Suddenly winantivirus pro and other popups, spybot found Smitfraud-C.toolbar888

V

villager

New member
Hi, hope I can get some help here! The computer is glacially slow, almost too slow to use. Yesterday I began getting popups from Winantivirus pro, ErrorSafe, Movietickets.com, Jack9-unTV and others. I ran Spybot and Adaware several times with no improvement.

Today I read the "Before you Post" thread and have followed instructions as best I could. (For instance, I could not boot into "safe mode" to run Spybot ... the computer sat with a black screen for over 15 minutes before I re-booted it). Running Spybot in "regular mode" repeatedly found Smitfraud-C.toolbar888 and said it had cleaned it but it always reappeared in the next scan.

Here is my HJT file and online virus scan log file. (The virus scan program could not "cure" any of the infected files.)

Logfile of HijackThis v1.99.1
Scan saved at 2:42:25 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\smanager.7.exe
C:\WINNT\system32\avp.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SvcManager] servicess0.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\ehwttttw.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avp] C:\WINNT\system32\avp.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe

Scan Results: 51910 files scanned. 26 viruses were detected.

File Infection Status Path
VerifierBug.class-3cfa0102-44b71cfd.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
count.jar-1e3b1005-62ba0a26.zip Java/Shinwow.AT!ZIP infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-1e3b1005-62ba0a26.zip>BlackBox.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-1e3b1005-62ba0a26.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-1e3b1005-62ba0a26.zip>Dummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-1e3b1005-62ba0a26.zip>Beyond.class Java/Shinwow.AT infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-1109b54b-299eaf3d.zip>GetAccess.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-1109b54b-299eaf3d.zip>Installer.class Java/Shinwow.AZ infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-1109b54b-299eaf3d.zip>NewSecurityClassLoader.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-1109b54b-299eaf3d.zip>NewURLClassLoader.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv433.jar-1f248ffd-13af06f4.zip>Matrix.class Java/Shinwow.W infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv433.jar-1f248ffd-13af06f4.zip>Counter.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv433.jar-1f248ffd-13af06f4.zip>Dummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv433.jar-1f248ffd-13af06f4.zip>Parser.class Java/ByteVerify!exploit infected C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
inlw.exe Win32/Vaxkat.C infected C:\
A0014950.dll Win32/Darksma.X infected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\
A0014996.dll Win32/Aflac.D infected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\
A0015018.exe Win32/Clspring!generic infected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\
A0015024.exe Win32/Clspring.GQ infected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\
A0015068.dll Win32/Aflac.D infected C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\
ddcbxyv.dll Win32/Chisyne!generic infected C:\WINNT\system32\
ddcdbxv.dll Win32/Chisyne!generic infected C:\WINNT\system32\
drvnac.dll Win32/Aflac.D infected C:\WINNT\system32\
efcawww.dll Win32/Chisyne!generic infected C:\WINNT\system32\
mst56.tmp Win32/Aflac.D infected C:\WINNT\Temp\
mstC7.tmp Win32/Aflac.D infected C:\WINNT\Temp\
 
Hi villager

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
 
Thank you so much for answering. This is a nightmare!

To bring you up to date: I ran Avast antivirus and cleaned out a lot, but not all, of the viruses reported in the online scan, and I can now boot into "safe mode" should that be necessary. Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:48 AM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\avp.exe
C:\WINNT\smanager.7.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PINs\PINs.exe
C:\Program Files\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51248DEA-04B5-4AD8-AC08-547371D86740} - C:\WINNT\system32\efcawww.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINNT\system32\ksjjtjxu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F12DA0CD-FF51-4056-997B-325CD5E47E05} - C:\WINNT\system32\jkkjj.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avp] C:\WINNT\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SvcManager] servicess0.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\vfifjufx.dll",realset
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O20 - Winlogon Notify: efcawww - C:\WINNT\SYSTEM32\efcawww.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjj - C:\WINNT\system32\jkkjj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O20 - Winlogon Notify: winmxw32 - C:\WINNT\SYSTEM32\winmxw32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe
 
Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
Hi, Shaba;

Here are the results:

VundoFix V6.3.23

Checking Java version...

Scan started at 11:46:59 AM 5/19/2007

Listing files found while scanning....

