Several Malware detected

Fernando Spitaliere · Dec 11, 2006

Hi, everyone!
This is my first post so I don't really know what to really report. When I activated the teatimer, I realized there were resident programs tring to constantly modify the registry, among other things.
I am attaching the logs and if you require any other information, please let me know.
Thank you in advance!

:

Logfile of HijackThis v1.99.1
Scan saved at 5:40:56 PM, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
O2 - BHO: (no name) - {20729D3A-EBEF-465B-8AD7-C78D7B1F661B} - (no file)
O2 - BHO: (no name) - {B0A49443-E7F1-479F-94DB-CA88DA09FE68} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: App Management - C:\WINDOWS\
O20 - Winlogon Notify: Applets - C:\WINDOWS\
O20 - Winlogon Notify: Extensions - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: MCD - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: Reliability - C:\WINDOWS\
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\
O20 - Winlogon Notify: sstts - C:\WINDOWS\
O20 - Winlogon Notify: StillImage - C:\WINDOWS\
O20 - Winlogon Notify: Themes - C:\WINDOWS\
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

************************************************
************************************************

Incident Status Location

Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\esvfteh.dll
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\nsc5.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Fernando Spitaliere\Local Settings\Temp\nsm5.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\Util\AntiVirus\Trojan Vundo Removers\VirtumundoBeGone.exe[²ƒÇ]
Possible Virus. Not disinfected C:\VundoFix Backups\sstts.dll.bad
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\djlio.dat

Shaba · Dec 12, 2006

Hi Fernando Spitaliere

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Send:

- a fresh HijackThis log
- combofix report

Fernando Spitaliere · Dec 13, 2006

Follow up 1. Thank you!

COMBOFIX LOG:
============

Fernando Spitaliere - 06-12-13 1:57:41.53 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{78D87030-BF47-412D-94D4-6FB8CE3AA13F}]
@=""

[HKEY_CLASSES_ROOT\clsid\{78D87030-BF47-412D-94D4-6FB8CE3AA13F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{78D87030-BF47-412D-94D4-6FB8CE3AA13F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{78D87030-BF47-412D-94D4-6FB8CE3AA13F}\InprocServer32]
@="C:\\WINDOWS\\system32\\EXFBCBACA.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C04391E8-8645-4F0E-AEDF-3015EE86FE20}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C04391E8-8645-4F0E-AEDF-3015EE86FE20}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C04391E8-8645-4F0E-AEDF-3015EE86FE20}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C04391E8-8645-4F0E-AEDF-3015EE86FE20}\InprocServer32]
@="C:\\WINDOWS\\system32\\mydtcprx.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F3B0651C-4732-4CC7-85A3-BECD0405EB18}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F3B0651C-4732-4CC7-85A3-BECD0405EB18}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F3B0651C-4732-4CC7-85A3-BECD0405EB18}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F3B0651C-4732-4CC7-85A3-BECD0405EB18}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{390863E0-938F-4F72-96C8-791EB765DC89}]
@=""

[HKEY_CLASSES_ROOT\clsid\{390863E0-938F-4F72-96C8-791EB765DC89}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{390863E0-938F-4F72-96C8-791EB765DC89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{390863E0-938F-4F72-96C8-791EB765DC89}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Granting sedebugprivilege to Administrators ... successful

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *

O4 - HKCU\...\Run C:\WINDOWS\system32\xlwfdv.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\xlwfdv.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\ounjd.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\yqunncv.exe

* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *

C:\WINDOWS\system32\xlwfdv.exe
C:\WINDOWS\system32\esvfteh.dll
C:\WINDOWS\system32\yqunncv.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qsigj.exe
C:\WINDOWS\whdmt.dll
C:\WINDOWS\system32\djlio.dat
C:\WINDOWS\system32\ounjd.exe

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

06-11-02 08:53 127488 qsigj.exe.qoo
06-12-11 17:33 127488 djlio.dat.qoo
06-12-04 14:03 297 whdmt.dll.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Safety Bar
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{34BDA73C-06C1-1033-0930-050802200001}
C:\Program Files\Common Files\{B4BDA73C-06C1-1033-0930-050802200001}

((((((((((((((((((((((((((((((( Files Created from 2006-11-13 to 2006-12-13 ))))))))))))))))))))))))))))))))))

2006-12-13 02:02 24 --a------ C:\WINDOWS\whdmt.dll
2006-12-09 16:22 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-12-08 15:54 1,492 --a------ C:\WINDOWSvundofix.reg
2006-12-08 15:03 <DIR> d-------- C:\VundoFix Backups
2006-12-04 13:28 <DIR> d-------- C:\Documents and Settings\Fernando Spitaliere\.housecall6.6
2006-12-01 13:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-01 01:34 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
2006-11-30 04:06 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-11-29 02:04 <DIR> d-------- C:\Documents and Settings\Fernando Spitaliere\Application Data\SlySoft
2006-11-28 13:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-11-28 13:39 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-11-28 13:39 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-11-18 05:30 <DIR> d-------- C:\8733e51c853ea829724a81a19e8d61bb

