E.VBN Infected: Trojan-Clicker.Win32.Small.cf skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600010.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F600011.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FA00000.VBN Infected: Trojan-Downloader.Win32.Tiny.fl skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FE80000.VBN Infected: Trojan-Spy.Win32.BZub.gr skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FE80002.VBN Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80000.VBN Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80002.VBN Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kx skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80007.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80009.VBN Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E8000B.VBN Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E8000D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E8000F.VBN Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80011.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80013.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80015.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80017.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80018.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E8001A.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E8001C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E8001E.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\37E80020.VBN Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\7E440000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kx skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\7E440001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vjk93ic.default\Cache(2)\004982A7d01 Infected: not-a-virus

ownloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vjk93ic.default\Cache(2)\A23E4567d01 Infected: not-a-virus

ownloader.Win32.WinFixer.o skipped
C:\Documents and Settings\Owner\Application Data\tmpA.tmp.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007082420070825\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\1816 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE030.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JZNPO4YR\papamisha[1] Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\URXDZHLT\dedamisha[1] Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000011.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Motive\FirmwareUpdater\firmwareUpdater.log Object is locked skipped
C:\Program Files\Sprint DSL virtual assistant\log\mpbtn.log Object is locked skipped
C:\Program Files\WinBudget\bin\crap.1169508667.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\Program Files\WinBudget\bin\crap.1169508667.old Embedded EXE: infected - 1 skipped
C:\Program Files\WinBudget\bin\matrix.dll.1187135407.old Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gcwsvbf.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlihe.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

DamionW · Aug 25, 2007

Kapersky log 3

C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156291.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156292.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156293.exe Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156295.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156296.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156297.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156298.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156299.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156299.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156300.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156301.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156302.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156303.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156305.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156308.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156310.dll Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP642\A0158276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP642\A0158293.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0162325.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0162326.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0162327.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0163310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0166321.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0166330.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0167348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0170362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0170372.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0170373.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0172362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174399.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174423.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174424.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174426.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175427.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175429.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175430.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175431.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175432.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175434.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175435.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175436.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175437.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175440.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175441.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175754.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175755.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175757.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175781.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175783.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175784.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175785.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175786.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175787.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175788.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175789.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175790.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175791.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175792.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175793.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175794.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175795.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175854.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175862.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kx skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175878.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP651\A0179086.sys Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP651\A0179087.exe Infected: Email-Worm.Win32.Zhelatin.he skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182128.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182130.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182134.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182134.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182134.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\change.log Object is locked skipped
C:\VundoFix Backups\pmnlihe.dll.bad Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\WINDOWS\awturs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\qpxdahfA.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\caps32.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\qwerty12.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Umlja3kgUGVybmlh\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\Umlja3kgUGVybmlh\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

DamionW · Aug 25, 2007

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:15 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NavNT\vpc32.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5566770F-1FC5-4BE1-8B5A-ED22C63BB6A9} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmpB.tmp.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: (no name) - {FBCA2AC6-19A6-4AD6-90C0-4EA93EE6E459} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA985] command /c del "C:\WINDOWS\system32\caps32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1908] cmd /c del "C:\WINDOWS\system32\caps32.dll_tobedeleted"
O4 - HKCU\..\Run: [Mtod] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O20 - Winlogon Notify: caps32 - C:\WINDOWS\SYSTEM32\caps32.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\profsydyra.html
O24 - Desktop Component 1: (no name) - http://static.flickr.com/87/253786558_48dc617eae.jpg?v=0

--
End of file - 10360 bytes

Shaba · Aug 25, 2007

Hi

I see that you have ran combofix, too.

Please post its log.

It's here -> C:\ComboFix.txt

DamionW · Aug 25, 2007

Combofix log

ComboFix 07-08-17.2 - "Owner" 2007-08-23 19:31:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.146 [GMT -5:00]
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner.\svchost.exe
C:\DOCUME~1\Owner\APPLIC~1.\pppatc~1
C:\DOCUME~1\Owner\APPLIC~1.\pppatc~1\?ppPatch\
C:\DOCUME~1\Owner\APPLIC~1.\pppatc~1\logonui.exe
C:\DOCUME~1\Owner\APPLIC~1\install.dat
C:\DOCUME~1\Owner\MYDOCU~1.\fnts~1
C:\DOCUME~1\Owner\MYDOCU~1.\fnts~1\r?gsvr32.exe
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\Program Files\Online Services\profsydyra.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\sks~1
C:\Program Files\sks~1\w?wexec.exe
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\180ax.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\bi.dll
C:\WINDOWS\biprep.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\rau001978.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\blrow.dll
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G5
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\gcwsvbf.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\jutulfzc.dll
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\msscds32.dll
C:\WINDOWS\system32\pmnlihe.dll
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wnstsicomsv32.exe
C:\WINDOWS\temp\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Driver
-------\Net Agent