C:\WINNT\system32\bgqcdjyg.dll
C:\WINNT\system32\ddcbxyv.dll
C:\WINNT\system32\ddcdbxv.dll
C:\WINNT\system32\efcawww.dll
C:\WINNT\system32\gntkdiqk.dll
C:\WINNT\system32\jjkkj.bak1
C:\WINNT\system32\jjkkj.bak2
C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jjkkj.tmp
C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\kqidktng.ini
C:\WINNT\system32\vfifjufx.dll
C:\WINNT\system32\xfujfifv.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\bgqcdjyg.dll
C:\WINNT\system32\bgqcdjyg.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ddcbxyv.dll
C:\WINNT\system32\ddcbxyv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ddcdbxv.dll
C:\WINNT\system32\ddcdbxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\efcawww.dll
C:\WINNT\system32\efcawww.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gntkdiqk.dll
C:\WINNT\system32\gntkdiqk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.bak1
C:\WINNT\system32\jjkkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.bak2
C:\WINNT\system32\jjkkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jjkkj.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.tmp
C:\WINNT\system32\jjkkj.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\jkkjj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\kqidktng.ini
C:\WINNT\system32\kqidktng.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vfifjufx.dll
C:\WINNT\system32\vfifjufx.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xfujfifv.ini
C:\WINNT\system32\xfujfifv.ini Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 12:13:31 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\avp.exe
C:\WINNT\smanager.7.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PINs\PINs.exe
C:\Program Files\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {51248DEA-04B5-4AD8-AC08-547371D86740} - C:\WINNT\system32\efcawww.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINNT\system32\ksjjtjxu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F12DA0CD-FF51-4056-997B-325CD5E47E05} - C:\WINNT\system32\jkkjj.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avp] C:\WINNT\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SvcManager] servicess0.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\vfifjufx.dll",realset
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O20 - Winlogon Notify: winmxw32 - C:\WINNT\SYSTEM32\winmxw32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe
 
Hi

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
Hi! That took a while! Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 1:00:45 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\WINNT\system32\fxssvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\avp.exe
C:\WINNT\smanager.7.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\explorer.exe
C:\Program Files\PINs\PINs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\Scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {77FC54F9-2B5E-49DB-BE1B-8C5382C9F44D} - C:\WINNT\system32\ddcyx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F12DA0CD-FF51-4056-997B-325CD5E47E05} - C:\WINNT\system32\jkkjj.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avp] C:\WINNT\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SvcManager] servicess0.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O20 - Winlogon Notify: ddcyx - C:\WINNT\system32\ddcyx.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nnnkjih - nnnkjih.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe


"Administration" - 2007-05-19 12:28:49 Service Pack 2
ComboFix 07-05.19.5.V - Running from: "C:\Documents and Settings\Administration\Desktop\"

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 79094 bytes in 1 streams.


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\ksjjtjxu.dll
C:\WINNT\system32\mljhifg.dll
C:\WINNT\system32\mljjjjg.dll
C:\WINNT\system32\qomkhgd.dll
C:\WINNT\system32\vtuutqo.dll
C:\WINNT\system32\xxywutu.dll
C:\WINNT\system32\winmxw32.dll
C:\WINNT\system32\nnnkjih.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\WINNT\MBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-19 ))))))))))))))))))))))))))))))))))


2007-05-19 12:38 262,708 ---hs---- C:\WINNT\system32\ddcyx.dll
2007-05-19 11:46 <DIR> d-------- C:\VundoFix Backups
2007-05-15 17:57 11,776 --a------ C:\WINNT\smanager.7.exe
2007-05-15 15:16 17,408 --a------ C:\WINNT\system32\avp.exe
2007-05-15 11:16 43,529 --a------ C:\bnmhr.exe
2007-05-15 11:08 86,016 --a------ C:\mgvrprgl.exe
2007-05-15 09:58 <DIR> d-------- C:\Program Files\MEDA Audio Recorder
2007-05-10 12:20 <DIR> d-------- C:\Program Files\freebird
2007-05-08 11:39 <DIR> d-------- C:\Program Files\TMPGEnc Plus 2.5