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-13 01:58 -------- d-------- C:\Program Files\Common Files
2006-12-13 01:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-11 15:42 -------- d-------- C:\Program Files\Internet Explorer
2006-12-11 12:35 -------- d-------- C:\Documents and Settings\Fernando Spitaliere\Application Data\1ClickDVDCopy
2006-12-10 14:22 -------- d-------- C:\Documents and Settings\Fernando Spitaliere\Application Data\CopyToDvd
2006-12-04 03:46 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-01 16:42 -------- d-------- C:\Program Files\MSN Messenger
2006-12-01 14:33 -------- d-------- C:\Program Files\Windows NT
2006-12-01 13:56 -------- d-------- C:\Program Files\WinZip
2006-12-01 13:56 -------- d-------- C:\Program Files\WinRAR
2006-11-30 15:07 67584 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\000003B8_VTS_1.IFO
2006-11-30 15:07 18432 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\000003B8_VTS_2.IFO
2006-11-30 15:07 16384 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\000003B8_VTS_0.IFO
2006-11-30 14:17 67584 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000029C_VTS_1.IFO
2006-11-30 14:17 14336 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000029C_VTS_0.IFO
2006-11-29 03:10 -------- d-------- C:\Program Files\SlySoft
2006-11-29 03:01 -------- d-------- C:\Program Files\Elaborate Bytes
2006-11-28 14:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-02 16:07 -------- d-------- C:\Documents and Settings\Fernando Spitaliere\Application Data\Macromedia
2006-10-31 12:28 18816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys
2006-10-31 12:28 -------- d-------- C:\Program Files\dvd43
2006-10-25 10:56 325632 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00001C8C_VTS_1.IFO
2006-10-20 20:09 88064 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00000840_VTS_1.IFO
2006-10-20 20:09 20480 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00000840_VTS_0.IFO
2006-10-16 23:26 63488 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000149C_VTS_1.IFO
2006-10-16 23:26 12288 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000149C_VTS_0.IFO
2006-10-14 16:31 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-07 13:34 57344 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00000744_VTS_1.IFO
2006-10-07 13:34 12288 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00000744_VTS_0.IFO
2006-10-05 15:28 38912 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000626C_VTS_1.IFO
2006-10-05 15:28 12288 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000626C_VTS_0.IFO
2006-10-04 15:43 12288 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00005BDC_VTS_0.IFO
2006-09-20 14:35 55296 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00000AD0_VTS_1.IFO
2006-09-20 14:35 12288 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\00000AD0_VTS_0.IFO
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 20:30 79872 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000123C_VTS_1.IFO
2006-09-12 20:30 18432 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000123C_VTS_5.IFO
2006-09-12 20:30 18432 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000123C_VTS_4.IFO
2006-09-12 20:30 18432 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000123C_VTS_3.IFO
2006-09-12 20:30 18432 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000123C_VTS_2.IFO
2006-09-12 20:30 18432 --a------ C:\Documents and Settings\Fernando Spitaliere\Application Data\0000123C_VTS_0.IFO

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"tahye"="C:\\WINDOWS\\system32\\xlwfdv.exe reg_run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"wdbwdt"="C:\\WINDOWS\\system32\\xlwfdv.exe reg_run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\Setup]
"Registrando Panda ActiveX"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\as.dll"
"Registrando Panda Almacen"="C:\\WINDOWS\\system32\\regsvr32.exe /s C:\\WINDOWS\\system32\\ActiveScan\\pavpz.dll"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,62,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,62,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,62,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"tahye"="C:\\WINDOWS\\system32\\xlwfdv.exe reg_run"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"tahye"="C:\\WINDOWS\\system32\\xlwfdv.exe reg_run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"
"{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"VoipBuster"="\"C:\\program files\\voipbuster.com\\voipbuster\\voipbuster.exe\" -nosplash -minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"dvd43"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"EPSON Stylus CX3800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIACA.EXE /P26 \"EPSON Stylus CX3800 Series\" /O6 \"USB001\" /M \"Stylus CX3800\""
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HWSetup"="C:\\Program Files\\TOSHIBA\\TOSHIBA Applet\\HWSetup.exe hwSetUP"
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"mouseElf"="C:\\PROGRA~1\\SCROLL~1\\MouseElf.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Notebook Maximizer"="C:\\Program Files\\Notebook Maximizer\\maximizer_startup.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"SVPWUTIL"="C:\\Program Files\\Toshiba\\Windows Utilities\\SVPWUTIL.exe SVPwUTIL"
"TCtryIOHook"="TCtrlIOHook.exe"
"TOSHIBA Accessibility"="C:\\Program Files\\TOSHIBA\\Accessibility\\FnKeyHook.exe"
"TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe"
"TPSMain"="TPSMain.exe"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"ZoomingHook"="ZoomingHook.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstts

