Virtumonde again

Connery

Still working my way through getting updates working as described here:
http://forums.spybot.info/showpost.php?p=162686&postcount=35
Not working so far, and meanwhile I've been hit again.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 29, 2008 2:32:40 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 587936
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 75186
Number of viruses found: 23
Number of infected objects: 318
Number of suspicious objects: 0
Duration of the scan process: 02:03:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\SDSD\KodakSvc\1.2.484.0\System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.html Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\x\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\History\History.IE5\MSHist012008022920080301\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temp\A43AD1E.dmp Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX60F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX615.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX618.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX61E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX624.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX627.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX62A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX634.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX637.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX63D.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX643.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX646.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX649.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX66F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX67F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX69B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX6BE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX6DB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX6EC.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX715.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX718.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX71E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX725.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX728.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX72B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXD89.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXD94.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDA2.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDA8.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDBA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDC7.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\TMP37.tmp Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\Documents and Settings\x\Local Settings\Temp\winvsnet.exe Infected: not-a-virus:Downloader.Win32.WinFixer.dz skipped
C:\Documents and Settings\x\Local Settings\Temp\yazzsnet.exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\x\Local Settings\Temp\yazzsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\0VW3UDCB\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\4N7VMKPT\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\K1O5W1OH\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\M3830VK1\cmd[2].htm Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\U7E5GVCT\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\x\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Accessories\vawok89104.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Logitech\Video\ISStart.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Logitech\Video\LogiTray.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0183NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0767NAV~.TMP Object is locked skipped
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Support.com\Charter\bin\SSRunScript.exe Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3364.exe Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3367 Infected: Trojan.Win32.Zapchast.dt skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3374.tmp Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3375.tmp Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3377.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3378.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3379.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3380.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP0\A0000001.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP0\A0000013.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP0\A0000014.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000032.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000033.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000034.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000035.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000036.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000039.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000040.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000041.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000042.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000043.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000044.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000046.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000047.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000048.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000049.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000050.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000051.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000052.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000053.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000054.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000055.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000056.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000057.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000059.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000060.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000061.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000062.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000063.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000065.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000067.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000068.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000069.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000070.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000071.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000072.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000073.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000074.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000075.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000076.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000077.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000078.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000079.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000080.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000081.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000082.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000083.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000084.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000085.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000086.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000087.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000088.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000089.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000090.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000091.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000092.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000093.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000094.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000095.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000096.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000097.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000098.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000099.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000100.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000101.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000102.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000103.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000104.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000105.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000106.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000107.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000108.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000109.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000110.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000111.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000112.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000113.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000114.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000115.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000116.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000117.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000118.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000119.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000120.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000121.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000123.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000124.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000125.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000126.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000127.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000128.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000129.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000130.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000131.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000132.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000171.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000172.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000173.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000174.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000175.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000177.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000178.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000179.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000180.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000181.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000182.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000183.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000184.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000185.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000186.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000187.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000188.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000191.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000192.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000193.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000194.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000195.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000198.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000199.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000200.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000201.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000209.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000211.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000212.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000213.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000214.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000215.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000216.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000217.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000218.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000219.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000220.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000224.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP35\A0007779.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP35\A0007791.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009762.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009764.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009766.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009767.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009768.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009769.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009770.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009771.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009772.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009773.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009774.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009782.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009791.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0010759.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011762.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011764.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011765.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011766.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011767.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011768.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011769.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011770.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011771.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011772.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011773.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011776.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011781.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011781.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011782.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011792.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011793.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011794.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011795.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011796.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011797.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011798.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011799.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011800.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011801.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011820.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011834.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011837.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011838.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011839.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011840.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011841.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011842.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011843.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011844.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011845.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011846.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011847.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011848.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\change.log Object is locked skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000236.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000237.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000238.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000239.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000240.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000241.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000242.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000243.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000244.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000245.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000246.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000247.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000269.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP5\A0000270.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP6\A0000314.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP6\A0000315.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP7\A0000316.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP7\A0000320.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP7\A0000321.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000332.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000337.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000338.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000346.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001371.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/a_bcd.dll Infected: Backdoor.IRC.Cloner skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/abc2.dll Infected: Backdoor.IRC.Cloner.x skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/abcd.jpg Infected: Backdoor.IRC.Cloner skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/adobea.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/adobes.exe Infected: Backdoor.Win32.mIRC-based skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/gg.bat Infected: Backdoor.IRC.Cloner.k skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe ZIP: infected - 7 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe CryptFF: infected - 7 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001375.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001377.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001378.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001379.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001380.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001381.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001382.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001382.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001383.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001384.exe Infected: Trojan-Proxy.Win32.Wopla.at skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001385.exe Infected: Virus.Win32.Trats.d skipped
C:\WINNT\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\UserMode\boot.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\WINNT\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\WINNT\mrofinu572.exe.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{51BBA5FA-6AC7-4488-B2D4-172AED976C78}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\awtqnmn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\boctkxqj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\ctfmon.exe.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINNT\system32\drivers\drmkk.sys Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\hc4\pon89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\WINNT\system32\hc4\pon89104.exe NSIS: infected - 1 skipped
C:\WINNT\system32\hgqiwwvy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\iDlo01\iDlo011065.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\WINNT\system32\jlsmhoii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINNT\system32\mlnmp.ini Object is locked skipped
C:\WINNT\system32\niujwtjl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\pmnlm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\pmnlm.exe Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\pvptixxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\rbyhwciy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\windows Infected: Trojan.Win32.Zapchast.dt skipped
C:\WINNT\system32\windows_tobedeleted_old Infected: Trojan.Win32.Zapchast.dt skipped
C:\WINNT\system32\ypnedfdp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:59 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\Trend Micro\HijackThis\connery.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {05F1D121-6A5B-4756-818C-23BEDF093E30} - C:\Program Files\Accessories\vawok89104.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35FBE3AD-9375-441A-B30C-9473D6A07935} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINNT\system32\ypnedfdp.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: {dcb77d86-b8ec-8628-9c24-81e01c34132c} - {c23143c1-0e18-42c9-8268-ce8b68d77bcd} - C:\WINNT\system32\pvptixxw.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINNT\system32\awtqnmn.dll
O2 - BHO: 0 - {F550F5E6-F62A-423C-2F8A-E2B2439513A0} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - C:\WINNT\SYSTEM32\awtqnmn.dll
O20 - Winlogon Notify: ypnedfdp - C:\WINNT\SYSTEM32\ypnedfdp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 11781 bytes
 
Download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the log from the scan please.
 
Didn't find any log from the scan. It found 2 items and deleted them successfully. Neither shows up if I repeat the scan.

Here's a new hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:11 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\drivers\svchost.exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\WINNT\system32\ctfmon .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\drivers\svchost .exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
F3 - REG:win.ini: run="C:\WINNT\system32\winupdate.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {05F1D121-6A5B-4756-818C-23BEDF093E30} - C:\Program Files\Accessories\vawok89104.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AE6DFF5-EABE-4A8F-BB26-C88F5D375D28} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O2 - BHO: {b751cb9a-9e49-adba-5254-56c522b5ef7d} - {d7fe5b22-5c65-4525-abda-94e9a9bc157b} - C:\WINNT\system32\cyarguir.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINNT\system32\awtqnmn.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\system32\wscmp.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [7cbc824f] rundll32.exe "C:\WINNT\system32\nssigidw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - C:\WINNT\SYSTEM32\awtqnmn.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 13083 bytes
 
It should be located here: C:\vundofix.txt

---------------------------------------

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.



1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no Internet connection after ComboFix has completely finished, restart your computer to restore the connection.

3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
 
VundoFix V7.0.1
Scan started at 11:59:22 PM 3/9/2008

Listing files found while scanning....

VundoFix V7.0.1

Scan started at 6:24:22 AM 3/10/2008

Listing files found while scanning....

C:\WINNT\system32\ypnedfdp.dll
C:\WINNT\tk58.exe

Beginning removal...

Attempting to delete C:\WINNT\system32\ypnedfdp.dll
C:\WINNT\system32\ypnedfdp.dll Has been deleted!

Attempting to delete C:\WINNT\tk58.exe
C:\WINNT\tk58.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.1

Scan started at 12:36:06 AM 3/11/2008

Listing files found while scanning....

No infected files were found.


ComboFix 08-03-10.1 - x 2008-03-11 18:49:53.5 - NTFSx86
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Accessories\vawok89104.dll
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\ISStart.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\Support.com\Charter\bin\SSRunScript.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\awtqnmn.dll
C:\WINNT\system32\boctkxqj.dll
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\cyarguir.dll
C:\WINNT\system32\drivers\drmkk.sys
C:\WINNT\system32\drivers\svchost.exe
C:\WINNT\system32\edgvqvpu.ini
C:\WINNT\system32\hgqiwwvy.dll
C:\WINNT\system32\iDlo01
C:\WINNT\system32\iDlo01\iDlo011065.exe
C:\WINNT\system32\jlsmhoii.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\niujwtjl.dll
C:\WINNT\system32\nssigidw.dll
C:\WINNT\system32\ntload.sys
C:\WINNT\system32\pac.txt
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\pvptixxw.dll
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINNT\system32\upvqvgde.dll
C:\WINNT\system32\wdigissn.ini
C:\WINNT\system32\windows
C:\WINNT\system32\winupdate.exe
C:\WINNT\system32\wscmp.dll
C:\WINNT\system32\yvwwiqgh.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DRMKK
-------\LEGACY_NTLOAD
-------\drmkk
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 21:42 . 2008-03-10 21:42 338,944 --a------ C:\WINNT\system32\RCX26.tmp
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-10 21:43 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-08 15:36 . 2008-03-08 15:36 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-03-04 07:42 . 2008-03-04 07:42 0 --a------ C:\WINNT\system32\sex2.ico.tmp
2008-03-03 20:42 . 2008-03-03 20:42 0 --a------ C:\WINNT\system32\sex1.ico.tmp
2008-03-03 20:31 . 2008-03-10 21:43 22,016 --a------ C:\WINNT\system32\drivers\svchost .exe
2008-03-02 18:16 . 2008-03-02 18:16 3,262 --a------ C:\WINNT\system32\sex5.ico
2008-03-02 18:15 . 2008-03-02 18:15 3,262 --a------ C:\WINNT\system32\sex4.ico
2008-03-02 18:15 . 2008-03-02 18:15 3,262 --a------ C:\WINNT\system32\sex3.ico
2008-03-02 18:14 . 2008-03-04 07:41 3,262 --a------ C:\WINNT\system32\sex2.ico
2008-03-02 18:14 . 2008-03-02 18:14 3,262 --a------ C:\WINNT\system32\sex1.ico
2008-03-02 18:11 . 2008-03-02 18:11 87,040 --a------ C:\WINNT\e01.exe
2008-03-02 18:11 . 2008-03-02 18:11 23,040 --a------ C:\acuqb6.exe
2008-02-29 21:54 . 2008-02-29 21:54 167,545 --a------ C:\WINNT\system32\drivers\core.cache.dsk
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-02-28 07:37 . 2008-02-28 22:55 294 ---hs---- C:\WINNT\system32\yicwhybr.ini
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-11 19:15 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:49 . 2008-03-10 19:48 23,362 ---hs---- C:\WINNT\system32\ypnedfdp.dllbox
2008-02-26 20:47 . 2008-02-26 20:47 36,864 --a------ C:\WINNT\17PHolmes572.exe
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:41 . 2008-02-26 21:34 376,832 --a------ C:\WINNT\mrofinu572.exe.tmp
2008-02-26 20:41 . 2008-02-26 21:34 36,864 --a------ C:\WINNT\mrofinu572.exe
2008-02-26 20:41 . 2008-02-26 20:41 36,864 --a------ C:\WINNT\mrofinu1000106.exe
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 03:16 335,360 ----a-w C:\WINNT\system32\pmnlm.dll
2008-03-12 03:08 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.
<pre>
----a-w           151,597 2008-03-11 05:42:45  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            52,840 2008-03-11 05:43:03  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           267,048 2008-03-11 05:43:06  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            32,881 2008-03-11 05:42:49  C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w           188,416 2008-03-11 05:42:57  C:\Program Files\Logitech\Video\ISStart .exe
----a-w            77,824 2008-03-11 05:42:54  C:\Program Files\Logitech\Video\LogiTray .exe
----a-w            40,960 2008-03-11 05:42:54  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w           420,352 2008-03-12 03:18:03  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w            40,960 2008-03-11 05:42:41  C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
----a-w            15,360 2008-03-11 05:43:13  C:\WINNT\system32\ctfmon .exe
----a-w            22,016 2008-03-11 05:43:16  C:\WINNT\system32\drivers\svchost .exe
----a-w           753,664 2008-03-11 05:43:08  C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FDB8E2-E646-47B1-888E-F960D2AA8D6A}]
2008-03-11 19:16 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]
C:\Program Files\Windows Media Player\rybiv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-11 19:18 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINNT\\system32\\drivers\\svchost .exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-12 00:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 19:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-11 19:26:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 03:25:51
ComboFix2.txt 2008-02-06 15:31:22
ComboFix3.txt 2008-02-05 17:23:33
ComboFix4.txt 2008-02-05 04:38:31
ComboFix5.txt 2008-02-03 21:52:40
.
2008-03-12 03:24:25 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:28 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O2 - BHO: (no name) - {F11D0CCE-84A1-40B9-A192-EDDCBCE0BDF9} - C:\WINNT\system32\pmnlm.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 11673 bytes
 
Open notepad and copy/paste the text in the codebox below into it:

Code:
Driver::
drmkk
ntload
File::
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\Program Files\Accessories\vawok89104.dll
C:\WINNT\system32\sex5.ico
C:\WINNT\system32\sex4.ico
C:\WINNT\system32\sex2.ico.tmp
C:\WINNT\system32\sex1.ico.tmp
C:\WINNT\system32\sex3.ico
C:\WINNT\system32\sex2.ico
C:\WINNT\system32\sex1.ico
C:\acuqb6.exe
C:\WINNT\system32\yicwhybr.ini
C:\WINNT\mrofinu572.exe
C:\WINNT\mrofinu1000106.exe
C:\WINNT\system32\RCX26.tmp
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\system32\cyarguir.dll
C:\WINNT\system32\wscmp.dll
C:\WINNT\system32\awtqnmn.dll
C:\WINNT\system32\nssigidw.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FDB8E2-E646-47B1-888E-F960D2AA8D6A}]
RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\Logitech\Video\ISStart .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
C:\WINNT\system32\ctfmon .exe
C:\WINNT\system32\drivers\svchost .exe
C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe

Save this as "CFScript"


[Image: CFScript.gif]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
 
ComboFix 08-03-10.1 - x 2008-03-12 6:02:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\acuqb6.exe
C:\Program Files\Accessories\vawok89104.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\mrofinu1000106.exe
C:\WINNT\mrofinu572.exe
C:\WINNT\system32\awtqnmn.dll
C:\WINNT\system32\cyarguir.dll
C:\WINNT\system32\nssigidw.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\RCX26.tmp
C:\WINNT\system32\sex1.ico
C:\WINNT\system32\sex1.ico.tmp
C:\WINNT\system32\sex2.ico
C:\WINNT\system32\sex2.ico.tmp
C:\WINNT\system32\sex3.ico
C:\WINNT\system32\sex4.ico
C:\WINNT\system32\sex5.ico
C:\WINNT\system32\wscmp.dll
C:\WINNT\system32\yicwhybr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\acuqb6.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\mrofinu1000106.exe
C:\WINNT\mrofinu572.exe
C:\WINNT\pskt.ini
C:\WINNT\system32\ctpqwaby.ini
C:\WINNT\system32\drivers\svchost.exe
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\RCX26.tmp
C:\WINNT\system32\sex1.ico
C:\WINNT\system32\sex1.ico.tmp
C:\WINNT\system32\sex2.ico
C:\WINNT\system32\sex2.ico.tmp
C:\WINNT\system32\sex3.ico
C:\WINNT\system32\sex4.ico
C:\WINNT\system32\sex5.ico
C:\WINNT\system32\wghexnsu.dll
C:\WINNT\system32\xywhkjyp.dll
C:\WINNT\system32\ybawqptc.dll
C:\WINNT\system32\yicwhybr.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-10 21:43 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-02 18:11 . 2008-03-02 18:11 87,040 --a------ C:\WINNT\e01.exe
2008-02-29 21:54 . 2008-02-29 21:54 167,545 --a------ C:\WINNT\system32\drivers\core.cache.dsk
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-12 06:11 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:49 . 2008-03-10 19:48 23,362 ---hs---- C:\WINNT\system32\ypnedfdp.dllbox
2008-02-26 20:47 . 2008-02-26 20:47 36,864 --a------ C:\WINNT\17PHolmes572.exe
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:41 . 2008-02-26 21:34 376,832 --a------ C:\WINNT\mrofinu572.exe.tmp
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 14:01 --------- d-----w C:\Program Files\iTunes
2008-03-12 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.
Code:
----a-w           420,352 2008-03-12 14:13:13  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]
C:\Program Files\Windows Media Player\rybiv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-10 21:43 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-12 06:13 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-10 21:42 151597]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2008-03-10 21:42 32881]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-03-10 21:42 40960]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-03-10 21:42 77824]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-03-10 21:42 188416]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-10 21:43 267048]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-03-10 21:43 753664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-10 21:43 52840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINNT\\system32\\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-12 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 06:11:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\pmnlm.dll 335360 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2008-03-12 6:22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 14:21:52
ComboFix2.txt 2008-03-12 03:26:02
ComboFix3.txt 2008-02-06 15:31:22
ComboFix4.txt 2008-02-05 17:23:33
ComboFix5.txt 2008-02-05 04:38:31
.
2008-03-12 09:57:53 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:00 AM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 11951 bytes
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

* Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.
* Once the desktop loads, post the text that will open (report.txt)
 
Username "x" - 03/12/2008 19:23:23 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.140 85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0E2AD612-CAFB-4077-A91F-1B670B3DFF66}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{91D11D59-A131-498D-9F0C-D0F5037CBFDD}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Synchronization Manager"="mobsync.exe /logon"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LoadQM"="loadqm.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"EKIJ5000StatusMonitor"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\EKIJ5000MUI.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BM7f8fb1d3"="Rundll32.exe \"C:\\WINNT\\system32\\nwciwigq.dll\",s"
"7cbc824f"="rundll32.exe \"C:\\WINNT\\system32\\jukvwmck.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor .exe"
"SVCHOST.EXE"="C:\\WINNT\\system32\\drivers\\svchost.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
 
Open notepad and copy/paste the text in the codebox below into it:

Code:
RenV::
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

Save this as "CFScript"


CFScript.gif


Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
 
ComboFix 08-03-10.1 - x 2008-03-13 6:16:06.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.55 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\ISStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\dgmnkfdd.dll
C:\WINNT\system32\jukvwmck.dll
C:\WINNT\system32\kcmwvkuj.ini
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\nwciwigq.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-13 05:51 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-02 18:11 . 2008-03-02 18:11 87,040 --a------ C:\WINNT\e01.exe
2008-02-29 21:54 . 2008-02-29 21:54 167,545 --a------ C:\WINNT\system32\drivers\core.cache.dsk
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-13 06:27 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:49 . 2008-03-10 19:48 23,362 ---hs---- C:\WINNT\system32\ypnedfdp.dllbox
2008-02-26 20:47 . 2008-02-26 20:47 36,864 --a------ C:\WINNT\17PHolmes572.exe
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:41 . 2008-02-26 21:34 376,832 --a------ C:\WINNT\mrofinu572.exe.tmp
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 14:23 --------- d-----w C:\Program Files\iTunes
2008-03-13 14:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.
Code:
----a-w           151,597 2008-03-13 13:50:33  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            52,840 2008-03-13 13:50:46  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           267,048 2008-03-13 13:50:41  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            32,881 2008-03-13 13:50:34  C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w           188,416 2008-03-13 13:50:39  C:\Program Files\Logitech\Video\ISStart .exe
----a-w            77,824 2008-03-13 13:50:36  C:\Program Files\Logitech\Video\LogiTray .exe
----a-w            40,960 2008-03-13 13:50:35  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w            15,360 2008-03-13 13:50:48  C:\WINNT\system32\ctfmon .exe
----a-w           753,664 2008-03-13 13:50:44  C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]
C:\Program Files\Windows Media Player\rybiv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-10 21:43 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-13 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 06:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-13 6:32:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-13 14:32:44
ComboFix2.txt 2008-03-12 14:22:00
ComboFix3.txt 2008-03-12 03:26:02
ComboFix4.txt 2008-02-06 15:31:22
ComboFix5.txt 2008-02-05 17:23:33
.
2008-03-13 08:44:50 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:15 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10538 bytes
 
I would like to see a copy of the file/folder in bold.

Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy; it does not delete it.
Please zip the file and upload it here
Or email it here

Please include a link to this thread.



C:\WINNT\system32\jk8
C:\WINNT\system32\hc4
C:\WINNT\system32\fs7
C:\WINNT\system32\ax3
 
Well on with the fix.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINNT\e01.exe 
C:\WINNT\17PHolmes572.exe
C:\WINNT\mrofinu572.exe.tmp
C:\WINNT\mrofinu572.exe
C:\Program Files\Windows Media Player\rybiv.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]


RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\Logitech\Video\ISStart .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
C:\WINNT\system32\ctfmon .exe
C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe

Save this as "CFScript"


CFScript.gif


Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
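As an added example, not code from this thread, from FixWareout or from ComboFix: a Python triage script that applies the indicators the helper is acting on here to HijackThis and ComboFix log lines. It reports O17 NameServer values that are not in an expected-resolver set (the keys FixWareout cleared above), autostart targets with a space before ".exe" (the rename that the RenV:: section of the CFScript reverses), svchost.exe launched from anywhere other than the system32 directory, and Winlogon Notify packages whose DLL is missing; renv_script builds a RenV:: section from a ComboFix file listing. The EXPECTED_RESOLVERS set is an assumption for the example, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for the HijackThis / ComboFix output posted in this thread.

Added example, not FixWareout or ComboFix code. Rules, each tied to a line
visible in the logs above:
  dns-unexpected-nameserver  O17 NameServer value outside EXPECTED_RESOLVERS
  space-before-extension     autostart target named "name .exe" (the rename
                             that the CFScript RenV:: section reverses)
  svchost-outside-system32   svchost.exe run from anywhere but system32
  orphaned-winlogon-notify   O20 Winlogon Notify entry whose DLL is missing
"""
import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTION (example only): resolvers this machine should be using. Put the
# ISP's or router's real addresses here; anything else gets reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
# First executable on an O4 command line, quoted or not; non-greedy so a path
# with spaces (including "Monitor .exe") is kept whole.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)\b', re.IGNORECASE)
# A "name .exe" path at the end of a ComboFix file-listing line.
RENAMED_FILE_RE = re.compile(r"(?P<path>[A-Za-z]:\\\S.*? \.exe)\s*$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def split_nameservers(value):
    # Interface keys list resolvers comma-separated, the global Parameters
    # key space-separated; both forms appear in the O17 lines above.
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def svchost_misplaced(path):
    p = path.lower().replace("/", "\\")
    if not p.endswith("svchost.exe"):
        return False
    # Only <drive>:\<windows dir>\system32\svchost.exe is the real one; a bare
    # "svchost.exe" (found via PATH) or a copy under \drivers\ is not.
    return not re.search(r"^[a-z]:\\[^\\]+\\system32\\svchost\.exe$", p)


def triage(lines, expected=None):
    expected = EXPECTED_RESOLVERS if expected is None else expected
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O17_RE.match(line):
            for ns in split_nameservers(m["value"]):
                try:
                    known = str(ipaddress.ip_address(ns)) in expected
                except ValueError:
                    known = False  # not even an IP address: report it
                if not known:
                    findings.append(Finding("dns-unexpected-nameserver", ns, line))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            path = exe["path"] if exe else m["cmd"]
            if re.search(r"\s\.exe$", path, re.IGNORECASE):
                findings.append(Finding("space-before-extension", path, line))
            if svchost_misplaced(path):
                findings.append(Finding("svchost-outside-system32", path, line))
        elif (m := O20_RE.match(line)) and "(file missing)" in m["dll"]:
            findings.append(Finding("orphaned-winlogon-notify", m["name"], line))
    return findings


def renv_script(listing_lines):
    """Build the RenV:: section of a CFScript from a ComboFix file listing."""
    paths = [m["path"] for m in map(RENAMED_FILE_RE.search, listing_lines) if m]
    return "RenV::\n" + "\n".join(paths) + "\n" if paths else ""


# Sample input: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_HJT = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe",
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe",
    r"""O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')""",
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
    r"O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)",
]
SAMPLE_LISTING = [
    r"----a-w           151,597 2008-03-13 13:50:33  C:\Program Files\Common Files\Real\Update_OB\realsched .exe",
    r"----a-w            15,360 2008-03-13 13:50:48  C:\WINNT\system32\ctfmon .exe",
    r"2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.rule:28} {f.detail}")
    print(renv_script(SAMPLE_LISTING), end="")
```

Run triage() over the whole HijackThis log and renv_script() over the ComboFix listing; on the sample lines the RenV:: output matches the corresponding entries in the CFScript above. The O4 rule only sees the "name .exe" when the Run value itself points at the renamed file (the HKCU OM_Monitor entry); where the value still points at the original path, as with realsched.exe, the renamed copy shows up only in the file listing, which is why both inputs are needed.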
 