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-17 20:48:30 -------- d-----w C:\Program Files\Cryptainer LE
2007-05-16 18:30:32 -------- d-----w C:\Program Files\Disclib
2007-05-15 21:25:43 -------- d-----w C:\Program Files\TweakIE 3.1
2007-05-14 14:56:51 1,012 ----a-w C:\WINNT\system32\kri.dat
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-04-09 19:34:01 261 ----a-w C:\WINNT\RESTORE.DAT
2007-04-06 13:54:35 -------- d-----w C:\Program Files\CyberLink
2007-03-29 21:10:00 40,960 ----a-w C:\WINNT\DelPiv.exe
2007-03-29 16:28:57 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-03-29 16:13:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-29 15:49:03 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-03-09 15:54:31 -------- d-----w C:\Program Files\FavIcons


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll []
{77FC54F9-2B5E-49DB-BE1B-8C5382C9F44D}=C:\WINNT\system32\ddcyx.dll [2007-05-19 12:38]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 02:03]
{F12DA0CD-FF51-4056-997B-325CD5E47E05}=C:\WINNT\system32\jkkjj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"avp"="C:\WINNT\system32\avp.exe" [2007-05-15 15:16]
"SManager"="smanager.7.exe" []
"SvcManager"="servicess0.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2002-05-14 22:29]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2002-05-14 22:20]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 16:50 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" []
"GWMDMMSG"="GWMDMMSG.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sabre Site Services"="C:\SABRE\Apps\ATS\SSSClnt.EXE" [2002-02-07 19:40]
"Ltho"="C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Sabre Site Services"=C:\SABRE\Apps\ATS\SSSClnt.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=01000000
"NoRecentDocsMenu"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F7CF7B22-82BA-466D-BC65-D51B31C07455}"="C:\WINNT\system32\nnnkjih.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyx]
C:\WINNT\system32\ddcyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjih]
nnnkjih.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages :\WINNT\system3

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TweakIE Scheduler"=:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* -NMSSVC

Contents of the 'Scheduled Tasks' folder
2003-01-18 17:05:32 C:\WINNT\tasks\ISP signup reminder 1.job
2003-01-18 17:05:33 C:\WINNT\tasks\ISP signup reminder 2.job
2003-01-18 17:05:33 C:\WINNT\tasks\ISP signup reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-19 12:45:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\a[3].html 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\index[2].html 20480 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\lvm_e5131us[2].css 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\more_2[1].gif 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\snlgradient_panelsurround[1].gif 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\S_aotd[1].jpeg 8192 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\0OE3UDTM\vbulletin_multi_quote[1].js 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\bidnow_but_61x22[1].gif 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\blank[2].gif 168 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\Category6[1].swf 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\digg[1].png 384 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\frontdoor[1].js 12288 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\iepngfix[1].htc 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\movie_youtube[1].gif 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\result_list[2].css 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\3G80YBOD\ThumbnailServer2[3].jpeg 8192 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\1800291448328080_0[1].jpeg 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\1801179410498080_1[1].jpeg 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\ebaysup_e5111uk[2].js 20480 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\searchbox_title_flights[1].gif 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\skype[1].gif 400 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\SYS_EventDispatcher_e5134658490_1_en_US[2].js 8192 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\71XYJSK7\tab2Right[1].gif 4096 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\CAF7LH11.swf 32768 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\CAYF450H.swf 32768 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\find_btn[1].jpeg 8192 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\larrow[1].gif 80 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\login[1].swf 592 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\sp2_b[1].gif 8192 bytes
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\SRWLOPIX\thread_hot_new[1].gif 4096 bytes
C:\sccfg.sys 376 bytes

scan completed successfully
hidden files: 31


********************************************************************

Completion time: 2007-05-19 12:56:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-19 12:56


--- E O F ---
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {F12DA0CD-FF51-4056-997B-325CD5E47E05} - C:\WINNT\system32\jkkjj.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINNT\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SvcManager] servicess0.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\COMMON~1\FNTS~1\mshta.exe" -vt yazb
O20 - Winlogon Notify: nnnkjih - nnnkjih.dll (file missing)

Close all windows including browser and press fix checked.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes

    C:\WINNT\system32\ddcyx.dll
    C:\WINNT\system32\xycdd.*
  • Click Add Files and Click Close Window
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.[/list]

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Delete if present:

C:\WINNT\system32\avp.exe
C:\WINNT\smanager.7.exe
C:\PROGRA~1\COMMON~1\FNTS~1

Empty Recycle Bin

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\bnmhr.exe
C:\mgvrprgl.exe
C:\WINNT\System32\CfgSrvc.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
- vundofix report
- jotti/virustotal results
 
Hi. Here are the results from Virustotal:

(Note - couldn't find file C:\WINNT\System32\CfgSrvc.exe
but did find C:\WINNT\System32\CfgSrvc.exe~ which is the file I submitted.)