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis entries set to ignore ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

O4 - HKLM\..\Run: [HotKeysCmds] C:\WIND
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PR
O4 - HKLM\..\Run: [TPNF] C:\Program Files\T
O4 - HKLM\..\Run: [T
O4 - HKLM\..\Run: [TCtryI
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\T
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\T
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\T
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\T
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WIND
O4 - HKLM\..\Run: [EPS
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [T
O4 - HKCU\..\Run: [VoipBuster] "C:\program files\voipbuster.com\voipbuster\voipbuster.exe" -nosplash -minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Program Files\Webroot\Spy Sweeper\SpySweeperFix.bat
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: ConfigFree Service (CFSvcs) - T
O23 - Service: DefWatch - Symantec Corporation - C:\PR
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WIND
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PR
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

=====
continues...
=====

Fernando Spitaliere · Dec 13, 2006

Follow up 2. Continuation

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061209-162017-206
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061209-162017-875
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061209-162009-548
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061209-162009-281
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061209-161939-159
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061209-161939-345
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061209-161911-679
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061209-161911-534
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061209-161911-314
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20061209-145207-766
O20 - Winlogon Notify: sstts - C:\WINDOWS\
backup-20061209-145206-444
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
backup-20061209-145206-115
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20061209-145206-612
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061209-145206-478
O2 - BHO: (no name) - {20729D3A-EBEF-465B-8AD7-C78D7B1F661B} - (no file)
backup-20061209-145206-293
O2 - BHO: (no name) - {B0A49443-E7F1-479F-94DB-CA88DA09FE68} - (no file)
backup-20061209-145206-695
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061208-124254-755
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
backup-20061208-124254-975
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061208-124254-996
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061204-034215-254
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061204-034215-239
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
backup-20061204-034029-728
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
backup-20061204-034029-409
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
backup-20061204-034029-234
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
Completion time: 06-12-13 2:02:38.62
C:\ComboFix.txt ... 06-12-13 02:02

**********************************************************
**********************************************************

HJT LOG:
=======

Logfile of HijackThis v1.99.1
Scan saved at 2:09:47 AM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,yqunncv.exe
O2 - BHO: (no name) - {20729D3A-EBEF-465B-8AD7-C78D7B1F661B} - (no file)
O2 - BHO: (no name) - {B0A49443-E7F1-479F-94DB-CA88DA09FE68} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: sstts - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

I hope this helps! Regards!

Shaba · Dec 13, 2006

Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*) on Desktop

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"tahye"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"wdbwdt"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"tahye"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"tahye"=-

Doubleclick fix.reg, press Yes and ok.

Open HijackThis, click do a system scan only and checkmark these:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,yqunncv.exe
O2 - BHO: (no name) - {20729D3A-EBEF-465B-8AD7-C78D7B1F661B} - (no file)
O2 - BHO: (no name) - {B0A49443-E7F1-479F-94DB-CA88DA09FE68} - (no file)
O20 - Winlogon Notify: sstts - C:\WINDOWS\

Close all windows including browser and press fix checked

Reboot

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Send:

- a fresh HijackThis log
- smitfraudfix log

Fernando Spitaliere · Dec 13, 2006

Follow up 3

I've run the SmitfraudFix.exe file (which I've moved to the root) and gave me the following report. The weird thing is that the program seemed to halt scanning "winlogon:Sytem".

SmitFraudFix v2.130

Scan done at 18:00:11.39, Wed 12/13/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fernando Spitaliere

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fernando Spitaliere\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FERNAN~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

*********************************
*********************************

Logfile of HijackThis v1.99.1
Scan saved at 6:12:51 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Thanks!

Shaba · Dec 14, 2006

Hi

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open HijackThis, click do a system scan only and checkmark these:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe

Close all windows including browser and press fix checked.

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.

For Internet Explorer 4.x - 6.x

Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

For Netscape 4.x and Up

Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.

For Opera

Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.
______________________________

Please post:

c:\rapport.txt
Ewido log
A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

Fernando Spitaliere · Dec 16, 2006

Follow up 4

Sorry for the delay. I needed to take the time to ensure to follow your directions to the word.