((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))

2007-08-23 19:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 19:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-23 01:17 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-23 00:34 1,203,548 --a------ C:\WINDOWS\system32\dn94804ef2.dat
2007-08-23 00:14 94,713 --------- C:\WINDOWS\system32\caps32.dll
2007-08-23 00:14 3,638 --a------ C:\WINDOWS\mpxti5s8.exe
2007-08-16 18:27 <DIR> d-------- C:\VundoFix Backups
2007-08-16 17:18 <DIR> d-------- C:\Program Files\CCleaner
2007-08-14 18:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-27 18:26 <DIR> d--hs---- C:\WINDOWS\Umlja3kgUGVybmlh
2007-07-25 18:11 1,076,352 -r-hs---- C:\WINDOWS\qpxdahfA.exe
2007-07-24 13:26 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Walgreens

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 19:32 --------- d-------- C:\Program Files\Online Services
2007-07-21 17:35 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-21 17:35 --------- d-------- C:\Program Files\CASIO
2007-07-14 13:00 --------- d-------- C:\Program Files\Untitled
2007-07-14 13:00 --------- d-------- C:\Program Files\SCM Microsystems
2007-07-14 12:55 --------- d-------- C:\Program Files\Common Files\ActivCard
2007-07-14 12:55 --------- d-------- C:\Program Files\ActivCard
2007-07-07 20:36 --------- d-------- C:\Program Files\NPC Designer
2005-08-02 21:46:54 187,904 --sha-r C:\WINDOWS\Umlja3kgUGVybmlh\asappsrv.dll
2005-08-02 21:58:38 293,888 --sha-r C:\WINDOWS\Umlja3kgUGVybmlh\command.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Umlja3kgUGVybmlh\oA53ua40o3pVvA51.vbs

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5566770F-1FC5-4BE1-8B5A-ED22C63BB6A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBCA2AC6-19A6-4AD6-90C0-4EA93EE6E459}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-01-18 21:45]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-01-18 21:45]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-18 21:45]
"SprintModemUpdate"="javaw.exe" [2004-06-03 22:09 C:\WINDOWS\system32\javaw.exe]
"Motive SmartBridge"="C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe" [2007-01-18 21:45]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2007-01-18 21:45]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-18 21:45]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-01-18 21:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-18 21:45]
"acEventServ"="C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe" [2003-07-01 06:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="" []
"Mtod"="C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\logonui.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ActivCard Gold Smart Card Agent.lnk - C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe [2003-03-19 09:27:00]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04]
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2005-01-07 08:42:17]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-07-21 17:35:31]
Sprint virtual assistant.lnk - C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe [2005-11-01 21:56:59]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2005-01-07 08:40:19]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\profsydyra.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
acauth.dll 2002-12-17 10:11 65536 C:\WINDOWS\system32\acauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caps32]
caps32.dll 2007-08-23 00:14 94713 C:\WINDOWS\system32\caps32.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 ACachSrv;ActivCard Authentication Service;C:\Program Files\Common Files\ActivCard\acachsrv.exe
R2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe
R2 acautoupdate;ActivCard Auto-Update Service;C:\Program Files\Common Files\ActivCard\acautoup.exe
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 SCRx31 USB Reader;SCRx31 USB Reader;C:\WINDOWS\system32\DRIVERS\stc2.sys

Contents of the 'Scheduled Tasks' folder
2007-08-24 00:19:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-23 19:36:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-23 19:37:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-23 19:37

--- E O F ---

Shaba · Aug 25, 2007

Hi

# Run Spybot-S&D in Advanced Mode.
# If it is not already set to do this Go to the Mode menu select "Advanced Mode"
# On the left hand side, Click on Tools
# Then click on the Resident Icon in the List
# Uncheck "Resident TeaTimer" and OK any prompts.
# Restart your computer.

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [Mtod] "C:\DOCUME~1\Owner\APPLIC~1\PPPATC~1\logonui.exe" -vt yazb
O20 - Winlogon Notify: caps32 - C:\WINDOWS\SYSTEM32\caps32.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\profsydyra.html

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\dn94804ef2.dat
C:\WINDOWS\system32\caps32.dll
C:\WINDOWS\qpxdahfA.exe

Folder::
C:\WINDOWS\Umlja3kgUGVybmlh
C:\Program Files\WinBudget

Save this as "CFScript"

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

DamionW · Aug 25, 2007

2nd HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:54 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5566770F-1FC5-4BE1-8B5A-ED22C63BB6A9} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: (no name) - {FBCA2AC6-19A6-4AD6-90C0-4EA93EE6E459} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O20 - Winlogon Notify: caps32 - caps32.dll (file missing)
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 1: (no name) - http://static.flickr.com/87/253786558_48dc617eae.jpg?v=0