Will post this now and then will post the fresh HJT log/combofix report/vundofix report separately.



STATUS: FINISHEDComplete scanning result of "bnmhr.exe", received in VirusTotal at 05.19.2007, 19:54:38 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.18.2007 TR/FirePass.E
Authentium 4.93.8 05.18.2007 Possibly a new variant of W32/CodeCru-based!Maximus
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.19.2007 Generic4.QNI
BitDefender 7.2 05.19.2007 no virus found
CAT-QuickHeal 9.00 05.18.2007 Trojan.PolyCrypt.b
ClamAV devel-20070416 05.19.2007 no virus found
DrWeb 4.33 05.19.2007 BackDoor.Prive
eSafe 7.0.15.0 05.17.2007 Win32.PolyCrypt.b
eTrust-Vet 30.7.3644 05.19.2007 no virus found
Ewido 4.0 05.19.2007 Trojan.PolyCrypt.b
FileAdvisor 1 05.19.2007 no virus found
Fortinet 2.85.0.0 05.19.2007 suspicious
F-Prot 4.3.2.48 05.18.2007 W32/CodeCru-based!Maximus
F-Secure 6.70.13030.0 05.18.2007 Packed.Win32.PolyCrypt.b
Ikarus T3.1.1.7 05.19.2007 Packed.Win32.PolyCrypt.b
Kaspersky 4.0.2.24 05.19.2007 Packed.Win32.PolyCrypt.b
McAfee 5034 05.18.2007 no virus found
Microsoft 1.2503 05.19.2007 no virus found
NOD32v2 2277 05.18.2007 no virus found
Norman 5.80.02 05.18.2007 no virus found
Panda 9.0.0.4 05.19.2007 Trj/Agent.FIH
Prevx1 V2 05.19.2007 Malware.Trojan.Backdoor.Gen
Sophos 4.17.0 05.18.2007 Mal/HckPk-A
Sunbelt 2.2.907.0 05.17.2007 VIPRE.Suspicious
Symantec 10 05.19.2007 Trojan Horse
TheHacker 6.1.6.118 05.18.2007 Trojan/PolyCrypt.b
VBA32 3.12.0 05.18.2007 no virus found
VirusBuster 4.3.7:9 05.19.2007 no virus found
Webwasher-Gateway 6.0.1 05.18.2007 Trojan.FirePass.E


Aditional Information
File size: 43529 bytes



VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.


Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.


STATUS: FINISHEDComplete scanning result of "mgvrprgl.exe", received in VirusTotal at 05.19.2007, 20:14:16 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.18.2007 TR/Crypt.XDR.Gen
Authentium 4.93.8 05.18.2007 W32/Dropper.gen6
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.19.2007 BackDoor.Generic6.VCS
BitDefender 7.2 05.19.2007 Dropped:Rootkit.Agent.CO
CAT-QuickHeal 9.00 05.18.2007 Rootkit.Agent.ea
ClamAV devel-20070416 05.19.2007 no virus found
DrWeb 4.33 05.19.2007 Trojan.MulDrop.6216
eSafe 7.0.15.0 05.17.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3644 05.19.2007 no virus found
Ewido 4.0 05.19.2007 Rootkit.Agent.ea
FileAdvisor 1 05.19.2007 no virus found
Fortinet 2.85.0.0 05.19.2007 W32/Agent.EA!tr.rkit
F-Prot 4.3.2.48 05.18.2007 W32/Dropper.gen6
F-Secure 6.70.13030.0 05.18.2007 Rootkit.Win32.Agent.ea
Ikarus T3.1.1.7 05.19.2007 Rootkit.Win32.Agent.ea
Kaspersky 4.0.2.24 05.19.2007 Rootkit.Win32.Agent.ea
McAfee 5034 05.18.2007 no virus found
Microsoft 1.2503 05.19.2007 no virus found
NOD32v2 2277 05.18.2007 no virus found
Norman 5.80.02 05.18.2007 W32/Rootkit.ACL.dropper
Panda 9.0.0.4 05.19.2007 Malware Generic
Prevx1 V2 05.19.2007 Polynomial.Code.Exploit
Sophos 4.17.0 05.18.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 Rootkit.Win32.Agent.ea
Symantec 10 05.19.2007 no virus found
TheHacker 6.1.6.118 05.18.2007 Trojan/Agent.ea
VBA32 3.12.0 05.18.2007 no virus found
VirusBuster 4.3.7:9 05.19.2007 no virus found
Webwasher-Gateway 6.0.1 05.18.2007 Trojan.Crypt.XDR.Gen


