Virtumonde needed

[sUBs]

That's very good.

Now please delete your existing copy of ComboFix.exe. Grab a new copy from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then post a fresh log

 

[VegasMMA]

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:57 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {103796FE-B525-4A2B-91C1-47B83FD06119} - (no file)
O2 - BHO: (no name) - {1326779e-fe2c-4663-9f8f-83b58d1b3114} - (no file)
O2 - BHO: (no name) - {15A208AD-5521-4756-B44E-081284617A2A} - (no file)
O2 - BHO: (no name) - {20F30CE6-F360-4377-9906-A9E35B8D1B68} - (no file)
O2 - BHO: (no name) - {2397E501-D32B-4A08-89F0-738B22837813} - (no file)
O2 - BHO: (no name) - {4A1BD81D-5A87-49D9-913B-CE84F212189F} - (no file)
O2 - BHO: (no name) - {4B0E6357-5FA1-4B69-BD08-5CCD6548F0D4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {8ADBB5DD-E036-473E-8D4F-E6A4E575FD22} - (no file)
O2 - BHO: (no name) - {8BACA703-FBFD-4612-BFA3-0252DD463194} - (no file)
O2 - BHO: (no name) - {a4c2639c-b394-49b1-97ed-74f49ca784ab} - (no file)
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA8F14D2-0465-4BE3-A973-A43B58BC7FE7} - (no file)
O2 - BHO: (no name) - {C92E32EC-E255-48A4-A85C-3961E49A0AC8} - (no file)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {E6064609-3386-4954-AFC1-AD569B53BC20} - (no file)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [8c51bc18] rundll32.exe "C:\WINDOWS\system32\nnoylpuc.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: qcetuggw - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

--
End of file - 12626 bytes

 

[VegasMMA]

Combofix log

ComboFix 08-01-29.2 - Owner 2008-01-28 15:32:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-27 14:15 . 2008-01-27 14:15 <DIR> d-------- C:\Program Files\Sun
2008-01-27 14:15 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-27 13:59 . 2008-01-27 13:59 1,251 --a------ C:\1201471125551-integrated.jnlp
2008-01-27 13:54 . 2008-01-27 13:55 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-01-27 12:11 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-27 12:11 . 2005-07-04 19:06 211 --a------ C:\Boot.bak
2008-01-25 13:16 . 2008-01-25 13:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-25 13:16 . 2008-01-25 13:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 20:38 . 2008-01-21 20:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 20:38 . 2008-01-21 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 09:05 . 2008-01-20 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-19 20:23 . 2008-01-20 20:32 <DIR> d-------- C:\Program Files\RegistryFix
2008-01-18 21:35 . 2008-01-18 21:41 <DIR> d-------- C:\Program Files\Nimbuzz
2008-01-16 22:12 . 2008-01-20 10:44 <DIR> d-------- C:\VundoFix Backups
2008-01-13 19:58 . 2008-01-14 21:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-07 16:52 . 2008-01-07 16:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-07 16:52 . 2008-01-16 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-02 23:21 . 2008-01-06 01:32 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-02 23:21 . 2008-01-06 01:32 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-02 21:55 . 2008-01-02 21:55 497,376 --a------ C:\WINDOWS\p_981116.exe
2008-01-02 21:55 . 2008-01-02 21:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-02 21:55 . 2008-01-02 21:55 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-02 20:00 . 2008-01-02 20:00 0 --a------ C:\Install
2008-01-02 19:55 . 2008-01-02 19:55 <DIR> d-------- C:\Program Files\Neoretix
2008-01-02 19:44 . 2008-01-02 19:52 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-02 18:08 . 2008-01-26 12:44 <DIR> d-------- C:\Program Files\QuickTime
2008-01-02 18:05 . 2008-01-02 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-01 13:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-01 13:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-01 13:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-01 13:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 23:22 --------- d-----w C:\Program Files\iTunes
2008-01-27 22:15 --------- d-----w C:\Program Files\Java
2008-01-27 05:41 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-01-26 11:23 --------- d-----w C:\Program Files\Common Files\Command Software
2008-01-25 19:24 93,040 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-21 23:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-01-20 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 05:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-01-16 17:20 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-08 00:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-03 07:11 --------- d-----w C:\Program Files\Kazaa
2008-01-03 02:05 --------- d-----w C:\Program Files\Apple Software Update
2007-12-18 02:55 --------- d-----w C:\Program Files\Hanes T-ShirtMaker Lite
2007-12-18 02:55 --------- d-----w C:\Program Files\Application
2007-12-06 19:57 --------- d-----w C:\Program Files\Virtual Earth 3D
2007-12-06 19:36 --------- d-----w C:\Program Files\Google
2007-11-29 18:05 --------- d-----w C:\Program Files\Mediafour
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-08-30 05:46 22 ----a-w C:\Program Files\3wPlayer.zip
2007-04-16 22:05 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-04-16 22:05 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-12-28 17:09 25,755,448 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2006-05-08 18:19 9,876 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2004-03-25 03:03 220 --sha-w C:\WINDOWS\dwin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 09:08 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-23 08:27 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-06 01:32 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-24 09:08 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2008-01-24 09:08 86016]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-24 09:08 53248]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2008-01-24 09:08 50688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-24 09:08 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-24 09:08 256576]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2008-01-24 09:08 1197648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HOTLLAMA Update Check.lnk - C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe [2004-12-31 11:45:49 162834]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2004-11-10 07:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 03:27:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 21:46:22 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 15:36:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-29 15:38:36
ComboFix-quarantined-files.txt 2008-01-29 23:38:32
ComboFix2.txt 2008-01-27 17:24:43
ComboFix3.txt 2008-01-27 05:48:30
ComboFix4.txt 2008-01-26 20:55:33
.
2008-01-09 11:05:12 --- E O F ---

 

[sUBs]

Should I delete the following files since I never had my computer back in 2001?

