
Thread: Infected with a lot of stuff + poss. Virtumonde

  1. #1 (Junior Member, Join Date: Sep 2007, Posts: 17)

    Infected with a lot of stuff + poss. Virtumonde

    Hello, I've been having many problems with Spybot, WinRAR, Ad-Aware and many other applications for the last 3-4 days.

    So here is my HJT logfile; the Kaspersky logfile will follow:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:27:11 PM, on 09/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\ywkidaog.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\oyulphqn.dll",sitypnow
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Royal Card Club Poker - {05350556-827A-43d6-9E0B-65B247AF4818} - C:\Microgaming\Poker\royalcardclubMPP\MPPoker.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Poker\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Poker\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176621568156
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/32...CX/FlashAX.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\ywkidaog.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 9782 bytes

  2. #2 (Junior Member, Join Date: Sep 2007, Posts: 17)

    Kaspersky results!

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, September 23, 2007 12:34:06 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 23/09/2007
    Kaspersky Anti-Virus database records: 422406
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 108300
    Number of viruses found: 6
    Number of infected objects: 51
    Number of suspicious objects: 0
    Duration of the scan process: 01:09:50

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log Object is locked skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temp\ebveksnp.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temp\qgyjbyyu.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temp\sobxaoka.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temp\sqsjgxid.dll Object is locked skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temp\wqdyixgm.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temporary Internet Files\Content.IE5\QRSR00ZW\jaun_20070726[1] Object is locked skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temporary Internet Files\Content.IE5\QRSR00ZW\lkjh[1] Object is locked skipped
    C:\Documents and Settings\Les autres idiots\Local Settings\Temporary Internet Files\Content.IE5\QRSR00ZW\valera[1] Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Propriétaire\Bureau\Ordi Fred\Utilitaires\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Documents and Settings\Propriétaire\Bureau\Ordi Fred\Utilitaires\mirc616.exe mIRC: infected - 1 skipped
    C:\Documents and Settings\Propriétaire\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Messenger\adio_fred@hotmail.com\SharingMetadata\Logs\Dfsr00004.log Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Messenger\adio_fred@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Messenger\adio_fred@hotmail.com\SharingMetadata\Working\database_DA8C_389C_8C38_755B\dfsr.db Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Messenger\adio_fred@hotmail.com\SharingMetadata\Working\database_DA8C_389C_8C38_755B\fsr.log Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Messenger\adio_fred@hotmail.com\SharingMetadata\Working\database_DA8C_389C_8C38_755B\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Messenger\adio_fred@hotmail.com\SharingMetadata\Working\database_DA8C_389C_8C38_755B\tmp.edb Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows Live Contacts\adio_fred@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows Live Contacts\adio_fred@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Historique\History.IE5\MSHist012007092220070923\index.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\doyumtjp.dll Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\gsyspbcq.dll Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\hwyxyjmr.dll Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\nahmfnmn.dll Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\~DF3879.tmp Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\~DF3BEB.tmp Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\~DFD38A.tmp Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temp\~DFD8DE.tmp Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\3C3O6TEH\css4[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\3C3O6TEH\css4[3] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\3C3O6TEH\css4[4] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\3C3O6TEH\css4[5] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\6CSIFR9D\link[1].htm Infected: Trojan-Clicker.HTML.IFrame.ab skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\6CSIFR9D\link[2].htm Infected: Trojan-Clicker.HTML.IFrame.ab skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\DAL2L4OL\jaun_20070726[1] Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\DAL2L4OL\link[1].htm Infected: Trojan-Clicker.HTML.IFrame.ab skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\DAL2L4OL\lkjh[1] Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\IR32L2OF\css4[3] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\IR32L2OF\css4[4] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\IR32L2OF\css4[5] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\IR32L2OF\css4[6] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\IR32L2OF\css4[7] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\IR32L2OF\css4[8] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\SN0TU125\jaun_20070726[1] Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[3] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[4] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[5] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[6] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[7] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[8] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\T29CDUN8\css4[9] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\UE61WYS0\jaun_20070726[1] Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[3] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[4] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[5] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[6] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[7] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\VFOUOM9Q\css4[8] Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\YAD4HATM\jaun_20070726[2] Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\YAD4HATM\lkjh[1] Object is locked skipped
    C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\YAD4HATM\valera[1] Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Propriétaire\Mes documents\Utilitaires\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    C:\Documents and Settings\Propriétaire\Mes documents\Utilitaires\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    C:\Documents and Settings\Propriétaire\Mes documents\Utilitaires\mirc621.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\Propriétaire\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Propriétaire\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
    C:\Program Files\Steam\Steam.log Object is locked skipped
    C:\Program Files\Steam\steamapps\winui.gcf Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

  3. #3 (Junior Member, Join Date: Sep 2007, Posts: 17)

    Kaspersky results part 2

    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP297\A0028515.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP297\A0028516.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP300\A0028564.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP300\A0028565.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP300\A0028566.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP300\A0028567.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP301\A0028585.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP304\A0029179.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP304\A0029180.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP304\A0029181.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP305\A0029184.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP305\A0029196.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP305\A0029197.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP305\A0029198.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP305\A0029199.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP305\A0029202.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029203.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029204.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029205.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029215.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029216.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029217.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029218.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029219.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029220.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029221.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029222.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029223.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029224.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029225.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029226.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029227.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029228.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029229.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029230.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029231.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029232.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029233.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029234.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029235.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029236.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029237.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029238.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029239.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029240.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029241.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029242.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029243.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029244.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029245.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029246.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029247.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029248.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029249.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029250.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029251.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029252.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029253.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029254.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029255.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029256.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029257.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029258.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029259.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029260.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029261.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029262.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029263.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029264.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029265.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029266.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029267.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029268.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029269.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029270.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029271.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029272.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP306\A0029273.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029288.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029291.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029292.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029293.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029294.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029295.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029296.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP308\A0029297.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP309\A0029311.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP309\A0029312.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP309\A0029313.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP311\A0029343.dll Object is locked skipped
    C:\System Volume Information\_restore{98B5932A-6C81-4F0F-B0C3-3AFDA7CCA495}\RP319\change.log Object is locked skipped

  4. #4
    Junior Member
    Join Date
    Sep 2007
    Posts
    17

    Default Kaspersky results part 3

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\fxhkrrrm.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\gwkhutpb.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\heqkalfk.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\hqjdljwn.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\iruhdfcv.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\mljghfc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\WINDOWS\system32\pgnxhntk.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\pxfsupil.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\qiikddfy.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\ycqskire.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\yefoxlcc.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\ywkidaog.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    17

    Default HJT scan with the program renamed!

    Here is a new logfile after I renamed hijackthis.exe to scanner.exe.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:43:24 AM, on 09/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\ywkidaog.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {223DC7E1-6275-4AB3-90D0-DF28C586230D} - C:\WINDOWS\system32\vtsts.dll (file missing)
    O2 - BHO: (no name) - {34B2D046-BBE8-430B-A531-E10CE0A97333} - C:\WINDOWS\system32\gebcc.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\mljghfc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7CC52EBB-0568-4B52-8B7E-045D272E4E1D} - C:\WINDOWS\system32\mllmm.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\oyulphqn.dll",sitypnow
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Royal Card Club Poker - {05350556-827A-43d6-9E0B-65B247AF4818} - C:\Microgaming\Poker\royalcardclubMPP\MPPoker.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Poker\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Poker\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176621568156
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/32...CX/FlashAX.cab
    O20 - Winlogon Notify: mljghfc - C:\WINDOWS\SYSTEM32\mljghfc.dll
    O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\ywkidaog.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 10753 bytes
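    Cross-referencing the Kaspersky detections in post #4 with the HijackThis persistence entries in post #5 is what the helper does by eye: an O2 BHO, an O20 Winlogon Notify hook and an O23 service all load files the scanner already flagged. The Python below, an added example that is not code from this thread, from HijackThis or from Kaspersky, automates that triage. Both sample logs are constructed in the shape of the posts above; the severity levels and the structural rules (nameless BHO, vendorless service, orphaned entry, rundll32 loader) are this example's own heuristics, not HijackThis's.

```python
"""Cross-reference AV detections with HijackThis persistence entries.

Added example for this thread; it is not code from the thread, from
HijackThis or from Kaspersky. Both sample logs below are constructed in
the shape of the logs posted above.
"""
import re
from typing import NamedTuple

# Constructed sample of Kaspersky online-scanner output lines.
KASPERSKY_LOG = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\fxhkrrrm.exe Infected: Trojan.Win32.Agent.bck skipped
C:\\WINDOWS\\system32\\mljghfc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\\WINDOWS\\system32\\ywkidaog.exe Infected: Trojan.Win32.Agent.bck skipped
"""

# Constructed sample of HijackThis log lines.
HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Fichiers communs\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {223DC7E1-6275-4AB3-90D0-DF28C586230D} - C:\\WINDOWS\\system32\\vtsts.dll (file missing)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\\WINDOWS\\system32\\mljghfc.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [SearchIndexer] rundll32.exe "C:\\WINDOWS\\system32\\oyulphqn.dll",sitypnow
O20 - Winlogon Notify: mljghfc - C:\\WINDOWS\\SYSTEM32\\mljghfc.dll
O23 - Service: DomainService - - C:\\WINDOWS\\system32\\ywkidaog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)", re.M)
# A Windows path ending in .dll/.exe; stops before the ',' that separates a
# rundll32 DLL from its export name, or before a closing quote.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.(?:dll|exe)", re.I)
SECTION_RE = re.compile(r"^(O\d+|R\d+)\b")


def av_detections(log: str) -> dict:
    """Map lowercase path -> verdict for every 'Infected:' line of the scanner log."""
    return {m["path"].strip().lower(): m["verdict"] for m in INFECTED_RE.finditer(log)}


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "low"
    section: str    # HJT section tag, e.g. O2, O4, O20, O23
    reason: str
    line: str


def triage_hjt(hjt: str, detections: dict) -> list:
    """Rank HJT persistence entries: AV hits first, then structural oddities."""
    findings = []
    for raw in hjt.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section = m.group(1)
        # Compare case-insensitively: HJT prints SYSTEM32 and system32 for the same file.
        paths = [p.lower() for p in PATH_RE.findall(line)]
        hit = next((p for p in paths if p in detections), None)
        if hit:
            findings.append(Finding("high", section, f"loads AV-detected file ({detections[hit]})", line))
        elif "(file missing)" in line:
            findings.append(Finding("medium", section, "orphaned entry, file no longer present", line))
        elif section == "O2" and "(no name)" in line:
            findings.append(Finding("medium", section, "BHO without a name", line))
        elif section == "O23" and " - - " in line:
            findings.append(Finding("medium", section, "service with no vendor", line))
        elif section == "O20":
            findings.append(Finding("medium", section, "Winlogon Notify hook", line))
        elif section == "O4" and "rundll32" in line.lower():
            findings.append(Finding("low", section, "rundll32 loader, verify the DLL", line))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])   # stable: keeps log order within a level


def severity_counts(findings: list) -> dict:
    """Summary used for a quick 'is this box still infected' answer."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_hjt(HJT_LOG, av_detections(KASPERSKY_LOG))
    for f in results:
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
    print(severity_counts(results))
```

    To run it against the full logs, replace the two constants with the file contents. Only entries whose file the scanner already detected rank high; the rundll32 rule deliberately reports legitimate loaders such as NvCpl.dll at low severity, because a Run entry that mimics a Windows component (the [SearchIndexer] entry loading oyulphqn.dll) is only distinguishable by examining the DLL itself.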

  6. #6
    Junior Member
    Join Date
    Sep 2007
    Posts
    17

    Default

    Thanks a lot

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello and welcome to the Forums

    Sorry for the long delay, we've been busy.

    First, you need to disable a few real-time protections. These may interfere with our cleaning process.
    We'll enable these when you're clean...

    Disable Spybot S&D TeaTimer.
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button.", when VundoFix appears at reboot.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  8. #8
    Junior Member
    Join Date
    Sep 2007
    Posts
    17

    Default

    Well, since 3-4 days have passed, I already ran the vundofix.exe program earlier today along with Virtumondebegone.exe.
    It solved some problems from what I can see in the HJT log, but there is still some stuff to be fixed, I believe! So here is a fresh HJT log!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:00:58 PM, on 09/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {223DC7E1-6275-4AB3-90D0-DF28C586230D} - C:\WINDOWS\system32\vtsts.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {882302CB-CF51-49FD-8D67-5576E1A600F4} - C:\WINDOWS\system32\gebcc.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Royal Card Club Poker - {05350556-827A-43d6-9E0B-65B247AF4818} - C:\Microgaming\Poker\royalcardclubMPP\MPPoker.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Poker\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Poker\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark.com/client/vers...n/AMClient.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176621568156
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/32...CX/FlashAX.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 9988 bytes

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    OK you're still infected.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

  10. #10
    Junior Member
    Join Date
    Sep 2007
    Posts
    17

    Default Here is the combofix log!

    ComboFix 07-09-21.2 - "Propriétaire" 2007-09-27 22:06:49.1 - NTFSx86 NETWORK
    Microsoft Windows XP Édition familiale 5.1.2600.2.1252.2.1036.18.1783 [GMT -4:00]
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\DOCUME~1\LESAUT~1\Bureau\internet.lnk
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\ccbeg.bak1
    C:\WINDOWS\system32\ccbeg.bak2
    C:\WINDOWS\system32\ccbeg.ini
    C:\WINDOWS\system32\fxhkrrrm.exe
    C:\WINDOWS\system32\gebcc.dll
    C:\WINDOWS\system32\gwkhutpb.exe
    C:\WINDOWS\system32\gyycmtgn.exe
    C:\WINDOWS\system32\heqkalfk.exe
    C:\WINDOWS\system32\hqjdljwn.exe
    C:\WINDOWS\system32\iruhdfcv.exe
    C:\WINDOWS\system32\jgvbyaqo.exe
    C:\WINDOWS\system32\lhmxapew.exe
    C:\WINDOWS\system32\nxdwapkk.exe
    C:\WINDOWS\system32\pgnxhntk.exe
    C:\WINDOWS\system32\pxfsupil.exe
    C:\WINDOWS\system32\qiikddfy.exe
    C:\WINDOWS\system32\ststv.bak1
    C:\WINDOWS\system32\ststv.bak2
    C:\WINDOWS\system32\ststv.ini
    C:\WINDOWS\system32\ttrcbcir.exe
    C:\WINDOWS\system32\ycqskire.exe
    C:\WINDOWS\system32\yefoxlcc.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((((((( Fichiers créés 2007-08-28 to 2007-09-28 ))))))))))))))))))))))))))))))))))))
    .

    2007-09-27 22:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-27 04:08 84,544 --a------ C:\WINDOWS\system32\kouchbqj.dll
    2007-09-26 13:58 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2007-09-26 13:49 <REP> d-------- C:\VundoFix Backups
    2007-09-24 16:55 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
    2007-09-24 16:55 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2007-09-24 16:55 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2007-09-24 16:55 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2007-09-24 16:55 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
    2007-09-24 16:55 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
    2007-09-24 16:55 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2007-09-24 16:55 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
    2007-09-23 23:13 85,568 --a------ C:\WINDOWS\system32\gkygbbiv.dll
    2007-09-22 23:26 <REP> d-------- C:\Program Files\Trend Micro
    2007-09-22 23:05 <REP> d-------- C:\Program Files\Lavasoft
    2007-09-22 23:05 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-09-22 21:08 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-09-22 20:35 <REP> d-------- C:\DOCUME~1\PROPRI~1\Contacts
    2007-09-22 20:34 <REP> d-------- C:\Program Files\MSN Messenger
    2007-09-22 10:44 <REP> d-------- C:\DOCUME~1\PROPRI~1\.housecall6.6
    2007-09-22 00:35 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-09-22 00:35 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-09-12 22:56 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2007-09-12 22:51 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
    2007-09-12 22:51 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
    2007-09-12 22:51 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-09-12 22:46 <REP> d-------- C:\Program Files\EA SPORTS
    2007-09-12 22:45 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
    2007-09-12 22:45 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
    2007-09-12 22:45 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
    2007-09-12 22:45 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
    2007-09-12 22:45 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
    2007-09-12 22:45 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
    2007-09-12 22:45 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
    2007-09-11 22:02 44,054 --a------ C:\WINDOWS\system32\mljghfc.dll.vir
    2007-09-01 18:04 <REP> d-------- C:\Program Files\PartyGaming

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-27 22:10 --------- d-------- C:\Program Files\Steam
    2007-09-26 12:20 --------- d-------- C:\Program Files\Everest Poker
    2007-09-26 12:18 --------- d-------- C:\Program Files\PokerStars
    2007-09-24 20:32 --------- d-------- C:\Program Files\LimeWire
    2007-09-22 23:05 --------- d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
    2007-09-20 00:05 --------- d-------- C:\Program Files\Poker Tracker V2
    2007-09-18 20:58 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-11 23:38 --------- d-------- C:\Program Files\Azureus
    2007-09-11 21:54 --------- d-------- C:\Program Files\mIRC
    2007-08-23 11:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
    2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-05 21:27 --------- d-------- C:\Program Files\Google
    2007-07-30 00:59 --------- d-------- C:\Program Files\Absolute Poker
    2007-04-16 02:06 22845992 --a------ C:\Program Files\AdbeRdr80_fr_FR.exe
    2004-10-01 15:00 40960 --a------ C:\Program Files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{223DC7E1-6275-4AB3-90D0-DF28C586230D}]
    C:\WINDOWS\system32\vtsts.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 14:29]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2006-10-23 01:48]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 08:54]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
    "SearchIndexer"="C:\WINDOWS\system32\kouchbqj.dll" [2007-09-27 04:08]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
    "Steam"="C:\Program Files\Steam\Steam.exe" [2007-06-27 21:57]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
    path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
    backup=C:\WINDOWS\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Gear Help]
    "C:\Program Files\ASUS\AI Gear\GearHelp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
    C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
    "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTXFIREG]
    CTxfiReg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    C:\Program Files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
    "C:\Program Files\ASUS\AI Booster\OverClk.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch PC Probe II]
    "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
    "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLimiter]
    C:\Program Files\NetLimiter\NetLimiter.exe /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RunDLL32.exe NvMCTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    Rundll32 P17.dll,P17Helper

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    C:\WINDOWS\UpdReg.EXE

    R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
    R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
    R3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys
    S3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys

    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-27 22:10:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-27 22:10:57 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-27 22:10
    .
    --- E O F ---