Aditional Information
File size: 86016 bytes
MD5: 3515732e48996e3ac195b571b07122e4
SHA1: 27b78574635d48e91d492a3c90e955e8139edfcb
packers: UPX
packers: UPX
packers: UPX
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Decompressing UPX.
* File length: 86016 bytes.

[ Changes to filesystem ]
* Creates file C:WINDOWSsystem32windbg48.sys.
* Creates file C:WINDOWSTEMP_uninsep.bat.

[ Changes to registry ]
* Creates key "HKLMSystemCurrentControlSetServiceswindbg48".
* Sets value "ImagePath"="C:WINDOWSsystem32windbg48.sys" in key "HKLMSystemCurrentControlSetServiceswindbg48".
* Sets value "DisplayName"="windbg48" in key "HKLMSystemCurrentControlSetServiceswindbg48".

[ Process/window information ]
* Creates service "windbg48 (windbg48)" as "C:WINDOWSsystem32windbg48.sys".
* Attemps to open C:WINDOWSTEMP_uninsep.bat NULL.

[ Signature Scanning ]
* C:WINDOWSsystem32windbg48.sys (152576 bytes) : W32/Rootkit.ACL.


Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=660b93954788

VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.


Select file : DistributeSSL

Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.


STATUS: FINISHEDComplete scanning result of "CfgSrvc.exe_", received in VirusTotal at 05.19.2007, 20:25:01 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.16.1 05.18.2007 no virus found
AntiVir 7.4.0.23 05.18.2007 no virus found
Authentium 4.93.8 05.18.2007 no virus found
Avast 4.7.997.0 05.18.2007 no virus found
AVG 7.5.0.467 05.19.2007 no virus found
BitDefender 7.2 05.19.2007 no virus found
CAT-QuickHeal 9.00 05.18.2007 no virus found
ClamAV devel-20070416 05.19.2007 no virus found
DrWeb 4.33 05.19.2007 no virus found
eSafe 7.0.15.0 05.17.2007 no virus found
eTrust-Vet 30.7.3644 05.19.2007 no virus found
Ewido 4.0 05.19.2007 no virus found
FileAdvisor 1 05.19.2007 no virus found
Fortinet 2.85.0.0 05.19.2007 no virus found
F-Prot 4.3.2.48 05.18.2007 no virus found
F-Secure 6.70.13030.0 05.18.2007 no virus found
Ikarus T3.1.1.7 05.19.2007 no virus found
Kaspersky 4.0.2.24 05.19.2007 no virus found
McAfee 5034 05.18.2007 no virus found
Microsoft 1.2503 05.19.2007 no virus found
NOD32v2 2277 05.18.2007 no virus found
Norman 5.80.02 05.18.2007 no virus found
Panda 9.0.0.4 05.19.2007 no virus found
Prevx1 V2 05.19.2007 no virus found
Sophos 4.17.0 05.18.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.19.2007 no virus found
TheHacker 6.1.6.118 05.18.2007 no virus found
VBA32 3.12.0 05.18.2007 no virus found
VirusBuster 4.3.7:9 05.19.2007 no virus found
Webwasher-Gateway 6.0.1 05.18.2007 no virus found


Aditional Information
File size: 55296 bytes
MD5: 01b158419aa4525054d0673619ae3067
SHA1: 083511c950e40d8e57cba204eb451f30da3fd3fa
 
As promised:

Note - Instruction to Delete if present ... the only file present was C:\WINNT\system32\avp.exe and I duly deleted it.

