Hello,
I am trying to get rid of this malware... it's really getting on my nerves.
Following the steps indicated, I am posting the logs of my Kaspersky and HJT scans.
I tried removing the "entry in red" with SB, but after each scan the entry reappeared. Since it takes about 30 minutes to scan and it is only at the end that virtumonde.dll is discovered, I believe there is no point in repeating it. If you believe that I should scan over and over and that the entry will finally disappear like this, I will certainly do it. But for now this is it.
Kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 25, 2008 8:18:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/05/2008
Kaspersky Anti-Virus database records: 800216
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 46785
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 00:48:38
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Aardvark\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\cert8.db Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\history.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\key3.db Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\parent.lock Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\call256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chat512.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatsync\e0\e0c8531cd4bde057.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\chatsync\f6\f6fdd640261dec0b.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\index2.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\user1024.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\user16384.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\user256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\user4096.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Application Data\Skype\_my_skype_username\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Aardvark\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Application Data\Mozilla\Firefox\Profiles\xcwzwima.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\History\History.IE5\MSHist012008052520080526\index.dat Object is locked skipped
C:\Documents and Settings\Aardvark\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aardvark\My Documents\lietze\Flashget_0_98_spywarefrei.exe/WISE0075.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Aardvark\My Documents\lietze\Flashget_0_98_spywarefrei.exe/WISE0076.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Aardvark\My Documents\lietze\Flashget_0_98_spywarefrei.exe/WISE0077.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Aardvark\My Documents\lietze\Flashget_0_98_spywarefrei.exe/WISE0078.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Aardvark\My Documents\lietze\Flashget_0_98_spywarefrei.exe/WISE0079.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Aardvark\My Documents\lietze\Flashget_0_98_spywarefrei.exe WiseSFX: infected - 5 skipped
C:\Documents and Settings\Aardvark\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Aardvark\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Aardvark\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:35 AM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {239C0970-7DAB-4DB8-8BED-121903BB5A59} - C:\WINDOWS\system32\mlJBSKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F2BE998-BB0C-4E29-AC4B-E5820E379950} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {982AE0F8-C33C-4890-8165-229E1F0A4A29} - C:\WINDOWS\system32\efcASjIa.dll (file missing)
O2 - BHO: (no name) - {C108AE59-C97F-4517-8B74-5590BE3C2A82} - C:\WINDOWS\system32\hgGYsSmM.dll
O2 - BHO: (no name) - {C650DC35-9423-4F0D-B53F-C33A8C41C72C} - C:\WINDOWS\system32\qoMeBULe.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [64105090] rundll32.exe "C:\WINDOWS\system32\oufqvnji.dll",b
O4 - HKLM\..\Run: [BM6723630c] Rundll32.exe "C:\WINDOWS\system32\iicxsjej.dll",s
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hgGYsSmM - C:\WINDOWS\SYSTEM32\hgGYsSmM.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 7180 bytes
Thanks a lot for your time and help, I really appreciate it.
chris
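An added triage example for the HJT log above (it is not code from the original post, nor from HijackThis, Spybot, Kaspersky or any other tool named there): a Python script that reads HJT lines and lists the entries a removal helper would look at first. The heuristics it applies are assumptions chosen for this example, not a signature for any particular malware family. The sample lines are copied from the posted log, with benign entries kept in so the checks can be seen not firing on them.

```python
"""Triage of a HijackThis (HJT) v2 log.

Added example for this thread; not code from the original post or from any
tool named in it.  The heuristics are assumptions chosen for the example:

  * O2 BHO entries with "(no name)" whose DLL is gone ("(file missing)" or
    "(no file)") are orphaned registrations;
  * O2 BHO entries with "(no name)" that load a DLL from system32 deserve a
    look, since legitimate BHOs normally carry a class name and live under
    Program Files;
  * O4 Run entries that use rundll32 to load a system32 DLL under a value
    name that looks like a run of hex digits;
  * every O20 Winlogon Notify entry HJT prints (it hides the stock ones);
  * any DLL name that turns up in more than one section at once.
"""
import re
from collections import defaultdict

# Lines copied from the HJT log posted above.  Benign entries are kept in so
# that the heuristics can be seen not firing on them.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {239C0970-7DAB-4DB8-8BED-121903BB5A59} - C:\WINDOWS\system32\mlJBSKBT.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F2BE998-BB0C-4E29-AC4B-E5820E379950} - (no file)
O2 - BHO: (no name) - {C108AE59-C97F-4517-8B74-5590BE3C2A82} - C:\WINDOWS\system32\hgGYsSmM.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [64105090] rundll32.exe "C:\WINDOWS\system32\oufqvnji.dll",b
O4 - HKLM\..\Run: [BM6723630c] Rundll32.exe "C:\WINDOWS\system32\iicxsjej.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: hgGYsSmM - C:\WINDOWS\SYSTEM32\hgGYsSmM.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Reasons attached to findings (kept as constants so callers can match on them).
ORPHAN_BHO = "unnamed BHO whose DLL is no longer on disk (orphaned registration)"
SYS32_BHO = "unnamed BHO loading a DLL from system32"
RUNDLL_RUN = "rundll32 loading a system32 DLL under a hex-looking Run value"
NOTIFY_PKG = "Winlogon Notify package outside HJT's whitelist (loaded by winlogon.exe)"
MULTI_HOOK = "same DLL registered in sections "

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
DLL_RE = re.compile(r'([^\\"]+\.dll)', re.I)            # base name of a .dll path
SYS32_DLL_RE = re.compile(r'\\system32\\[^\\"]+\.dll', re.I)
HEXISH_RE = re.compile(r"^[A-Za-z]{0,2}[0-9A-Fa-f]{8,}$")  # e.g. 64105090, BM6723630c


def dll_name(text):
    """Base name of the first .dll path in an HJT entry, or None."""
    m = DLL_RE.search(text)
    return m.group(1) if m else None


def triage(log_text):
    """Return [(entry, reason), ...] for the entries worth a closer look."""
    findings = []
    sections_by_dll = defaultdict(set)  # lower-cased dll name -> HJT sections
    for line in log_text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        name = dll_name(body)
        if name:
            sections_by_dll[name.lower()].add(sec)
        if sec == "O2":
            b = O2_RE.match(body)
            if b and b.group("name") == "(no name)":
                path = b.group("path")
                if path == "(no file)" or path.endswith("(file missing)"):
                    findings.append((line, ORPHAN_BHO))
                elif SYS32_DLL_RE.search(path):
                    findings.append((line, SYS32_BHO))
        elif sec == "O4":
            b = O4_RE.match(body)
            if (b and b.group("cmd").lower().startswith("rundll32")
                    and SYS32_DLL_RE.search(b.group("cmd"))
                    and HEXISH_RE.match(b.group("value"))):
                findings.append((line, RUNDLL_RUN))
        elif sec == "O20":
            findings.append((line, NOTIFY_PKG))
    # A DLL hooked in two places (BHO and Winlogon Notify) is the strongest
    # single indicator in the log: it survives the browser being closed.
    for name, secs in sorted(sections_by_dll.items()):
        if len(secs) > 1:
            findings.append((name, MULTI_HOOK + ", ".join(sorted(secs))))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The cross-section check is the one worth keeping even if the other heuristics are tuned away: a DLL listed under O20 is loaded into winlogon.exe at logon and stays mapped for the whole session, so deleting the file from a normal boot generally fails, and a BHO registration pointing at the same file gives it a second way back into the browser. That is one reason a removal attempted from an ordinary session can look successful and then show up again on the next scan.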