Virus Trouble

ludi4burnley · Apr 13, 2007

"User" - 07-04-13 16:00:54 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\User\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))))))))))))))))

2007-04-01 12:19 <DIR> d----c--- C:\avenger
2007-03-31 19:23 <DIR> d----c--- C:\!KillBox
2007-03-30 18:16 2,874 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 18:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-30 18:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-30 18:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-30 18:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-30 18:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-30 18:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-30 16:54 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-26 20:04 <DIR> d-------- C:\VundoFix Backups
2007-03-22 17:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-26 18:51 -------- d-------- C:\Program Files\windows live toolbar
2007-03-26 18:49 -------- d-------- C:\Program Files\yahoo!
2007-03-26 18:48 -------- d-------- C:\Program Files\msn messenger
2007-03-26 18:48 -------- d-------- C:\Program Files\motherboard monitor 5
2007-03-22 19:21 -------- d-------- C:\Program Files\norton internet security
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-03 16:33 -------- d-------- C:\Program Files\java
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-24 18:47 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7D064D71-DD76-4596-90C0-921766AD560A}"=""
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-13 16:04:26
C:\ComboFix2.txt ... 07-04-13 10:02
C:\ComboFix3.txt ... 07-04-12 11:34

ludi4burnley · Apr 13, 2007

here is vundofix report, nothing found:

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:04:44 26/03/2007

Listing files found while scanning....

Beginning removal...

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:09:40 26/03/2007

Listing files found while scanning....

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:18:00 26/03/2007

Listing files found while scanning....

Beginning removal...

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:18:43 26/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\xneufrpi.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\ilkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilkkj.ini
C:\WINDOWS\system32\ilkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xneufrpi.dll
C:\WINDOWS\system32\xneufrpi.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkkli.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:58:57 26/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\ilnpo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\opnli.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 16:23:51 31/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyawvv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtuvvv.dll
C:\WINDOWS\system32\awtuvvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxwutq.dll
C:\WINDOWS\system32\byxwutq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxxyya.dll
C:\WINDOWS\system32\byxxyya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxywxx.dll
C:\WINDOWS\system32\byxywxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxxwxv.dll
C:\WINDOWS\system32\cbxxwxv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccabyx.dll
C:\WINDOWS\system32\fccabyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccbbax.dll
C:\WINDOWS\system32\fccbbax.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccccda.dll
C:\WINDOWS\system32\fccccda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebay.dll
C:\WINDOWS\system32\gebay.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebbbbx.dll
C:\WINDOWS\system32\gebbbbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebbyvv.dll
C:\WINDOWS\system32\gebbyvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxw.dll
C:\WINDOWS\system32\gebxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hgghghh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifcyaa.dll
C:\WINDOWS\system32\iifcyaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdaab.dll
C:\WINDOWS\system32\iifdaab.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkkjgh.dll
C:\WINDOWS\system32\jkkkjgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhihg.dll
C:\WINDOWS\system32\ljjhihg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnkigh.dll
C:\WINDOWS\system32\nnnkigh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnlihf.dll
C:\WINDOWS\system32\nnnlihf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnopnk.dll
C:\WINDOWS\system32\nnnopnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnoonk.dll
C:\WINDOWS\system32\opnoonk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlife.dll
C:\WINDOWS\system32\pmnlife.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnnnm.dll
C:\WINDOWS\system32\pmnnnnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnnnm.dll
C:\WINDOWS\system32\qomnnnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrqqpo.dll
C:\WINDOWS\system32\rqrqqpo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrpol.dll
C:\WINDOWS\system32\rqrrpol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqomjk.dll
C:\WINDOWS\system32\ssqomjk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqon.dll
C:\WINDOWS\system32\ssqon.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqppm.dll
C:\WINDOWS\system32\ssqqppm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrsss.dll
C:\WINDOWS\system32\ssqrsss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tusrq.dll
C:\WINDOWS\system32\tusrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutqom.dll
C:\WINDOWS\system32\vtutqom.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuursq.dll
C:\WINDOWS\system32\vtuursq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvurstu.dll
C:\WINDOWS\system32\wvurstu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvussqr.dll
C:\WINDOWS\system32\wvussqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvwxw.dll
C:\WINDOWS\system32\wvwxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxbeg.ini
C:\WINDOWS\system32\wxbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxwvw.bak1
C:\WINDOWS\system32\wxwvw.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxwvw.bak2
C:\WINDOWS\system32\wxwvw.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxwvw.ini
C:\WINDOWS\system32\wxwvw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxwvw.ini2
C:\WINDOWS\system32\wxwvw.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxwvw.tmp
C:\WINDOWS\system32\wxwvw.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyabbb.dll
C:\WINDOWS\system32\xxyabbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyawvv.dll
C:\WINDOWS\system32\xxyawvv.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 17:30:50 31/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\pmnkhif.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdccf.ini2
C:\WINDOWS\system32\cdccf.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdccf.tmp
C:\WINDOWS\system32\cdccf.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccdc.dll
C:\WINDOWS\system32\fccdc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnkhif.dll
C:\WINDOWS\system32\pmnkhif.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 17:52:47 31/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\oppol.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxxutt.dll
C:\WINDOWS\system32\cbxxutt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\loppo.bak1
C:\WINDOWS\system32\loppo.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\loppo.ini
C:\WINDOWS\system32\loppo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oppol.dll
C:\WINDOWS\system32\oppol.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 11:38:15 12/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\gihkj.bak1
C:\WINDOWS\system32\gihkj.ini
C:\WINDOWS\system32\hfssedic.dll
C:\WINDOWS\system32\jkhig.dll
C:\WINDOWS\system32\nwpusfew.dll
C:\WINDOWS\system32\sdhntdti.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gihkj.bak1
C:\WINDOWS\system32\gihkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gihkj.ini
C:\WINDOWS\system32\gihkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hfssedic.dll
C:\WINDOWS\system32\hfssedic.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhig.dll
C:\WINDOWS\system32\jkhig.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nwpusfew.dll
C:\WINDOWS\system32\nwpusfew.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sdhntdti.dll
C:\WINDOWS\system32\sdhntdti.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 16:42:14 12/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\gagjmhsa.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gagjmhsa.dll
C:\WINDOWS\system32\gagjmhsa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmm.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 10:05:27 13/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\orqru.ini2
C:\WINDOWS\system32\orqru.tmp
C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\wdrrxwal.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\orqru.bak1
C:\WINDOWS\system32\orqru.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqru.ini2
C:\WINDOWS\system32\orqru.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\orqru.tmp
C:\WINDOWS\system32\orqru.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqro.dll
C:\WINDOWS\system32\urqro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wdrrxwal.dll
C:\WINDOWS\system32\wdrrxwal.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 16:04:45 13/04/2007