"Administration" - 2007-05-19 14:36:08 Service Pack 2
ComboFix 07-05.19.5.V - Running from: "C:\Documents and Settings\Administration\Desktop\"



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\FNTS~1
C:\qoobox\purity\C\WINNT\MBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-19 ))))))))))))))))))))))))))))))))))


2007-05-19 12:56 49,152 --a------ C:\WINNT\nircmd.exe
2007-05-19 11:46 <DIR> d-------- C:\VundoFix Backups
2007-05-15 17:57 11,776 --a------ C:\WINNT\smanager.7.exe
2007-05-15 11:16 43,529 --a------ C:\bnmhr.exe
2007-05-15 11:08 86,016 --a------ C:\mgvrprgl.exe
2007-05-15 09:58 <DIR> d-------- C:\Program Files\MEDA Audio Recorder
2007-05-10 12:20 <DIR> d-------- C:\Program Files\freebird
2007-05-08 11:39 <DIR> d-------- C:\Program Files\TMPGEnc Plus 2.5


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-17 20:48:30 -------- d-----w C:\Program Files\Cryptainer LE
2007-05-16 18:30:32 -------- d-----w C:\Program Files\Disclib
2007-05-15 21:25:43 -------- d-----w C:\Program Files\TweakIE 3.1
2007-05-14 14:56:51 1,012 ----a-w C:\WINNT\system32\kri.dat
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-04-09 19:34:01 261 ----a-w C:\WINNT\RESTORE.DAT
2007-04-06 13:54:35 -------- d-----w C:\Program Files\CyberLink
2007-03-29 21:10:00 40,960 ----a-w C:\WINNT\DelPiv.exe
2007-03-29 16:28:57 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-03-29 16:13:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-29 15:49:03 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-03-09 15:54:31 -------- d-----w C:\Program Files\FavIcons


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll []
{77FC54F9-2B5E-49DB-BE1B-8C5382C9F44D}=C:\WINNT\system32\ddcyx.dll []
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 02:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2002-05-14 22:29]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2002-05-14 22:20]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 16:50 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" []
"GWMDMMSG"="GWMDMMSG.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sabre Site Services"="C:\SABRE\Apps\ATS\SSSClnt.EXE" [2002-02-07 19:40]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Sabre Site Services"=C:\SABRE\Apps\ATS\SSSClnt.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=01000000
"NoRecentDocsMenu"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F7CF7B22-82BA-466D-BC65-D51B31C07455}"="C:\WINNT\system32\nnnkjih.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages :\WINNT\system3

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TweakIE Scheduler"=:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* -NMSSVC

Contents of the 'Scheduled Tasks' folder
2003-01-18 17:05:32 C:\WINNT\tasks\ISP signup reminder 1.job
2003-01-18 17:05:33 C:\WINNT\tasks\ISP signup reminder 2.job
2003-01-18 17:05:33 C:\WINNT\tasks\ISP signup reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-19 14:40:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\sccfg.sys 376 bytes

scan completed successfully
hidden files: 1


********************************************************************

Completion time: 2007-05-19 14:43:16
C:\ComboFix-quarantined-files.txt ... 2007-05-19 14:43
C:\ComboFix2.txt ... 2007-05-19 12:56


--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 2:49:04 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\PINs\PINs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\Scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {77FC54F9-2B5E-49DB-BE1B-8C5382C9F44D} - C:\WINNT\system32\ddcyx.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe


VundoFix V6.3.23

Checking Java version...

Scan started at 11:46:59 AM 5/19/2007

Listing files found while scanning....

C:\WINNT\system32\bgqcdjyg.dll
C:\WINNT\system32\ddcbxyv.dll
C:\WINNT\system32\ddcdbxv.dll
C:\WINNT\system32\efcawww.dll
C:\WINNT\system32\gntkdiqk.dll
C:\WINNT\system32\jjkkj.bak1
C:\WINNT\system32\jjkkj.bak2
C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jjkkj.tmp
C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\kqidktng.ini
C:\WINNT\system32\vfifjufx.dll
C:\WINNT\system32\xfujfifv.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\bgqcdjyg.dll
C:\WINNT\system32\bgqcdjyg.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ddcbxyv.dll
C:\WINNT\system32\ddcbxyv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ddcdbxv.dll
C:\WINNT\system32\ddcdbxv.dll Has been deleted!