:laugh:
OK, here are the logs:

SmitFraudFix v2.130

Scan done at 2:44:10.12, Sat 12/16/2006
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

************************************************
(cont)
************************************************

Fernando Spitaliere · Dec 16, 2006

Follow up 5

(Cont)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:11:43 AM 12/16/2006

+ Scan result:

C:\WINDOWS\system32\jwzpk.dll -> Adware.Adstart : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ophou.dll -> Adware.Adstart : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022432.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0022019.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022434.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022435.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022436.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022437.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022438.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022439.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022440.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022441.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022442.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022443.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022447.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022448.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022449.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022450.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022451.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022452.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022453.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022454.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022455.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022456.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022457.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022458.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022459.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022460.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022461.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022462.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022463.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022464.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022465.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022466.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022467.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022468.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022469.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022471.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022472.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022474.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022475.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022503.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022504.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022505.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022506.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022507.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022508.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022509.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022510.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP214\A0020538.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022416.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022418.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021962.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021968.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP266\A0023039.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022415.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022470.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP250\A0021419.exe -> Adware.VirusBurst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018472.exe -> Adware.VirusBursters : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP216\A0020619.exe -> Adware.VirusBursters : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP187\A0014912.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP187\A0014913.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP187\A0014914.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP187\A0014916.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022421.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022422.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021443.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP260\A0022641.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\QooBox\djlio.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\qsigj.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020519.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020606.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP266\A0023151.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\djlio.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[804] C:\WINDOWS\system32\esvfteh.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\s_install_ID8.exe -> Downloader.Small.aav : Cleaned with backup (quarantined).

***********************
(Cont)
***********************

Fernando Spitaliere · Dec 16, 2006

Follow up 6

(Cont)

C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022394.exe -> Downloader.Small.cpu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021967.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP231\A0021063.exe -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022417.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022413.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022407.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022411.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022409.exe -> Downloader.TSUpdate.p : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022403.exe -> Downloader.VB.vr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022419.exe -> Downloader.VB.zg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021975.dll -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018462.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018463.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018464.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018483.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018484.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018485.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0018486.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0019462.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0019463.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0019481.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0019482.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP210\A0019483.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0019508.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0019509.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0019510.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020508.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020509.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020510.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020524.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020525.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP212\A0020526.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020542.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020595.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020596.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020597.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020598.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020599.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020600.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020603.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020604.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020607.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP215\A0020608.exe -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022424.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022425.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022426.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022427.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022428.dll -> Downloader.Zlob.atg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021434.exe -> Downloader.Zlob.bbe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021432.exe -> Downloader.Zlob.bbf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021499.exe -> Downloader.Zlob.bbi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021976.dll -> Downloader.Zlob.hv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP187\A0014910.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022473.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021961.dll -> Not-A-Virus.Hoax.Win32.Renos.NAH : Cleaned with backup (quarantined).
C:\Program Files\LG Software Innovations\1Click DVD Copy 4.1\Vso\crack.exe -> Trojan.Delf.li : Cleaned with backup (quarantined).
C:\Program Files\LG Software Innovations\1Click DVD Copy 4.1\crack.exe -> Trojan.Delf.li : Cleaned with backup (quarantined).
C:\Util\Burn\1click\1click.dvd.copy.4.1.0.5 plus .cracked-tsrh.zip/crack.exe -> Trojan.Delf.li : Cleaned with backup (quarantined).
C:\Util\Burn\1click\crack.exe -> Trojan.Delf.li : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021958.dll -> Trojan.Mezzia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022444.vxd -> Trojan.Painwin.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022445.sys -> Trojan.Painwin.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021436.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021437.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021438.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021439.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP251\A0021440.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021960.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022433.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022431.exe -> Trojan.VB.ali : Cleaned with backup (quarantined).

::Report end

*******************************************
*******************************************

Logfile of HijackThis v1.99.1
Scan saved at 5:23:13 AM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ounjd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,yqunncv.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Thanks!

Shaba · Dec 16, 2006

Hi

Please download Qoofix by Rubber Ducky to your desktop.

Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
Close all windows and programs, including internet windows.
Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
Click Begin Removal and wait for the scan to finish
If Qoofix finds an infection, select yes to restart your computer
You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.

Fernando Spitaliere · Dec 20, 2006

Follow up 7

Thanks a lot, Shaba for your assistance!
Sorry for the delay, but I've just noticed there was a second page with your reply

Now, here is the Qoofix logfile:

Qoofix v1.04 by http://www.malwarebytes.org
Scan started on [12/20/2006] at [10:54:44 AM]
-------------------------------------------------------------
Terminated module: esvfteh.dll found in Qoofix.exe (3764)
Terminated module: esvfteh.dll found in xlwfdv.exe (1592)
Terminated module: esvfteh.dll found in ounjd.exe (1648)
Terminated module: esvfteh.dll found in ounjd.exe (1824)
Terminated module: esvfteh.dll found in ounjd.exe (1832)
Terminated module: esvfteh.dll found in wscntfy.exe (2664)
Terminated module: esvfteh.dll found in SpySweeper.exe (2804)
Terminated module: esvfteh.dll found in RoboType.exe (3020)
Terminated module: esvfteh.dll found in ctfmon.exe (3340)
Terminated module: esvfteh.dll found in explorer.exe (3912)
Terminated module: esvfteh.dll found in DVD43_Tray.exe (2496)
Terminated module: esvfteh.dll found in firefox.exe (4644)
-------------------------------------------------------------
C:\WINDOWS\system32\djlio.dat will be deleted on reboot!
C:\WINDOWS\system32\esvfteh.dll will be deleted on reboot!
C:\WINDOWS\system32\ounjd.exe will be deleted on reboot!
C:\WINDOWS\system32\xlwfdv.exe will be deleted on reboot!
C:\WINDOWS\system32\yqunncv.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qsigj.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [12/20/2006] at [10:58:16 AM]

Note: Some registry keys may have been removed.