Listing files found while scanning....

No infected files were found.

the jjj.exe application is still visible on the desktop, should it still be there and does it mean that msn messenger will still be messed up?

Shaba · Apr 13, 2007

Hi

Yes, it looks very good

Delete jjj.exe from desktop.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav:

Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing to internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner.

Now lets do the settings:

Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.

This scan might take around 3+ hours to finish when set to scan everything.

Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).

Reboot into normal Windows and post the results here along with a fresh HijackThis log.

ludi4burnley · Apr 15, 2007

sorry, but someone restarted the computer without realising, but i do know there were 87 viruses, here is hjt log though:

Logfile of HijackThis v1.99.1
Scan saved at 18:00:24, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\HJT.exe

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Shaba · Apr 15, 2007

Hi

Well let's then run online scanner:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report

ludi4burnley · Apr 15, 2007

here is virus scan log:
Sunday, April 15, 2007 7:07:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 15/04/2007
Kaspersky Anti-Virus database records: 297622

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\

Scan Statistics
Total number of scanned objects 39043
Number of viruses found 10
Number of infected objects 147
Number of suspicious objects 0
Duration of the scan process 00:44:51

Infected Object Name Virus Name Last Action
C:\avenger\backup.zip/avenger/x.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\avenger\backup.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-04-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\802696F3.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\User\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\User\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\~DFD6CA.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\~DFD72C.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\MSN Messenger\MsnMsgr.Exe.mwt Infected: Backdoor.Win32.MSNMaker.ag skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031957.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031958.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031994.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0031999.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0032038.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034054.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034056.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034060.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034062.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034066.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034067.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034079.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034080.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034088.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034106.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP108\A0034107.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034115.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034136.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034149.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

ludi4burnley · Apr 15, 2007

part 2:
C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034159.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034164.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034165.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034166.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034185.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034192.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034201.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0034205.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035206.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035209.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035213.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035222.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035280.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035286.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035294.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035349.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035351.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035352.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035354.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035355.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035357.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035358.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035359.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035390.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035395.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035405.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035417.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035435.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035475.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035487.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035488.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035494.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035499.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035500.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035501.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035503.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035504.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035505.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035506.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035508.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035509.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP109\A0035510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035592.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035593.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035594.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035595.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035596.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035597.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035599.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035600.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035601.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035602.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035639.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0035650.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037672.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037673.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037674.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0037696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038674.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038676.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038677.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038681.dll.mwt Infected: Packed.Win32.Klone.j skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038682.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038684.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038686.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038687.dll Infected: Trojan.Win32.BHO.g skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038688.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038689.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ic skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038690.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038697.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP110\A0038698.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038764.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038793.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038795.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP111\A0038837.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP112\A0038851.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP112\A0038936.exe Infected: IM-Worm.Win32.Agent.a skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP112\A0038937.exe.mwt Infected: Backdoor.Win32.MSNMaker.ag skipped

C:\System Volume Information\_restore{5A0B87CE-97FD-4627-ACB7-D509238DC9F4}\RP113\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{59574EF2-D775-4511-8F48-61F4E91E007A}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\DOCUME~1\user\in.exe Infected: Trojan-Downloader.Win32.Agent.bca skipped

Scan process completed.

ludi4burnley · Apr 15, 2007

here is hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 19:11:08, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\User\Desktop\HJT.exe

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Shaba · Apr 15, 2007

Hi

Empty this folder:

C:\_OTMoveIt\MovedFiles

Delete this:

C:\avenger\backup.zip

Rest of viruses are in system restore and can be easily cleaned afterwards.

How are things running now?

ludi4burnley · Apr 15, 2007

how do i get rid of rest of viruses then, do a system restore?? is that all? thanks for all your help!!! :bigthumb:

Shaba · Apr 16, 2007

Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Go here and download and install JRE 6.0u1. Click the link that says Java Runtime Environment (JRE) 6u1. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-6u1-windows-i586-p.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 11.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for - Spybot S & D and Ad-aware
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

Shaba · Apr 18, 2007

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Virus Trouble

ludi4burnley

New member

ludi4burnley

New member

Shaba

Security Expert: Emeritus

ludi4burnley

New member

Shaba

Security Expert: Emeritus

ludi4burnley

New member

ludi4burnley

New member

ludi4burnley

New member

Shaba

Security Expert: Emeritus

ludi4burnley

New member

Shaba

Security Expert: Emeritus

Shaba

Security Expert: Emeritus