Attempting to delete C:\WINNT\system32\efcawww.dll
C:\WINNT\system32\efcawww.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gntkdiqk.dll
C:\WINNT\system32\gntkdiqk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.bak1
C:\WINNT\system32\jjkkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.bak2
C:\WINNT\system32\jjkkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jjkkj.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\jjkkj.tmp
C:\WINNT\system32\jjkkj.tmp Has been deleted!

Attempting to delete C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\jkkjj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\kqidktng.ini
C:\WINNT\system32\kqidktng.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vfifjufx.dll
C:\WINNT\system32\vfifjufx.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xfujfifv.ini
C:\WINNT\system32\xfujfifv.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.23

Checking Java version...

Scan started at 1:24:10 PM 5/19/2007

Listing files found while scanning....

C:\WINNT\system32\ddcyx.dll
C:\WINNT\system32\xycdd.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\ddcyx.dll
C:\WINNT\system32\ddcyx.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xycdd.ini
C:\WINNT\system32\xycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!
 
Hi

Looking better :)

Delete these if present:

C:\bnmhr.exe
C:\mgvrprgl.exe
C:\WINNT\smanager.7.exe
C:\WINNT\system32\windbg48.sys

Have you set all 015 lines by yourself?

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
 
Hello! Glad it's looking better - and it's acting a bit more like a puppy than the tired old dog it was a couple of days ago.

1. Deleted all except C:\WINNT\system32
windbg48.sys which was not there.

2. Yes, all the 015 lines were by me and are valid

3. Kaspersky results and new HJT log follow:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:39 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {77FC54F9-2B5E-49DB-BE1B-8C5382C9F44D} - C:\WINNT\system32\ddcyx.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 20, 2007 12:59:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/05/2007
Kaspersky Anti-Virus database records: 325040
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 53167
Number of viruses found: 18
Number of infected objects: 75
Number of suspicious objects: 0
Duration of the scan process: 02:13:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FcPred.jar-10bfbdb3-16d4cdb8.zip/FcPred.class Infected: Trojan-Downloader.Java.Agent.c skipped
C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\FcPred.jar-10bfbdb3-16d4cdb8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-7239fec5-115ef3b5.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-7239fec5-115ef3b5.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-7239fec5-115ef3b5.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\version.jar-7239fec5-115ef3b5.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Administration\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\History\History.IE5\MSHist012007052020070521\index.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administration\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administration\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_06909985-1057-49ba-86b3-8977e6de8ee1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f10b6104748a88495102fff47a288592_06909985-1057-49ba-86b3-8977e6de8ee1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Adobe PDF 6.0\Settings\Standard(1).joboptions Object is locked skipped
C:\Documents and Settings\All Users\Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst1.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst10.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst11.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst12.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst13.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst14.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst15.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst2.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst3.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst4.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst5.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst6.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst7.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst8.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst9.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\RFA_Backups\2006_07_14_103936.reg Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\QooBox\Quarantine\C\WINNT\system32\ksjjtjxu.dll.vir Infected: Trojan.Win32.BHO.g skipped
C:\QooBox\Quarantine\C\WINNT\system32\mljhifg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\mljjjjg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\nnnkjih.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\qomkhgd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\vtuutqo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\winmxw32.dll.vir Infected: Trojan.Win32.Agent.qt skipped
C:\QooBox\Quarantine\C\WINNT\system32\xxywutu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1645913625-1343578559-2402560322-1005\Dc1.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\RECYCLER\S-1-5-21-1645913625-1343578559-2402560322-1005\Dc2.exe Infected: Rootkit.Win32.Agent.ea skipped
C:\RECYCLER\S-1-5-21-1645913625-1343578559-2402560322-1005\Dc3.exe~ Infected: Rootkit.Win32.Agent.ea skipped
C:\RECYCLER\S-1-5-21-1645913625-1343578559-2402560322-1005\Dc4.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP101\A0012798.exe/Stream/data0036 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP101\A0012798.exe/Stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP101\A0012798.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar/serial.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar/serial.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar/serial.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015085.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015085.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015085.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015089.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015090.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015163.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015199.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015199.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015199.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015234.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015258.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015299.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015300.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015301.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015302.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016405.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016406.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016407.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016409.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016411.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016460.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016461.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016462.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016463.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016464.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016465.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016466.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\change.log Object is locked skipped
C:\VundoFix Backups\bgqcdjyg.dll.bad Infected: Trojan.Win32.BHO.o skipped
C:\VundoFix Backups\ddcbxyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ddcdbxv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ddcyx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\efcawww.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\gntkdiqk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\VundoFix Backups\jkkjj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\vfifjufx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\servicess0.exe~ Infected: Packed.Win32.PolyCrypt.b skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\Perflib_Perfdata_638.dat Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