Happy Christmas to all the staff!

resent: :angel:

Shaba · Dec 20, 2006

Hi

Please send also a fresh HijackThis log

Fernando Spitaliere · Dec 21, 2006

Follow up 8

Here is the HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:31 AM, on 12/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

I also noticed two or, sometimes more, Windows Security Alerts tray icons, which I had disabled.

THANKS!

:

Shaba · Dec 21, 2006

Hi

Now it looks good

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- kaspersky report

Fernando Spitaliere · Dec 22, 2006

Follow up 10

HJT and Kaspersky logfiles:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:34 AM, on 12/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

*************

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 22, 2006 2:27:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/12/2006
Kaspersky Anti-Virus database records: 253376
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 67859
Number of viruses found: 19
Number of infected objects: 55 / 0
Number of suspicious objects: 8
Duration of the scan process: 01:17:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip/ishost.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip/drsmartload46a.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/drsmartload45a.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\093C0000.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\096C0000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0000.VBN/data0007 Infected: Trojan-Downloader.Win32.Zlob.ate skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0000.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0000.VBN UPX: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0000.VBN PE_Patch.UPX: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0002.VBN/data0007 Infected: Trojan-Downloader.Win32.Zlob.ate skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0002.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0002.VBN UPX: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0002.VBN PE_Patch.UPX: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\098C0002.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80000.VBN/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80002.VBN/setup.exe Infected: Trojan.Win32.Crypt.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80002.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BD80002.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BF00000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BF00000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BF00000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D440000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D440000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D440000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1DB80000.VBN/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1DB80000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1DB80000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\history.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\key3.db Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS013B24DA-F7CB-4F32-A483-2D58E4A88FAB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS048EC737-3FFB-4692-993E-AB0CF6B4A6BF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS079CD9CD-A28B-4974-B504-28115BA72EEE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07A20EFE-C2FB-4E4C-9D4B-B250B29BA088.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0C0C57D7-A7C6-48F0-ABC0-F2D70B99865C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0F14BE8E-A093-48FA-A201-C6A2B9DC3897.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS123C36A4-6F91-4EF0-8A28-F0E122FD0A56.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS14FB2C2B-D50E-47EF-B86D-7300BD92A28F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1944DEB4-08EF-4F14-B1B6-0AA8B76CE2B3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS195A93C3-256B-4602-AA3A-9D4108EB9C07.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1A534933-56FA-42F0-AACA-D4244E8B1FAF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1A744AFF-E1A3-4979-9E0F-10A570BB095D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1EBF070D-C82F-4A02-841B-2F4D6CBA5B6F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS20891B76-4E5C-40D4-B757-C0BA5AF52694.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS23581280-17CA-4326-84CA-0790DAFA6D3E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS240E12F9-0BC2-40BD-983C-34F2FE92D223.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS255CB5E4-FD0F-40DA-AC76-5B0E617BDDB0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS26690186-C956-4661-BA38-FC8FA2855965.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS272E23D8-39DB-4384-80FF-4C5617B41CEA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B4D8A25-87A4-420E-98F6-9FFA061F4427.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B571248-2B2B-46E1-A169-B2D32C987E09.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2CF8845E-6358-4C91-8DB8-F806729FBB2A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2DA06F60-B46C-41E2-967A-E8EDDCD9019B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31D00A3A-1300-406A-BFA0-7BA994CDB000.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS35BAE0D9-EF79-4392-92BF-8DE0CB69F069.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS35FC9B9A-069B-41C8-9512-638EF4C1A5D9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3A024105-0CA7-494E-87F3-0F4C23347829.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3E844155-87C8-458F-B385-8F6A775E7547.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3EED3B3A-6290-4263-AABD-3DE5AB0F26B0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3FE78E11-82AC-43DB-945B-9979AE16A31D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS43C71857-F738-4ECC-8759-A0C746A4066A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4486A2F5-B3EB-4048-A875-490E4C02900A.tmp Object is locked skipped

*** CONT ***

Fernando Spitaliere · Dec 22, 2006

Follow up 10 (cont)