2001-08-30 09:20 991 ----a-r C:\Program Files\14AF136D45A676B5D98749C2E4458213
2001-08-30 09:20 990 ----a-r C:\Program Files\B59FC2EED30704599DCED8A8972A8869
2001-08-30 09:20 989 ----a-r C:\Program Files\957E70B155C8352A9CB447A6709D2871

Did you delete them?

This would fix that red X icon on your drive C.

Open NOTEPAD.exe and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:

Double click on fix.reg & allow it to merge into the registry

 

[sUBs]

Should I delete the following files since I never had my computer back in 2001?

Be careful with these sort of thinking. Just because you do not own this computer before 2001 does not mean files dated 2001 are bad. Many legit programs are written before 2001.

 

[VegasMMA]

I did what you asked and the icon is back to normal.

Thank-you so much!

 

[VegasMMA]

Did you delete them?

Yes I deleted them.

 

[sUBs]

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
      [*]Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
  
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

 

[VegasMMA]

Kapersky scan 1

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 6:02:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/01/2008
Kaspersky Anti-Virus database records: 535069
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 85305
Number of viruses found: 19
Number of infected objects: 130
Number of suspicious objects: 2
Duration of the scan process: 01:17:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\log\FireWall.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\AuthIoPolicy.6CC79B42C91440E081059B470BC3BACD.store Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\MiscData.bst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\R3Vlc3Q=.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13F4B4C78199D4682 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FAA3AE144846B5B Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FB24381D0E1290 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FFB53AB335F631C Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-140803F5C6026752E Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-140A47CF32DB118 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-143DA40363D666E10 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-144765B502DC71FE1 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-144CF652E3A636358 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-ACCB240D1EE312B0 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\{CEFE73D0-6B4A-4870-81A8-360B9398B105} Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\{D2F5620D-8DB3-427d-9356-04AB08B907CB} Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip/lsass.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS.zip/serverwin.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS1.zip/serverlook.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS2.zip/powerserver.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS3.zip/mon16.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS4.zip/hostmon.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS5.zip/agenthost.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner1.zip/spoolsv.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender.zip/trant.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/winhab32.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip/shell.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip/gos169.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip/printer.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip/shell.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip/printer.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip/icxouhee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip/Helper9.dll Infected: Trojan-Downloader.Win32.BHO.cf skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD5C9.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFEFB6.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\stlst\StatListDb.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\stlst\StatListDb.idx Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\2DDA1E22.exe Infected: Backdoor.Win32.DSSdoor.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\3EB01B9A.exe Infected: Backdoor.Win32.DSSdoor.a skipped

 

[VegasMMA]

Kapersky scan 2

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll Infected: not-a-virus:AdWare.Win32.SideStep.f skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\HOSTS.bak Infected: Trojan.Win32.Qhost.f skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\in5bCs.dll Infected: Trojan-Dropper.Win32.Agent.of skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_428.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\ywgqpzd.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.c skipped

Scan process completed.

 

[sUBs]

Did you delete the folder - C:\QooBox ?

There were a ton of infected files there. It's puzzling why Kaspersky didn't detect any from there.


--------



Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13F4B4C78199D4682"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FAA3AE144846B5B"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FB24381D0E1290"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FFB53AB335F631C"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-140803F5C6026752E"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-140A47CF32DB118"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-143DA40363D666E10"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-144765B502DC71FE1"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-144CF652E3A636358"
"C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-ACCB240D1EE312B0"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS2.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS3.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS4.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS5.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip"
"C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll"
"C:\WINDOWS\system32\in5bCs.dll"
"C:\WINDOWS\system32\drivers\etc\HOSTS.bak"
"C:\WINDOWS\ywgqpzd.exe"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says



----------


I noted certain things when reviewing your log. I have a question that bears asking. Do you visit crack sites?

 

[VegasMMA]

I did not delete the folder - C:\QooBox


Message said "Deleted files successfully!!"

What do you mean by crack sites? I visit torent sites if thats what you mean.

 

[sUBs]

Not that I have anything against torrents but some of these sites (or the files you downlaod) are terrible sources of infection. Any idea how you got infected this time round? When was the previous time you got infected?

 

[VegasMMA]

It happened around end of December to he beginning of January. I went to click on the download button (I don't remember the website) and I saw a MS-DOS looking black box open and then I started getting pop-up web pages and I ran Spybot and it said I had a vitumonde infection.

 

[sUBs]

It's nearing the end of January. You have been infected for close to a month. The damage toll has been heavy. Some programs may need to be reinstalled. If you do online transactions, I will suggest that passwords be changed now. If this computer contains important personal data, I'ld suggest a regime of frequent backups. You never know when the next infection will come along & cause you to lose everything.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

1. Uninstall ComboFix ... do not skip this step
   This process will perform some post cleanup measures.
   Do this by going to to Start > Run & typing in ComboFix /u
   
   
2. ANTIVIRUS SOFTWARE
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
3. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here ? http://www.bleepingcomputer.com/forums/tutorial60.html
   
   
   
4. Microsoft Windows Update ? http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
5. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

 

[VegasMMA]

Thank-you so much for all of your help. It looks like I'll be changing all my passwords :red:

I appeciate the time that all of you spend helping others.