Virtumonde keeps coming back

kadoshtx

Hi,
I have AVG and Spybot and they are updated. AVG cleaned off some Trojans and Spybot cleaned off Virtumonde and some tracking cookies. Virtumonde comes back every time I scan. If I regedit and delete this key
HKEY_USERS\S-1-5-21-23361614-3276182822-2560479030-1009\Software\Microsoft\aldd
Spybot does not find Virtumonde, but it always comes back after I reboot. How can I get rid of this pest?

Additional behavior occurs after I open IE (I use Firefox usually). In addition to popups, Spybot finds tracking cookies as follows: Coremetrics, ReliableStats, SystemDoctor2006, WebTrends Live, and Winsoftware.WinAntivirusPro2006. Spybot can of course clean these off, but they always come back. I don't use IE, but I don't like these tracking cookies popping in every time it is opened for the occasional need.

Following is a post of my HijackThis log. Your help is greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:05 AM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\emhpdarn.dll",forkonce
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Application Management AppMgmtNetDDE (AppMgmtNetDDE) - Unknown owner - C:\WINDOWS\system32\6to4svct.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7248 bytes
 
Hi kadoshtx

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)
 
hijackthis.exe renamed to scanner.exe

Done. Here's the new output.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:11 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1133CB71-12E1-4C85-AB38-1257B90878C8} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\uaqhrhdm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - (no file)
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\emhpdarn.dll",forkonce
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll
O20 - Winlogon Notify: qomljjg - qomljjg.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Application Management AppMgmtNetDDE (AppMgmtNetDDE) - Unknown owner - C:\WINDOWS\system32\6to4svct.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7857 bytes
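The renamed-scanner log above shows the full persistence set at once: two unnamed O2 BHOs backed by random-named DLLs in system32, an O4 Run entry that loads another such DLL through rundll32, an O20 Winlogon Notify package (mapped into winlogon.exe at every logon, which is why a key deleted by hand is back after a reboot), plus an orphaned Notify entry and an O23 service whose binary is gone. The following is an added example, not code from this thread, from HijackThis or from VundoFix, that encodes those checks as rules and runs them over lines copied from the second and third logs posted in this thread. The "5 to 8 lowercase letters" DLL-name rule is a heuristic inferred from the names in these logs (awtsr, uaqhrhdm, emhpdarn, qomljjg), not a signature, so a hit still needs a human look.

```python
"""Rule-based triage of a HijackThis 2.x log for Vundo-style persistence.

Added example for this thread; the rules are the checks a helper applies by
eye, and SAMPLE_LOG is copied from the logs posted above (hypothetical subset).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic: Vundo's DLLs on this machine are 5-8 random lowercase letters
# dropped into system32. A legitimate DLL with such a name would also match.
RANDOM_SYS32_DLL = re.compile(r"(?i:C:\\WINDOWS\\system32\\)[a-z]{5,8}\.dll\b")
ANY_RANDOM_DLL = re.compile(r"\b([a-z]{5,8}\.dll)\b")
HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section, e.g. "O2"
    kind: str     # "active" (loads now), "orphan" (key only), "review" (confirm vendor)
    reason: str
    line: str


def classify(section: str, body: str) -> tuple[str, str] | None:
    """Return (kind, reason) for one HijackThis entry, or None if nothing stands out."""
    missing = "(file missing)" in body or "(no file)" in body
    if section == "O2":  # Browser Helper Objects, loaded into IE
        if missing:
            return "orphan", "BHO registration with no backing DLL; fix with HijackThis"
        if "(no name)" in body and RANDOM_SYS32_DLL.search(body):
            return "active", "unnamed BHO backed by a random-named system32 DLL"
    elif section == "O4":  # Run keys and startup folders
        if "rundll32" in body.lower() and RANDOM_SYS32_DLL.search(body):
            return "active", "Run entry loads a random-named system32 DLL through rundll32"
    elif section == "O20":
        if body.startswith("Winlogon Notify:"):
            if missing:
                return "orphan", "Winlogon Notify package whose DLL is gone; fix with HijackThis"
            # A notify package is mapped into winlogon.exe at every logon and
            # survives user-mode cleanup, which is how deleted keys come back.
            return "active", "Winlogon Notify DLL loaded into winlogon.exe at logon"
        if body.startswith("AppInit_DLLs:"):
            return "review", "AppInit_DLLs is injected into every GUI process; confirm the vendor"
    elif section == "O23":  # Services
        if missing:
            return "orphan", "service whose binary is gone; delete the service entry"
    return None


def triage(log_text: str) -> list[Finding]:
    """Run classify() over every O*/R* line of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        hit = classify(section, body)
        if hit:
            findings.append(Finding(section, hit[0], hit[1], raw.strip()))
    return findings


def suspect_dlls(findings: list[Finding]) -> list[str]:
    """Random-named DLL basenames referenced by active or orphan findings.

    The same name recurring across O2/O4/O20 ties the entries to one infection
    and yields the file list a removal tool has to delete.
    """
    names: set[str] = set()
    for f in findings:
        if f.kind in ("active", "orphan"):
            names.update(n.lower() for n in ANY_RANDOM_DLL.findall(f.line))
    return sorted(names)


# Lines copied from the logs in this thread (a subset, chosen to exercise each rule).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1133CB71-12E1-4C85-AB38-1257B90878C8} - C:\WINDOWS\system32\awtsr.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\uaqhrhdm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\emhpdarn.dll",forkonce
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll
O20 - Winlogon Notify: qomljjg - qomljjg.dll (file missing)
O23 - Service: Application Management AppMgmtNetDDE (AppMgmtNetDDE) - Unknown owner - C:\WINDOWS\system32\6to4svct.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind:6}] {f.section}: {f.reason}\n         {f.line}")
    print("DLLs to remove:", ", ".join(suspect_dlls(found)))
```

Run against the sample, the script flags the two unnamed BHOs, the icq.com rundll32 entry and the awtsr Winlogon Notify package as active, the three "(file missing)"/"(no file)" entries as orphans (the same three the helper later has the user fix in HijackThis), and leaves Spybot's SDHelper BHO alone because its path is not in system32. The DLL list it derives (awtsr, emhpdarn, qomljjg, uaqhrhdm) is the set VundoFix goes on to delete, minus qomljjg.dll, which was already gone.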
 
Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
vundofix and hjt logs

Ok, here are the two logs. Just for good measure I ran vundofix again after it rebooted. It did not find anything. I sure am grateful for your help!

VundoFix V6.5.4

Checking Java version...

Scan started at 7:22:36 AM 7/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtsr.dll
C:\windows\system32\emhpdarn.dll
C:\windows\system32\jcwrswup.ini
C:\windows\system32\nradphme.ini
C:\WINDOWS\system32\ofqvaqar.dll
C:\windows\system32\puwsrwcj.dll
C:\WINDOWS\system32\raqavqfo.ini
C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\uaqhrhdm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awtsr.dll Has been deleted!

Attempting to delete C:\windows\system32\emhpdarn.dll
C:\windows\system32\emhpdarn.dll Has been deleted!

Attempting to delete C:\windows\system32\jcwrswup.ini
C:\windows\system32\jcwrswup.ini Has been deleted!

Attempting to delete C:\windows\system32\nradphme.ini
C:\windows\system32\nradphme.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ofqvaqar.dll
C:\WINDOWS\system32\ofqvaqar.dll Has been deleted!

Attempting to delete C:\windows\system32\puwsrwcj.dll
C:\windows\system32\puwsrwcj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\raqavqfo.ini
C:\WINDOWS\system32\raqavqfo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak1
C:\WINDOWS\system32\rstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\uaqhrhdm.dll
C:\WINDOWS\system32\uaqhrhdm.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:42 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63523EE4-96C4-468B-8A8D-D011DB7EA225} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - (no file)
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: qomljjg - qomljjg.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Application Management AppMgmtNetDDE (AppMgmtNetDDE) - Unknown owner - C:\WINDOWS\system32\6to4svct.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7795 bytes
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {63523EE4-96C4-468B-8A8D-D011DB7EA225} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - (no file)
O20 - Winlogon Notify: qomljjg - qomljjg.dll (file missing)


Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
Kaspersky running . . .

Hi,

I removed those three items and Kaspersky is running. I recall seeing in another post that someone's log was 200 pages long and you had them delete some entries from the log to make it shorter. Do you want me to do that before I post the log? If so, what is it that I can delete?

Just for the record, I did run the eTrust webscanner yesterday, but then it did not find anything to fix. This scan looks like it is going to take several hours, so I'll post again later. Thanks again for your help. My computer is running better already!

ktx
 
Hi

"I recall seeing in another post that someone's log was 200 pages long and you had them delete some entires from the log to make it shorter. Do you want me to do that before I post the log? If so, what is it that I can delete?"

If it's too long, you can edit out all lines with "object locked skipped".

"Just for the record, I did run the eTrust webscanner yesterday, but then it did not find anything to fix"

Kaspersky tends to find more malware than eTrust; that's why I asked you to run it :)
 
Kaspersky finished

Ok, I am pasting in the Kaspersky report from the scan. It found quite a few items, but mostly adware. I am also pasting in another HJT log.

*KASPERSKY ONLINE SCANNER REPORT*
Tuesday, July 10, 2007 6:09:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2
(Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/07/2007
Kaspersky Anti-Virus database records: 360525

*Scan Settings*
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer
C:\
D:\
E:\
F:\
L:\
N:\
*Scan Statistics*
Total number of scanned objects 283443
Number of viruses found 17
Number of infected objects 43
Number of suspicious objects 0
Duration of the scan process 04:51:46


*Infected Object Name* *Virus Name* *Last Action*
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped

***Note to Shaba: I emptied the recycle bin, so I assume these RECYCLER entries are gone.
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc6\fast.exe~
Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll
Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll
Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe
Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll
Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll
Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe/PRE
Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe GhostInstaller: infected - 6 skipped
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc8.exe UPX: infected - 6 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036323.exe
Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/keygen.exe
Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/crack.exe
Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/serial.exe
Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/install.exe
Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar
Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe
RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/keygen.exe
Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/crack.exe
Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/serial.exe
Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/install.exe
Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar
Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe
RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036383.sys
Infected: Rootkit.Win32.Agent.gk skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036384.exe
Object is locked skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036396.exe
Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036401.sys
Infected: Rootkit.Win32.Agent.gk skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036402.exe
Object is locked skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036412.dll
Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036417.exe
Object is locked skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036423.exe
Object is locked skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036424.exe
Object is locked skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036425.exe
Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036487.exe
Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP148\A0036542.exe
Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP150\A0036757.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP150\A0036762.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\VundoFix Backups\awtsr.dll.bad Infected:
not-a-virus:AdWare.Win32.Virtumonde.af skipped
C:\VundoFix Backups\puwsrwcj.dll.bad Infected:
not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\WINDOWS\system32\lanmandrv.sys Infected: Rootkit.Win32.Agent.gk skipped
C:\WINDOWS\system32\syswin.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\WINDOWS\system32\syswin6000.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\WINDOWS\system32\yayabab.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
*Scan process completed.*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:47 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Application Management AppMgmtNetDDE (AppMgmtNetDDE) - Unknown owner - C:\WINDOWS\system32\6to4svct.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7161 bytes
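Most of the detections in the scan report above sit in the recycle bin, in System Restore snapshots (C:\System Volume Information\_restore...) and in a removal tool's backup folder; only the entries under C:\WINDOWS\system32 are files the running system can still load. The script below, added here as an example and not part of the original post, triages a report of this shape into live versus dormant detections and groups them by malware family. The single-line "path Infected: verdict skipped" layout and the list of dormant locations are this example's assumptions; the sample lines are copied from the report above.

```python
"""Triage a Kaspersky-style scan report: separate detections that are
still live on the system from copies sitting in inert locations.

Added example, not part of the original forum post.  The sample lines
are copied from the scan report above; the single-line
"<path> Infected: <verdict> skipped" layout and the list of inert
locations are this example's assumptions, not facts the thread states.
"""
import re
from collections import defaultdict

# Constructed sample: a representative subset of the report entries above.
SAMPLE_REPORT = r"""
C:\RECYCLER\S-1-5-21-23361614-3276182822-2560479030-1009\Dc6\fast.exe~ Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036383.sys Infected: Rootkit.Win32.Agent.gk skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036384.exe Object is locked skipped
C:\VundoFix Backups\awtsr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped
C:\WINDOWS\system32\lanmandrv.sys Infected: Rootkit.Win32.Agent.gk skipped
C:\WINDOWS\system32\syswin.exe Infected: Trojan-Downloader.Win32.Alphabet.k skipped
C:\WINDOWS\system32\yayabab.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
"""

# One entry per line: "<path> Infected: <verdict> skipped" or "<path> Object is locked skipped".
# The path may contain spaces, so match it lazily up to the status keyword.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)|(?P<locked>Object is locked)) skipped$"
)

# Nothing executes from these locations on its own: a detection here is a
# leftover copy, not the running infection.  (Assumed classification.)
DORMANT_PREFIXES = (
    "c:\\recycler\\",                   # recycle bin contents
    "c:\\system volume information\\",  # System Restore snapshots
    "c:\\vundofix backups\\",           # quarantine copies made by a removal tool
)


def parse_entries(text):
    """Yield one dict per parsable report line; unknown lines are ignored."""
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        yield {
            "path": path,
            "verdict": m.group("verdict") or "LOCKED",
            "dormant": path.lower().startswith(DORMANT_PREFIXES),
        }


def family_of(verdict):
    """'Trojan-Downloader.Win32.Alphabet.k' -> 'Alphabet'; strips a 'not-a-virus:' prefix."""
    parts = verdict.split(":")[-1].split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]


def triage(text):
    """Return {'active': [paths], 'dormant': [paths], 'families': {family: [paths]}}."""
    result = {"active": [], "dormant": []}
    families = defaultdict(list)
    for e in parse_entries(text):
        result["dormant" if e["dormant"] else "active"].append(e["path"])
        if e["verdict"] != "LOCKED":
            families[family_of(e["verdict"])].append(e["path"])
    result["families"] = {k: sorted(v) for k, v in sorted(families.items())}
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_REPORT)
    print("Still on the live system (clean these first):")
    for p in report["active"]:
        print("  ", p)
    print("Dormant copies (restore points, recycle bin, tool backups):")
    for p in report["dormant"]:
        print("  ", p)
    for fam, paths in report["families"].items():
        print(f"{fam}: {len(paths)} file(s)")
```

Run against the full report, the "active" bucket reduces to the four system32 files (the Rootkit.Win32.Agent.gk driver, the two Alphabet downloaders and the Virtumonde DLL), which is the set worth removing by hand; the restore-point copies only matter if a restore is ever performed.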
 
Hi

* Download GMER from here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
 
GMER results

FYI: When I ran GMER, my AVG popped up saying that it had found lanmandrv, a Trojan . . . . I let AVG "heal" it and then restarted GMER. It still came up with the same list. Here is the first half of the results.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-11 09:00:52
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwQuerySystemInformation

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\System32\lanmandrv.sys The system cannot find the file specified.

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[536] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA9195C2] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA91D5D2] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BADE0404] avg7rsw.sys
 
GMER results - 2nd half

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE6885A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE6885A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE6885A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE6885A] avgtdi.sys
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL [B324ADD0] hcmon.sys
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL [B324ADD0] hcmon.sys
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL [B324B190] hcmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE6885A] avgtdi.sys
Device \Driver\usbhub \Device\0000006f IRP_MJ_PNP [B324A410] hcmon.sys

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BA9195C2] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BA91D5D2] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BADE0404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BADE0404] avg7rsw.sys

---- EOF - GMER 1.0.13 ----
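The telling part of the GMER log above is the System section: lanmandrv.sys has replaced four SSDT entries (ZwEnumerateValueKey, ZwOpenProcess, ZwQueryDirectoryFile, ZwQuerySystemInformation), and in the Kernel code sections GMER reports that it cannot read that same file back from disk. Together those are the classic signature of a kernel rootkit filtering registry, file and process enumeration to hide itself. The script below, added here as an example and neither part of the original post nor GMER's own code, parses those two log sections and turns each hook into the hiding capability it grants. The capability map reflects the standard purpose of filtering each native call; ranking a hooking module whose file is unreadable as the top finding is this example's own heuristic, and the sample lines are copied from the log above.

```python
"""Read a GMER rootkit-scan log and explain what each SSDT hook lets a
kernel module hide.

Added example, not part of the original forum post and not GMER's own
code.  The sample lines are copied from the GMER log above.  The
capability map is the standard meaning of filtering each native call;
ranking a hooking module whose own file GMER cannot read back as the
top finding is this example's own heuristic.
"""
import re
from collections import defaultdict

# Constructed sample: the "System" and "Kernel code sections" blocks from the log above.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\System32\lanmandrv.sys ZwQuerySystemInformation

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\System32\lanmandrv.sys The system cannot find the file specified.
"""

# What a rootkit gains by filtering the results of each hooked native call.
HOOK_CAPABILITY = {
    "ZwQueryDirectoryFile": "hide its files from directory listings",
    "ZwQuerySystemInformation": "hide its processes and loaded drivers",
    "ZwEnumerateValueKey": "hide its registry values (e.g. an autostart entry)",
    "ZwEnumerateKey": "hide its registry subkeys",
    "ZwOpenProcess": "stop other processes (AV, Task Manager) from opening its process",
    "ZwOpenKey": "deny access to its registry keys",
    "ZwTerminateProcess": "refuse termination of its processes",
}

# "SSDT <module path> <ZwFunction>"; the path may contain spaces.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)$")
# "? <module path> <error text>": GMER could not read the loaded module back from disk.
UNREADABLE_RE = re.compile(
    r"^\?\s+(?P<path>.+?\.(?:sys|dll|exe))\s+(?P<error>.+)$", re.IGNORECASE
)


def normalize(path):
    """Map the NT form '\\??\\C:\\...' and the Win32 form 'C:\\...' to one lower-case key."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_gmer(text):
    """Return (hooks, unreadable): module -> [hooked functions], module -> error text."""
    hooks = defaultdict(list)
    unreadable = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[normalize(m.group("module"))].append(m.group("func"))
            continue
        m = UNREADABLE_RE.match(line)
        if m:
            unreadable[normalize(m.group("path"))] = m.group("error")
    return hooks, unreadable


def assess(text):
    """One finding per hooking module, highest score first."""
    hooks, unreadable = parse_gmer(text)
    findings = []
    for module, funcs in hooks.items():
        file_unreadable = module in unreadable
        hooked = sorted(funcs)
        # A module that patches the SSDT and whose file cannot be opened is
        # the classic self-hiding pattern, so it outranks any merely-hooking module.
        findings.append({
            "module": module,
            "hooked": hooked,
            "capabilities": [HOOK_CAPABILITY.get(f, "unknown effect") for f in hooked],
            "file_unreadable": file_unreadable,
            "score": len(funcs) + (10 if file_unreadable else 0),
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in assess(SAMPLE_GMER_LOG):
        flag = "FILE NOT READABLE" if f["file_unreadable"] else "file readable"
        print(f"{f['module']}  [{flag}]  score={f['score']}")
        for func, cap in zip(f["hooked"], f["capabilities"]):
            print(f"    {func:<28} -> {cap}")
```

The AttachedDevice and Device lines in the same log are a different mechanism (filter drivers attached to the NTFS, FAT, TCP/IP and USB stacks) and are what an antivirus real-time scanner or a virtualisation product legitimately does, so this example deliberately scores only SSDT patches; a module that hooks directory, process and registry-value enumeration together and cannot be read back is the one to remove first, which is exactly what the next reply targets.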
 
Hi

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\System32\lanmandrv.sys
Now click Delete

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer and post a fresh gmer log
 
Deleting Lanmandrv.sys

Ok, I went into safe mode, but could not find lanmandrv.sys. I did it twice to double check. There were also no red processes in the services tab, but there was \??\C:\Windows\System32\lanmandrv.sys . . . or something like it. It was not red, but I went ahead and deleted it. lanmandrv.sys is not there in either location after going back into Windows. A new log is posted below.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-11 10:28:40
Windows 5.1.2600 Service Pack 2


---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [01AA7376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2092] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01AA73CC] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA9195C2] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA91D5D2] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BADD4404] avg7rsw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE4885A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE4885A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE4885A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE4885A] avgtdi.sys
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL [B3232DD0] hcmon.sys
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL [B3232DD0] hcmon.sys
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL [B3233190] hcmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE4885A] avgtdi.sys
Device \Driver\usbhub \Device\0000006f IRP_MJ_PNP [B3232410] hcmon.sys
 
Deleting Lanmandrv.sys - post 2

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BA9195C2] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BA91D5D2] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BA91C000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BA91C742] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BA919000] bb-run.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BADD4404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BADD4404] avg7rsw.sys

---- EOF - GMER 1.0.13 ----
 
Hi

That looks better :)

Empty this folder:

C:\VundoFix Backups

Delete these:

C:\WINDOWS\system32\syswin.exe
C:\WINDOWS\system32\syswin6000.exe
C:\WINDOWS\system32\yayabab.dll

Empty Recycle Bin

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report
 
Another Kaspersky and HJT

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 11, 2007 9:14:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/07/2007
Kaspersky Anti-Virus database records: 361172
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
N:\

Scan Statistics:
Total number of scanned objects: 229158
Number of viruses found: 18
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 03:35:32

Infected Object Name / Virus Name / Last Action
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036325.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP147\A0036326.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP150\A0036757.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP150\A0036762.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe/PRE Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe Ghost Installer: infected - 6 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036804.exe UPX: infected - 6 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP151\A0036811.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0012/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0012/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0012/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0012/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0012/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0012 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0013/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe/data0013 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037127.exe Inno: infected - 8 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037128.exe/file36 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037128.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037129.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037138.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037139.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037154.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037162.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037164.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037165.exe/WISE0010.BIN Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037165.exe/WISE0011.BIN/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.Gator.2002 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037165.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Gator.2002 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037165.exe/WISE0012.BIN/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Gator.2001 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037165.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Gator.2001 skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP152\A0037165.exe WiseSFX: infected - 5 skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:05 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Application Management AppMgmtNetDDE (AppMgmtNetDDE) - Unknown owner - C:\WINDOWS\system32\6to4svct.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7472 bytes
 
Hi

That looks good :)

All viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
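The helper's reading of the Kaspersky report above (every detection sits under a System Restore snapshot, so none of it is a running component) is a check that can be automated. The Python below is an added example, not code from the thread or from any scanner vendor: it parses the line format the Kaspersky Online Scanner report uses (`<path> Infected: <name> <action>`, plus `<container>: infected - <n>` summary lines for archives) and splits the detections into restore-point copies and live paths. The sample report lines, file names and detection names are constructed for the example.

```python
"""Triage a Kaspersky Online Scanner report: separate detections that live
only in System Restore snapshots from detections in live paths.

Added example, not part of the forum thread. SAMPLE_REPORT is constructed
to mirror the report format; its paths and detection names are illustrative.
"""
import re
from collections import Counter

# Report lines look like:
#   <path> Infected: <detection name> <action>
#   <path> <container type>: infected - <n> <action>
# Paths may contain spaces, so anchor on the trailing "Infected:" marker.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[\w ]+): infected - (?P<count>\d+) (?P<action>\S+)$")

# Windows XP System Restore keeps its copies under one _restore{GUID} tree
# per volume, with an RPnnn directory per restore point. A detection whose
# on-disk path starts there is a snapshot copy, not a running component.
RESTORE_MARKER = "\\system volume information\\_restore{"

# Constructed sample in the report's format (not a real scan).
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\tools\\killproc.exe Infected: not-a-virus:RiskTool.Win32.Example.a skipped
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP10\\A0000001.dll Infected: not-a-virus:AdWare.Win32.Example.b skipped
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP10\\A0000002.exe/data.rar/setup.exe Infected: Trojan-Downloader.Win32.Example.c skipped
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP10\\A0000002.exe RarSFX: infected - 1 skipped
C:\\WINDOWS\\system32\\example.dll Infected: not-a-virus:AdWare.Win32.Example.b skipped

Scan process completed.
"""


def parse_report(text):
    """Return (detections, container_count). Container summary lines are not
    detections themselves: each nested hit was already reported on its own."""
    hits, containers = [], 0
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            hits.append({"path": m.group("path"), "name": m.group("name"),
                         "action": m.group("action")})
        elif CONTAINER_RE.match(line):
            containers += 1
    return hits, containers


def in_restore_point(path):
    """True when the object, or the archive it is nested in, is a System
    Restore snapshot copy. Archive members are appended after '/' to the
    on-disk path, so only the part before the first '/' is examined."""
    on_disk = path.split("/", 1)[0]
    return RESTORE_MARKER in on_disk.lower()


def triage(text):
    """Split detections into live-path hits (look at these first) and
    restore-point copies (removed by flushing System Restore)."""
    hits, containers = parse_report(text)
    live = [h for h in hits if not in_restore_point(h["path"])]
    archived = [h for h in hits if in_restore_point(h["path"])]
    return {
        "live": live,
        "archived": archived,
        "containers": containers,
        "live_names": Counter(h["name"] for h in live),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['archived'])} detection(s) only in System Restore snapshots")
    print(f"{len(result['live'])} detection(s) in live paths:")
    for h in result["live"]:
        print(f"  {h['name']:45} {h['path']}")
```

Run it as a script, or call `triage()` on the text of a real report. The `live` list is the part worth reading closely; everything in `archived` becomes active again only if that restore point is applied, which is why the helper's next step is to flush System Restore rather than delete the snapshot files by hand.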
 
No Other Problems

Hi,

That is good news. I did not know that those files were inactive. Does that mean that if I had to do a system restore, they would then be loaded and active?

I think that I can get to those files if I boot into Linux (it is a dual boot machine). Would it be good to just delete them? Did I also see that GMER can see the system restore files too? I would like to be rid of them for good.

I am very thankful for your help. Reloading Windows would have taken a long time. I have too many programs I use. :p: Having gone from many windows popping up, and programs closing for no reason, things are much better. Thanks again.

ktx
 
Hi

"Does that mean that if I had to do a system restore, they would then be loaded and active?"

Yes, that would have been possible.

"I think that I can get to those files if I boot into Linux (it is a dual boot machine). Would it be good to just delete them?"

Flushing system restore and creating a fresh restore point will remove those; you will get instructions soon. So don't bother deleting them via Linux :)

Any other issues? :)
 