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS48A70887-B008-410F-9048-3DC13ED1FA79.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C0C5852-6E64-48CB-A45C-65A059DE66FE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4CC71F43-F883-472A-BC61-6C280A54E9BC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4F9F2F15-09BC-463E-A37A-DE5B6385EE80.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS571AD3A3-A648-4C2B-AF44-EEBFEF859000.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5B8A5530-EEB6-404C-9D90-85ADF183CB18.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5E92732C-597B-450C-8A0B-8A01EF02B9D0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6081D59C-28F2-4B9C-9172-06AB3EA67514.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64120F19-5431-49E3-AA1E-A9561C3D36D0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64C0A275-3F0C-441A-A7CE-AFB229E1A3EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS680979D1-2F72-4749-A762-79F39F637CA9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS68C60850-F48F-4109-95E6-48799043F9A3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6A2CA885-E57D-46C6-93A5-8F381C2EC9DF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6B8CE213-470F-4110-89BF-DA80204444D8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6C0C0C12-FE4D-4246-AECB-F7658A22271E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6CC624CD-AAAB-4EDB-A079-666D768C3368.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6ECD27D2-FB91-4EB3-907E-D1B6810E7C20.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6EDAD8BD-394F-4C59-9416-FA4ED48626A8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS702D3537-A433-4BB1-9C6E-27D28F12E80D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS70A8ACDD-F2DE-4507-8AC3-C23EE7742178.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS71175D9B-8AE7-48B3-BF26-8F91DD80A35D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS71F08F13-8C56-40B5-A6E2-A78378BD0B2E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS74689982-0108-4F1C-8B46-E0F6B56B9821.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS76530CBA-EDDE-414E-BCF6-7E8A11CC7562.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS76E20260-29AC-4FF3-AB03-0C04E282F7DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7A836B8D-A6D7-48AF-81B2-77B94C0CA50D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7C1C8981-C7A6-43B3-842F-A584265F3CCD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E545242-2429-46E2-A434-510A81C70D1E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7FB3E98B-797C-470B-8269-25FA0E4C3671.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS824292A5-E505-4067-8ED7-1309479B5F35.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8380D497-1123-4095-B65A-A834BC15E7D6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS841A3D36-F18D-434A-99AC-53FE09A452B2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS856A42D8-CC8A-443F-B8A8-85735FFC151B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS99DED67B-1E85-4664-A30D-88D8F6C39794.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9B1B65F5-E03C-4581-AC4F-5B9D9349033F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9CED400D-C883-4149-9C1C-1C33473F0D6E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9ED23EE2-44A4-4945-BEC5-C4FDBA2354BE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9FD116B1-9A2F-4520-80F1-51DAE048FDF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA499B996-7243-4DD1-A708-7757EF60BE88.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9BC8C5D-ADAA-4800-B9F7-00E25A87AEF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9F3F275-3A23-4921-8768-90DD11377051.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC28DCFD-2162-4223-B089-A8E0710571D4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC7D6453-FDAB-4828-9F57-8D3011B80A30.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAE7DD2F2-3E01-4E7C-B870-59254AFE7F1F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAFD70647-7011-42C5-BCF7-19947B29EC53.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB0FFA824-68FE-40F6-929F-16E0649F29BD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB39113AF-672F-451D-87D5-556EE18F6ABC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB3AF385F-B98C-4864-89B1-1B52682FF4C3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB839478D-5334-49C0-98DC-05E5826B692A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB88CCC02-CFB7-4DE8-8AD0-52A79D2DA0EC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBB7A8EAB-F1BF-45F6-A092-8609A6BCE16C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD41971D-0C06-4A24-9BE2-46957FA47CF0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBF6DD07A-88F9-487F-AEF3-BFC235D63A70.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3313A72-621B-4D55-8E74-236D848E82A7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3C1CF29-41D7-4608-BEAB-0E3A253E698B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC9EC89E1-820F-47D8-8022-32381C612B05.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD2010D85-8C69-4295-9C62-2694CA988D7C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD3792466-CC54-4CC3-A159-4D2C1D3F344E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD5BE726D-F20C-40F8-8B96-11E50D752AF1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD77997E7-13CE-4648-8801-AD011A325AF7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDA66BFCF-2418-4D89-8AF9-188DA2B8FB4F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDDBAB0D0-897C-4826-AC29-4E28C3314107.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDECBB0AD-3691-4BBB-B83F-ED4045939215.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE09A44CF-0C55-4698-A79B-6011D4994283.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE283FEA0-CCC9-46B5-BA3F-435C6E4AF1DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE3CC4C8B-4BE4-4EC3-A4B3-965065C1020D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE46AF31E-6D63-4FF0-97F5-B481567D72B1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEA05C66C-8237-47AF-A7E6-FCCBDDE2C6DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF551B704-DFC8-4CF0-B3A1-46D2D1CCA32E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF700CC9A-9F7E-41FD-AE18-185FB59621B7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF892C3CD-74C9-4672-AD1E-571A13E16B9C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFE91D933-DFC9-4D63-9EBC-DD464113720D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Games\Londinium\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Games\Londinium\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021973.dll Infected: not-virus:Hoax.Win32.Renos.gh skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Adstart.h skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Adstart.d skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe NSIS: infected - 5 skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP266\A0023037.dll Infected: Trojan-Downloader.Win32.Zlob.bem skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP267\A0023319.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023492.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023496.exe Infected: Trojan-Downloader.Win32.Small.aav skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023497.dll Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023498.dll Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023599.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023600.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023601.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023602.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023603.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP275\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\DHU.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\DHU.exe NSIS: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F6809FEC-3397-4175-AC3B-955347B3A223}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba · Dec 22, 2006

