Nasty Virues that I can't get rid of

[Shaba]

Hi

No it did not work 100 %

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {6626808A-E950-4454-83E0-0CCCDB345568} - C:\WINDOWS\system32\efeby.dll (file missing)
O2 - BHO: (no name) - {8ed3f490-855b-49a7-81b7-738974cd820d} - C:\WINDOWS\system32\pwgohru.dll (file missing)
O2 - BHO: (no name) - {C66EC8C2-BB81-4E76-A909-EF78019F6DE7} - C:\Program Files\Windows NT\vihypi83122.dll (file missing)
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv

Close all windows incluiding browser and press fix checked.

Reboot.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  C:\WINDOWS\system32\sdjpnexs.ini
  C:\WINDOWS\system32\cgegodpr.ini
  C:\WINDOWS\system32\uyliaknu.ini
  C:\Program Files\Dot1XCfg
  C:\WINDOWS\system32\xmderotv.ini
  C:\WINDOWS\system32\egflybum.ini
  C:\WINDOWS\system32\rfsfjpeg.ini
  C:\WINDOWS\system32\jafvxeaw.ini
  C:\WINDOWS\system32\bvrmahxy.ini
  C:\WINDOWS\system32\winzs6
  C:\WINDOWS\system32\nui4
  C:\WINDOWS\system32\extz1
  C:\WINDOWS\system32\comm7
  C:\WINDOWS\system32\nGpxx01

• Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
- otmoveit2 report

[MsBhelp]

Here you go!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:27 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6394 bytes

ComboFix 08-02.05.3 - User1 2008-02-12 14:21:08.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.136 [GMT -6:00]
Running from: C:\Documents and Settings\User1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-12 14:19 . 2008-02-12 14:19 <DIR> d-------- C:\_OTMoveIt
2008-02-11 12:58 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-06 18:09 . 2008-02-06 18:09 <DIR> d--hs---- C:\FOUND.036
2008-02-05 22:38 . 2008-02-05 22:38 <DIR> d--hs---- C:\FOUND.035
2008-02-04 17:46 . 2008-02-04 17:46 <DIR> d--hs---- C:\FOUND.034
2008-02-02 02:15 . 2008-02-02 02:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 12:10 . 2008-02-01 12:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 01:35 . 2008-02-11 13:06 14,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 01:35 . 2008-02-11 13:06 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 01:35 . 2008-02-11 13:06 1,100 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 01:35 . 2008-02-11 13:06 288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 01:29 . 2008-02-01 01:29 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 01:28 . 2008-02-01 01:28 <DIR> d-------- C:\KAV
2008-01-31 12:57 . 2008-01-31 12:57 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:05 . 2008-01-31 12:05 <DIR> d--hs---- C:\FOUND.033
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 02:02 . 2008-01-29 02:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 02:24 . 2008-01-24 02:24 <DIR> d--hs---- C:\FOUND.032
2008-01-23 12:22 . 2008-01-23 12:22 <DIR> d--hs---- C:\FOUND.031
2008-01-21 19:26 . 2008-02-11 13:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 19:26 . 2008-01-21 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 19:24 . 2008-01-21 19:24 <DIR> d-------- C:\Program Files\iPod
2008-01-21 19:23 . 2008-01-21 19:23 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 19:18 . 2008-01-21 19:18 <DIR> d-------- C:\Program Files\QuickTime
2008-01-17 13:04 . 2008-01-17 13:04 <DIR> d--hs---- C:\FOUND.030
2008-01-16 13:31 . 2008-01-16 13:31 <DIR> d--hs---- C:\FOUND.029

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 08:08 --------- d-----w C:\Documents and Settings\User1\Application Data\Move Networks
2007-12-23 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-23 07:33 --------- d-----w C:\Documents and Settings\User1\Application Data\LimeWire
2007-12-18 05:59 --------- d-----w C:\Program Files\eMusic Download Manager
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-01-17 22:23 19,000 ----a-w C:\Documents and Settings\User1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49 307200]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 18:52 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