(FYI prior commitments will take me away from home this afternoon and evening, and I won't be able to reply again until tomorrow. Please know that I am very, very grateful for your help!)
 
Hi

Empty these folders:

C:\Documents and Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
C:\QooBox\Quarantine
C:\VundoFix Backups

Delete this:

C:\WINNT\system32\servicess0.exe~

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
OK ... here we go!

Logfile of HijackThis v1.99.1
Scan saved at 11:33:26 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\ssoftsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {77FC54F9-2B5E-49DB-BE1B-8C5382C9F44D} - C:\WINNT\system32\ddcyx.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra 'Tools' menuitem: TweakIE 3.1 - {79F436C2-3CA2-45A4-A52E-694B23DFFA88} - C:\Program Files\TweakIE 3.1\TweakIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: *.amaseusproweb.com
O15 - Trusted Zone: http://*.amadeus.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE203D9-A743-4D79-8C97-D358D3B93812}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINNT\System32\CfgSrvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINNT\SYSTEM32\ssoftsrv.exe
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 21, 2007 11:29:18 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/05/2007
Kaspersky Anti-Virus database records: 325382
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 53213
Number of viruses found: 16
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 02:37:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administration\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\History\History.IE5\MSHist012007052120070522\index.dat Object is locked skipped
C:\Documents and Settings\Administration\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administration\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administration\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administration\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_06909985-1057-49ba-86b3-8977e6de8ee1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f10b6104748a88495102fff47a288592_06909985-1057-49ba-86b3-8977e6de8ee1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Adobe PDF 6.0\Settings\Standard(1).joboptions Object is locked skipped
C:\Documents and Settings\All Users\Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst1.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst10.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst11.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst12.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst13.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst14.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst15.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst2.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst3.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst4.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst5.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst6.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst7.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst8.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0005C451\Plylst9.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\RFA_Backups\2006_07_14_103936.reg Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP101\A0012798.exe/Stream/data0036 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP101\A0012798.exe/Stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP101\A0012798.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar/serial.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe/data.rar Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014981.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar/serial.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe/data.rar Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014982.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar/serial.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe/data.rar Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP103\A0014984.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015085.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015085.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015085.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015089.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP107\A0015090.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015163.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015199.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015199.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015199.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015234.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015258.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015299.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015300.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015301.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015302.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP109\A0015304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016405.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016406.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016407.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016409.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016411.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016460.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016461.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016462.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016463.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016464.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016465.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016466.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016649.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016650.exe Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\A0016651.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP111\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\Perflib_Perfdata_620.dat Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Shaba ... Hi.

I don't think there are any more issues, but I won't know for sure until I use it a bit. When we started, bootup took 8 minutes. Now it only takes 3. No more pop-ups and everything internet related seems to be moving at normal speed.

Should I be concerned with the viruses in restore the latest Kaspersky reported? I don't ever use restore, but they make me nervous.

Hope this is right ... (it's googled): PALJON KIITOKSIA!
 
Hi

I give you later instructions how to clean system restore.

Other than that, any problems left?

And yes it was correct, "ole hyvä" ;)
 
Hi, Shaba;

Well ... I've used the computer for 24 hours now and no issues :D:

I would say that the exorcism was successful!

You do good work and thanks again!
 
You must log in or register to reply here.
Back
Top