Hi

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\

Delete this:

C:\WINDOWS\DHU.exe

Empty Recycle Bin

Re-scan with kaspersky

Send:

- a fresh HijackThis log
- kaspersky report

Fernando Spitaliere · Dec 23, 2006

Follow up 11

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 23, 2006 2:22:15 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/12/2006
Kaspersky Anti-Virus database records: 253795
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 67460
Number of viruses found: 12
Number of infected objects: 28 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:17:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\history.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\key3.db Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Application Data\Mozilla\Firefox\Profiles\xnvx5qxu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\History\History.IE5\MSHist012006122220061223\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Fernando Spitaliere\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS013B24DA-F7CB-4F32-A483-2D58E4A88FAB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS048EC737-3FFB-4692-993E-AB0CF6B4A6BF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS079CD9CD-A28B-4974-B504-28115BA72EEE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07A20EFE-C2FB-4E4C-9D4B-B250B29BA088.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0C0C57D7-A7C6-48F0-ABC0-F2D70B99865C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0F14BE8E-A093-48FA-A201-C6A2B9DC3897.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS123C36A4-6F91-4EF0-8A28-F0E122FD0A56.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS14FB2C2B-D50E-47EF-B86D-7300BD92A28F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1944DEB4-08EF-4F14-B1B6-0AA8B76CE2B3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS195A93C3-256B-4602-AA3A-9D4108EB9C07.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1A534933-56FA-42F0-AACA-D4244E8B1FAF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1A744AFF-E1A3-4979-9E0F-10A570BB095D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1EBF070D-C82F-4A02-841B-2F4D6CBA5B6F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS20891B76-4E5C-40D4-B757-C0BA5AF52694.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS23581280-17CA-4326-84CA-0790DAFA6D3E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS240E12F9-0BC2-40BD-983C-34F2FE92D223.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS255CB5E4-FD0F-40DA-AC76-5B0E617BDDB0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS26690186-C956-4661-BA38-FC8FA2855965.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS272E23D8-39DB-4384-80FF-4C5617B41CEA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B4D8A25-87A4-420E-98F6-9FFA061F4427.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B571248-2B2B-46E1-A169-B2D32C987E09.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2CF8845E-6358-4C91-8DB8-F806729FBB2A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2DA06F60-B46C-41E2-967A-E8EDDCD9019B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31D00A3A-1300-406A-BFA0-7BA994CDB000.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS35BAE0D9-EF79-4392-92BF-8DE0CB69F069.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS35FC9B9A-069B-41C8-9512-638EF4C1A5D9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3A024105-0CA7-494E-87F3-0F4C23347829.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3E844155-87C8-458F-B385-8F6A775E7547.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3EED3B3A-6290-4263-AABD-3DE5AB0F26B0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3FE78E11-82AC-43DB-945B-9979AE16A31D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS43C71857-F738-4ECC-8759-A0C746A4066A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4486A2F5-B3EB-4048-A875-490E4C02900A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS48A70887-B008-410F-9048-3DC13ED1FA79.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C0C5852-6E64-48CB-A45C-65A059DE66FE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4CC71F43-F883-472A-BC61-6C280A54E9BC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4F9F2F15-09BC-463E-A37A-DE5B6385EE80.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS571AD3A3-A648-4C2B-AF44-EEBFEF859000.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5B8A5530-EEB6-404C-9D90-85ADF183CB18.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5E92732C-597B-450C-8A0B-8A01EF02B9D0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6081D59C-28F2-4B9C-9172-06AB3EA67514.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64120F19-5431-49E3-AA1E-A9561C3D36D0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64C0A275-3F0C-441A-A7CE-AFB229E1A3EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS680979D1-2F72-4749-A762-79F39F637CA9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS68C60850-F48F-4109-95E6-48799043F9A3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6A2CA885-E57D-46C6-93A5-8F381C2EC9DF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6B8CE213-470F-4110-89BF-DA80204444D8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6C0C0C12-FE4D-4246-AECB-F7658A22271E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6CC624CD-AAAB-4EDB-A079-666D768C3368.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6ECD27D2-FB91-4EB3-907E-D1B6810E7C20.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6EDAD8BD-394F-4C59-9416-FA4ED48626A8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS702D3537-A433-4BB1-9C6E-27D28F12E80D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS70A8ACDD-F2DE-4507-8AC3-C23EE7742178.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS71175D9B-8AE7-48B3-BF26-8F91DD80A35D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS71F08F13-8C56-40B5-A6E2-A78378BD0B2E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS74689982-0108-4F1C-8B46-E0F6B56B9821.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS76530CBA-EDDE-414E-BCF6-7E8A11CC7562.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS76E20260-29AC-4FF3-AB03-0C04E282F7DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7A836B8D-A6D7-48AF-81B2-77B94C0CA50D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7C1C8981-C7A6-43B3-842F-A584265F3CCD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E545242-2429-46E2-A434-510A81C70D1E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7FB3E98B-797C-470B-8269-25FA0E4C3671.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS824292A5-E505-4067-8ED7-1309479B5F35.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8380D497-1123-4095-B65A-A834BC15E7D6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS841A3D36-F18D-434A-99AC-53FE09A452B2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS856A42D8-CC8A-443F-B8A8-85735FFC151B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS99DED67B-1E85-4664-A30D-88D8F6C39794.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9B1B65F5-E03C-4581-AC4F-5B9D9349033F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9CED400D-C883-4149-9C1C-1C33473F0D6E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9ED23EE2-44A4-4945-BEC5-C4FDBA2354BE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9FD116B1-9A2F-4520-80F1-51DAE048FDF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA499B996-7243-4DD1-A708-7757EF60BE88.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9BC8C5D-ADAA-4800-B9F7-00E25A87AEF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9F3F275-3A23-4921-8768-90DD11377051.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC28DCFD-2162-4223-B089-A8E0710571D4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAC7D6453-FDAB-4828-9F57-8D3011B80A30.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAE7DD2F2-3E01-4E7C-B870-59254AFE7F1F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAFD70647-7011-42C5-BCF7-19947B29EC53.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB0FFA824-68FE-40F6-929F-16E0649F29BD.tmp Object is locked skipped