C:\Documents and Settings\User1\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE [2002-09-11 13:30:58 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-25 13:31:04 118784]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gluwawih]
gluwawih.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 23:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 14:23:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 14:24:16
ComboFix-quarantined-files.txt 2008-02-12 20:24:10
ComboFix4.txt 2008-02-01 01:00:20
ComboFix3.txt 2008-02-09 20:43:36
ComboFix2.txt 2008-02-11 19:31:24
.
2008-02-02 01:10:07 --- E O F ---
[Custom Input]
< C:\WINDOWS\system32\sdjpnexs.ini >
C:\WINDOWS\system32\sdjpnexs.ini moved successfully.
< C:\WINDOWS\system32\cgegodpr.ini >
C:\WINDOWS\system32\cgegodpr.ini moved successfully.
< C:\WINDOWS\system32\uyliaknu.ini >
C:\WINDOWS\system32\uyliaknu.ini moved successfully.
< C:\Program Files\Dot1XCfg >
C:\Program Files\Dot1XCfg moved successfully.
< C:\WINDOWS\system32\xmderotv.ini >
C:\WINDOWS\system32\xmderotv.ini moved successfully.
< C:\WINDOWS\system32\egflybum.ini >
C:\WINDOWS\system32\egflybum.ini moved successfully.
< C:\WINDOWS\system32\rfsfjpeg.ini >
C:\WINDOWS\system32\rfsfjpeg.ini moved successfully.
< C:\WINDOWS\system32\jafvxeaw.ini >
C:\WINDOWS\system32\jafvxeaw.ini moved successfully.
< C:\WINDOWS\system32\bvrmahxy.ini >
C:\WINDOWS\system32\bvrmahxy.ini moved successfully.
< C:\WINDOWS\system32\winzs6 >
C:\WINDOWS\system32\winzs6 moved successfully.
< C:\WINDOWS\system32\nui4 >
C:\WINDOWS\system32\nui4 moved successfully.
< C:\WINDOWS\system32\extz1 >
C:\WINDOWS\system32\extz1 moved successfully.
< C:\WINDOWS\system32\comm7 >
C:\WINDOWS\system32\comm7 moved successfully.
< C:\WINDOWS\system32\nGpxx01 >
C:\WINDOWS\system32\nGpxx01 moved successfully.

OTMoveIt2 v1.0.19 log created on 02122008_141923

[Shaba]

Hi

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

[MsBhelp]

sorry for the delay

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 11:06:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565273
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36832
Number of viruses found: 23
Number of infected objects: 96
Number of suspicious objects: 2
Duration of the scan process: 01:56:27

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D28281B4-6F1D-4BBA-83BE-A5A0DF564AF3}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temp\Perflib_Perfdata_280.dat Object is locked skipped
C:\Documents and Settings\User1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User1\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_User1.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_User1.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_User1.log Object is locked skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP610\A0353038.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP610\A0353061.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP610\A0353062.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP613\A0356073.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP613\A0358073.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358127.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358128.exe Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358130.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358131.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358133.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358134.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358135.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358136.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358137.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358143.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358151.EXE Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358155.SYS Infected: Rootkit.Win32.Agent.to skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0359228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP620\change.log Object is locked skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP609\A0353011.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\_OTMoveIt\MovedFiles\02122008_141923\WINDOWS\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\FOUND.032\FILE0002.CHK Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\FOUND.032\FILE0009.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\FOUND.032\FILE0010.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\FOUND.032\FILE0041.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\FOUND.032\FILE0042.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\FOUND.033\FILE0003.CHK Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\avifnipw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\axwsihiy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\bhhnilxo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\dderjopx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\dsammlol.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\efeby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.edx skipped
C:\VundoFix Backups\fnbrgrgg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ftqrhmbn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\fynlilnq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\fytqhchs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ghtwtdpr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\VundoFix Backups\ivybysbg.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\jukwksej.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\khfcyvv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\kmlxdojw.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\nqselevc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ogdviytl.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\omyrgoma.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\VundoFix Backups\pmnkhge.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\pqcwyyns.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qjfpfghq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\sjrakldj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\uxjlgebs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xivpvcai.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\yxhamrvb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\sfloppyy.sys.vir Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ivybysbg.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fcyyy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnkhge.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yrevbmql.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aihapehh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bpcnpcem.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\doxoovgr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\grcfbdif.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gwokbyof.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hcbnjlxe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hdoxrvyf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\inifpsav.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khiclxnc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kiolqdni.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\quttuurw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqqaslm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xufwifou.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xwnvcnpx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ymdfkwaa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir Infected: Trojan.Win32.Zapchast.dt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pagyihbo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan.Win32.Agent.edq skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\MANTEC~1\nоtepad.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\Program Files\Insider\Insider.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\QooBox\Quarantine\C\Documents and Settings\User1\Application Data\YSTEM~1\wucrtupd.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip/mljgfdd.dll Infected: Trojan.Win32.BHO.auf skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip/pagyihbo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip/pmkif.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2008-02-11_132651.15.zip/pagyihbo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-11_132651.15.zip ZIP: infected - 1 skipped

Scan process completed.

[MsBhelp]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:00 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tool...bar/lexico.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6448 bytes

[Shaba]

Hi

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\_OTMoveIt\MovedFiles\
C:\VundoFix Backups\
C:\QooBox\Quarantine

Delete these:

C:\FOUND.032\FILE0002.CHK
C:\FOUND.032\FILE0009.CHK
C:\FOUND.032\FILE0010.CHK
C:\FOUND.032\FILE0041.CHK
C:\FOUND.032\FILE0042.CHK
C:\FOUND.033\FILE0003.CHK

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

[MsBhelp]

There doesn't seem to be anymore problems. THANK YOU!!

However, I cannot find the c:\found.32 files.

[MsBhelp]

Ok, I found the files you mentioned. There are other files like that. Should I be concerenced?

[Shaba]

Hi

No, those are created due to scandisk run.

Any other concerns?

[MsBhelp]

The only thing I notice is that my folder icon for the C drive has an animated cross/x on it.