--
End of file - 10195 bytes

DamionW · Aug 25, 2007

2nd ComboFix log

ComboFix 07-08-17.2 - "Owner" 2007-08-25 8:25:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\dn94804ef2.dat
C:\WINDOWS\system32\caps32.dll
C:\WINDOWS\qpxdahfA.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner\APPLIC~1\tmp30D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp30E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB.tmp.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1169508667.old
C:\Program Files\WinBudget\bin\crap.1187135408.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1187135407.old
C:\WINDOWS\qpxdahfA.exe
C:\WINDOWS\system32\caps32.dll
C:\WINDOWS\system32\dn94804ef2.dat
C:\WINDOWS\system32\tmpB.tmp.dll
C:\WINDOWS\Umlja3kgUGVybmlh
C:\WINDOWS\Umlja3kgUGVybmlh\asappsrv.dll
C:\WINDOWS\Umlja3kgUGVybmlh\command.exe
C:\WINDOWS\Umlja3kgUGVybmlh\oA53ua40o3pVvA51.vbs

((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))

2007-08-25 07:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-25 00:03 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-23 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-23 19:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-23 19:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-08-23 19:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 19:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-23 01:17 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-23 00:14 3,638 --a------ C:\WINDOWS\mpxti5s8.exe
2007-08-16 18:27 <DIR> d-------- C:\VundoFix Backups
2007-08-16 17:18 <DIR> d-------- C:\Program Files\CCleaner
2007-08-14 18:40 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-23 19:32 --------- d-------- C:\Program Files\Online Services
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-24 13:26 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Walgreens
2007-07-21 17:35 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-21 17:35 --------- d-------- C:\Program Files\CASIO
2007-07-14 13:00 --------- d-------- C:\Program Files\Untitled
2007-07-14 13:00 --------- d-------- C:\Program Files\SCM Microsystems
2007-07-14 12:55 --------- d-------- C:\Program Files\Common Files\ActivCard
2007-07-14 12:55 --------- d-------- C:\Program Files\ActivCard
2007-07-07 20:36 --------- d-------- C:\Program Files\NPC Designer
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5566770F-1FC5-4BE1-8B5A-ED22C63BB6A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBCA2AC6-19A6-4AD6-90C0-4EA93EE6E459}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-01-18 21:45]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-01-18 21:45]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-18 21:45]
"SprintModemUpdate"="javaw.exe" [2004-06-03 22:09 C:\WINDOWS\system32\javaw.exe]
"Motive SmartBridge"="C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe" [2007-01-18 21:45]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2007-01-18 21:45]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-01-18 21:45]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-01-18 21:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-18 21:45]
"acEventServ"="C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe" [2003-07-01 06:42]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2007-01-18 21:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ActivCard Gold Smart Card Agent.lnk - C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe [2003-03-19 09:27:00]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 18:01:04]
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2005-01-07 08:42:17]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-07-21 17:35:31]
Sprint virtual assistant.lnk - C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe [2005-11-01 21:56:59]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2005-01-07 08:40:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acAuth]
acauth.dll 2002-12-17 10:11 65536 C:\WINDOWS\system32\acauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caps32]
caps32.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R2 ACachSrv;ActivCard Authentication Service;C:\Program Files\Common Files\ActivCard\acachsrv.exe
R2 acautoreg;ActivCard Gold Autoregister;C:\Program Files\Common Files\ActivCard\acautoreg.exe
R2 acautoupdate;ActivCard Auto-Update Service;C:\Program Files\Common Files\ActivCard\acautoup.exe
R2 Accoca;ActivCard Gold service;C:\Program Files\Common Files\ActivCard\accoca.exe
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 PCAlertDriver;PCAlertDriver;\??\C:\Program Files\MSI\PC Alert 4\NTGLM7X.sys
R3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 SCRx31 USB Reader;SCRx31 USB Reader;C:\WINDOWS\system32\DRIVERS\stc2.sys

*Newly Created Service* - PCALERTDRIVER

Contents of the 'Scheduled Tasks' folder
2007-08-25 13:19:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 08:28:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-25 8:29:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-25 08:29
C:\ComboFix2.txt ... 2007-08-23 19:37

--- E O F ---

DamionW · Aug 25, 2007

Appears to be all clear

Ran spybot and vundofix again and the file that was stuck in memory (caps32.dll) is no longer there. For future reference, what step removed it from active memory so that it could be cleaned out? Was it the HiJackThis fix? Just trying to understand what causes some files to be out of the reach of SpyBot or other virus fixes, but other programs can sweep them out. That's just out of curiousity, but I don't want to waste your time if you have other people to help. Thanks again for the outstanding advice!