**** Continues *****

Fernando Spitaliere · Dec 23, 2006

Follow up 11 (cont)

(cont)

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB39113AF-672F-451D-87D5-556EE18F6ABC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB3AF385F-B98C-4864-89B1-1B52682FF4C3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB839478D-5334-49C0-98DC-05E5826B692A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB88CCC02-CFB7-4DE8-8AD0-52A79D2DA0EC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBB7A8EAB-F1BF-45F6-A092-8609A6BCE16C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD41971D-0C06-4A24-9BE2-46957FA47CF0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBF6DD07A-88F9-487F-AEF3-BFC235D63A70.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3313A72-621B-4D55-8E74-236D848E82A7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC3C1CF29-41D7-4608-BEAB-0E3A253E698B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC9EC89E1-820F-47D8-8022-32381C612B05.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD2010D85-8C69-4295-9C62-2694CA988D7C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD3792466-CC54-4CC3-A159-4D2C1D3F344E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD5BE726D-F20C-40F8-8B96-11E50D752AF1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD77997E7-13CE-4648-8801-AD011A325AF7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDA66BFCF-2418-4D89-8AF9-188DA2B8FB4F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDDBAB0D0-897C-4826-AC29-4E28C3314107.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDECBB0AD-3691-4BBB-B83F-ED4045939215.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE09A44CF-0C55-4698-A79B-6011D4994283.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE283FEA0-CCC9-46B5-BA3F-435C6E4AF1DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE3CC4C8B-4BE4-4EC3-A4B3-965065C1020D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE46AF31E-6D63-4FF0-97F5-B481567D72B1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEA05C66C-8237-47AF-A7E6-FCCBDDE2C6DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF551B704-DFC8-4CF0-B3A1-46D2D1CCA32E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF700CC9A-9F7E-41FD-AE18-185FB59621B7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF892C3CD-74C9-4672-AD1E-571A13E16B9C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFE91D933-DFC9-4D63-9EBC-DD464113720D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Games\Londinium\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Games\Londinium\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP253\A0021973.dll Infected: not-virus:Hoax.Win32.Renos.gh skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Adstart.h skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Adstart.d skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe/stream Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP258\A0022446.exe NSIS: infected - 5 skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP266\A0023037.dll Infected: Trojan-Downloader.Win32.Zlob.bem skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP267\A0023319.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023492.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023496.exe Infected: Trojan-Downloader.Win32.Small.aav skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023497.dll Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP270\A0023498.dll Infected: not-a-virus:AdWare.Win32.Adstart.i skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023599.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023600.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023601.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023602.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP274\A0023603.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP276\A0023660.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP276\A0023660.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{E97E932B-9CD7-44A1-9C9B-49033CF1F702}\RP276\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F6809FEC-3397-4175-AC3B-955347B3A223}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

******************

Logfile of HijackThis v1.99.1
Scan saved at 2:23:54 AM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Util\robotype\Robo3\RoboType.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Util\AntiVirus\Hijacthis1.99.0.1\HijackThis.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

Thanks again, Shaba!

Several Malware detected

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member