Shaba · Aug 25, 2007

Hi

"For future reference, what step removed it from active memory so that it could be cleaned out? Was it the HiJackThis fix?"

Combofix deleted it according to CFScript I made:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\caps32.dll

You're not clean yet

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FBCA2AC6-19A6-4AD6-90C0-4EA93EE6E459} - (no file)
O20 - Winlogon Notify: caps32 - caps32.dll (file missing)

Close all windows including browser and press fix checked.

Reboot

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Empty these folders:

C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine
C:\QooBox\Quarantine
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3vjk93ic.default\Cache(2)
C:\VundoFix Backups
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5

Delete this:

C:\WINDOWS\mpxti5s8.exe

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report

DamionW · Aug 25, 2007

3rd Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:16 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\acautoup.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: (no name) - {FBCA2AC6-19A6-4AD6-90C0-4EA93EE6E459} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
O20 - Winlogon Notify: acAuth - C:\WINDOWS\SYSTEM32\acauth.dll
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Auto-Update Service (acautoupdate) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoup.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 1: (no name) - http://static.flickr.com/87/253786558_48dc617eae.jpg?v=0

--
End of file - 10596 bytes

DamionW · Aug 25, 2007

2nd Kapersky log 1

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 25, 2007 11:47:03 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/08/2007
Kaspersky Anti-Virus database records: 389807
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 50165
Number of viruses found: 42
Number of infected objects: 99
Number of suspicious objects: 2
Duration of the scan process: 00:26:00

Infected Object Name / Virus Name / Last Action
C:\17018515 Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\944 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2274.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF29DA.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2A95.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000011.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Motive\FirmwareUpdater\firmwareUpdater.log Object is locked skipped
C:\Program Files\Sprint DSL virtual assistant\log\mpbtn.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156291.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156292.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156293.exe Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156295.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156296.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156297.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156298.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156299.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156299.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156300.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156301.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156302.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156303.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156305.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156308.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP641\A0156310.dll Infected: Trojan-Spy.Win32.BZub.hx skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP642\A0158276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP642\A0158293.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0162325.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0162326.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0162327.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0163310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0166321.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0166330.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0167348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP643\A0170362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0170372.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0170373.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0172362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174399.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174423.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174424.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0174426.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175426.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175427.dll Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175429.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175430.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175431.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175432.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175434.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175435.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175436.exe Infected: Trojan.Win32.Small.oa skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175437.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175440.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP644\A0175441.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175754.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175755.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175757.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175781.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175783.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175784.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175785.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175786.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175787.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175788.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175789.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175790.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175791.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175792.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175793.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175794.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175795.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175853.dll Infected: Trojan.Win32.BHO.bw skipped

DamionW · Aug 25, 2007

2nd Kapersky log 2

C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175854.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175855.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lq skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175862.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kx skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP646\A0175878.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP651\A0179086.sys Infected: Packed.Win32.Tibs.ap skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP651\A0179087.exe Infected: Email-Worm.Win32.Zhelatin.he skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182124.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182125.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182128.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182130.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182134.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182134.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0182134.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP652\A0184190.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP654\A0184273.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP654\A0184274.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184894.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184895.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184899.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184900.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184902.old/EXE-file Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184902.old Embedded EXE: infected - 1 skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184905.old Infected: not-a-virus:AdWare.Win32.BHO.by skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP657\A0184906.exe Infected: Trojan-Downloader.Win32.VB.ang skipped
C:\System Volume Information\_restore{56BF4A10-447E-41D0-8406-D2DC31F155DA}\RP662\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AD7CB0FD-8145-4C67-ADA4-E635AC2C5CE1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba · Aug 25, 2007

Hi

Empty this folder:

C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\

Delete this:

C:\17018515

Empty Recycle Bin

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

DamionW · Aug 25, 2007

Shaba said:
Other than that, any problems left?

Well, I thought I was clear when SpyBot didn't show anything (these hackers are tricky SOBs). So, as far as I can tell I'm fine. I've started installing the extra security features mentioned in the sticky in this forum. I emptied the items you recommended, so let me know if I have any other steps left.

Shaba · Aug 25, 2007

Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Sunbelt/Kerio
3) Agnitum
4) ZoneAlarm

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable for infections.
Please download the newest version here:
http://www.adobe.com/products/acrob...used=0&esdcanhandle=0&hasjavascript=1&dlm=nos

Install it, then go to Add/Remove Programs and remove any older versions that may remain.

You can remove all tools we used.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

DamionW · Aug 25, 2007

Thanks for everything!

I really appreciate it. I've already donated to the community and am installing a bunch of the recommendations from the forum. Take care!

Virtumonde in memory

New member

Security Expert: Emeritus

New member

New member

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

Security Expert: Emeritus

New member

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member