Vitumonde

Had this for a while now and it's more of an annoyance than a problem. Anyway, from the procedure...

1) Kaspersky Online Scanner did not work with Opera, so I tried using IE like it said, but then it couldn't load the webpage, so I redownloaded IE and ran it again. The webpage loaded, but the "accept" button wouldn't work even after setting all options in the security menu to "prompt" and clicking "yes" to allow ActiveX controls from the webpage. If I'm doing something wrong, tell me and I'll fix it.

2) & 3) Running Spybot-S&D while in safe mode (this also happens in normal startup), well, it gets about 1/2 way through, then comes up with a "failed to load xxxx_xx.dll" for every entry that it didn't get to remove, then displays "error - out of RAM". I had 1GB of my 1.5GB left at the time and Spybot was only using 130ish MB.

4) HJT - the thing that actually worked

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:04 p.m., on 4/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\byxyvut.dll (file missing)
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - C:\WINDOWS\system32\ijctcdso.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyvut - byxyvut.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7242 bytes

Cheers!
 
Hello
Welcome to Safer Networking.

Please read Before You Post
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You're infected with the Vundo Trojan.


1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


====================================================

Open HijackThis to Scan Only, close all open windows including this one, place a checkmark in the following entries and click on Fix Checked.

O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\byxyvut.dll (file missing)
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - C:\WINDOWS\system32\ijctcdso.dll
O20 - Winlogon Notify: byxyvut - byxyvut.dll (file missing)



=============================================

Download VundoFix to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


=================================================

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


===============================================

The thieves that have written Vundo have written it to evade a HJT scan, so we need to rename it.
This is important, do this before you post a HJT log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (looks like a man with a spyglass) and rename it to Safer.exe


I need to see the Vundo log, the Combofix log and a new HJT log renamed please
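The entries the helper ticks above follow a simple rule: every O2 BHO that reports "(no name)" or is named only by a bare GUID, plus the orphaned O20 Winlogon Notify handler whose DLL is gone; named, legitimate BHOs (Adobe, Spybot, the MSN toolbar) stay even when their file is missing. The script below is an added example written for this thread, not part of the forum post or of HijackThis; it parses a few HijackThis v2-format lines (a constructed sample built from the entry types shown in the thread), applies that rule, and compares a "before" and "after" log by CLSID so a reader can see which flagged entries were removed and which new ones appeared. The function names and the selection rule are this example's own assumptions.

```python
import re

# Constructed sample: a handful of lines in HijackThis v2 log format, built from the
# entry types that appear in this thread. Not a complete log.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - C:\WINDOWS\system32\jkhfd.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyvut - byxyvut.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Constructed "after" sample: the same machine once the flagged entries were fixed.
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {BE4E0AAE-947C-4C6D-A58C-11531F18F615} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# "O2 - BHO: <name> - {CLSID} - <path>"; the name is matched non-greedily so a
# GUID-shaped name does not swallow the CLSID field.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
# "O20 - Winlogon Notify: <key> - <dll> [(file missing)]"
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>[^ ]+) - (?P<path>.*)$")


def parse_entry(line):
    """Return a dict for an O2 BHO or O20 Winlogon Notify line, or None for other lines."""
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "line": line, "name": m.group("name"),
                "id": m.group("clsid").lower(), "path": m.group("path")}
    m = O20_NOTIFY_RE.match(line)
    if m:
        return {"kind": "O20", "line": line, "name": m.group("key"),
                "id": m.group("key").lower(), "path": m.group("path")}
    return None


def suspicion_reason(entry):
    """Reason string if the entry matches the selection rule used in the thread, else None."""
    if entry["kind"] == "O2":
        if entry["name"] == "(no name)":
            return "anonymous BHO"
        if GUID_RE.match(entry["name"]):
            return "BHO named by a bare GUID"
        return None
    # O20 Winlogon Notify whose DLL is gone: an orphaned handler left by the infection.
    if entry["path"].endswith("(file missing)"):
        return "orphaned Winlogon Notify handler"
    return None


def triage(log_text):
    """Return [(line, reason)] for each entry that would be ticked for 'Fix checked'."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw.strip())
        if entry is None:
            continue
        reason = suspicion_reason(entry)
        if reason:
            findings.append((entry["line"], reason))
    return findings


def _all_ids(log_text):
    entries = (parse_entry(l.strip()) for l in log_text.splitlines())
    return {e["id"] for e in entries if e}


def resolved_between(before_text, after_text):
    """Flagged identifiers from the old log that no longer appear anywhere in the new one."""
    before_ids = {parse_entry(line)["id"] for line, _ in triage(before_text)}
    return sorted(before_ids - _all_ids(after_text))


def newly_flagged(before_text, after_text):
    """Flagged identifiers in the new log that were absent from the old one (re-infection sign)."""
    after_ids = {parse_entry(line)["id"] for line, _ in triage(after_text)}
    return sorted(after_ids - _all_ids(before_text))


if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE):
        print(f"[{reason}] {line}")
    print("resolved:", resolved_between(LOG_BEFORE, LOG_AFTER))
    print("new:", newly_flagged(LOG_BEFORE, LOG_AFTER))
```

Comparing by CLSID rather than by DLL name is deliberate: Vundo re-registers its DLLs under fresh CLSIDs, so the "after" sample shows jkhfd.dll reappearing under a new identifier, which `newly_flagged` reports even though the old CLSID for that file counts as resolved.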
 
Vundofix, combofix and new HJT log

alrighty then, here are the logs:

HJT (renamed safer):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:58 p.m., on 5/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {BE4E0AAE-947C-4C6D-A58C-11531F18F615} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4814 bytes

================================

Note that in the HJT log there was no entry for:

O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll

that was in the original log, so I'm going to assume that's a good thing. Also, there were 3 more entries that weren't in the old log but which I had told TeaTimer to block; they must've come back when I had to disable TeaTimer. They were
O2 - BHO: (no name) - {BE4EO... (I didn't record beyond there)
O2 - BHO: (no name) - {C4D3D...
O2 - BHO: {cleqf355... ...eayswvhm.dll

I told HJT to fix these also

Cheers!
 
logs continued

VundoFix V6.7.7

Checking Java version...

Scan started at 2:27:03 p.m. 5/01/2008

Listing files found while scanning....

C:\WINDOWS\system32\aaknmvjq.dll
C:\WINDOWS\system32\adlsnobs.exe
C:\WINDOWS\system32\ahdwqato.dll
C:\WINDOWS\system32\ajonptpu.exe
C:\windows\system32\alhtvotv.exe
C:\WINDOWS\system32\awtsq.dll
C:\windows\system32\awtst.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\axcuflob.ini
C:\WINDOWS\system32\bbsxcuij.dll
C:\windows\system32\becwkcjv.dll
C:\WINDOWS\system32\bolfucxa.dll
C:\WINDOWS\system32\bvdkmxth.dll
C:\WINDOWS\system32\bvqibiym.exe
C:\WINDOWS\system32\chglhuof.exe
C:\windows\system32\cwetqyra.exe
C:\WINDOWS\system32\cxokrsci.exe
C:\WINDOWS\system32\cyphjvsd.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayw.dll
C:\windows\system32\dfhkj.bak1
C:\windows\system32\dfhkj.bak2
C:\windows\system32\dfhkj.ini
C:\windows\system32\dmogiavb.exe
C:\windows\system32\dpqjsxib.exe
C:\windows\system32\dvlqgali.dll
C:\WINDOWS\system32\eayswvhm.dll
C:\WINDOWS\system32\elaxnhma.dll
C:\WINDOWS\system32\eyreuxfn.dll
C:\WINDOWS\system32\fasfeobe.dll
C:\windows\system32\fdjnrltd.exe
C:\WINDOWS\system32\fesbqxie.dll
C:\WINDOWS\system32\fklglesy.dll
C:\WINDOWS\system32\fsfcwhtx.exe
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\geeba.dll
C:\windows\system32\geqqsquo.exe
C:\WINDOWS\system32\gjbgxynq.dll
C:\windows\system32\gjifoxau.exe
C:\WINDOWS\system32\gqvrmqup.exe
C:\windows\system32\gykxqafx.dll
C:\WINDOWS\system32\hdhxgsfp.dll
C:\windows\system32\hfsdbvnc.exe
C:\WINDOWS\system32\hfuoneen.dll
C:\windows\system32\hlmkucft.exe
C:\windows\system32\hquvjuap.exe
C:\windows\system32\hrollkox.dll
C:\windows\system32\igpibhxt.exe
C:\WINDOWS\system32\igufkhxu.dll
C:\windows\system32\jjkmp.bak1
C:\windows\system32\jjkmp.bak2
C:\windows\system32\jjkmp.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkhhhh.dll
C:\WINDOWS\system32\jmjefleo.dll
C:\windows\system32\jrodkada.dll
C:\WINDOWS\system32\jvgprrfc.dll
C:\windows\system32\kacrvcyg.exe
C:\WINDOWS\system32\katvejuw.dll
C:\WINDOWS\system32\kmimrcan.dll
C:\WINDOWS\system32\kqnrxlfd.dll
C:\windows\system32\krxrmntp.exe
C:\WINDOWS\system32\ktukoyuk.dll
C:\windows\system32\lacfywqk.exe
C:\windows\system32\lgwtldka.exe
C:\WINDOWS\system32\lkjjjqwd.dll
C:\windows\system32\lsobirnp.exe
C:\windows\system32\lweibfwf.dll
C:\WINDOWS\system32\lxglswgq.exe
C:\windows\system32\lypgbkip.dll
C:\windows\system32\mecdfdko.exe
C:\windows\system32\mfosuqis.exe
C:\windows\system32\mrykioey.exe
C:\windows\system32\naajkicb.exe
C:\WINDOWS\system32\nnnolji.dll
C:\WINDOWS\system32\nukbqfth.dll
C:\WINDOWS\system32\obwmknxi.dll
C:\WINDOWS\system32\oddwwhvn.exe
C:\windows\system32\oiitldsl.exe
C:\windows\system32\oitqnbnw.dll
C:\windows\system32\ojdoqvdx.exe
C:\windows\system32\olqtxsad.exe
C:\WINDOWS\system32\otaqwdha.ini
C:\windows\system32\ovgvfrss.exe
C:\WINDOWS\system32\pecmhkdc.dll
C:\windows\system32\pflsjqrh.exe
C:\WINDOWS\system32\pjpgaqqp.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnyjecn.dll
C:\windows\system32\prjjbnuj.exe
C:\windows\system32\pvbsrogp.exe
C:\windows\system32\qbyhnxay.exe
C:\windows\system32\qirqllld.exe
C:\WINDOWS\system32\qjvmnkaa.ini
C:\WINDOWS\system32\qkwtvamq.dll
C:\windows\system32\qqstv.bak1
C:\windows\system32\qqstv.bak2
C:\windows\system32\qqstv.ini
C:\windows\system32\qstwa.bak1
C:\windows\system32\qstwa.ini
C:\WINDOWS\system32\qxbgyhrt.dll
C:\windows\system32\rdgoqilo.dll
C:\windows\system32\rhhgbaov.exe
C:\windows\system32\rnekbkav.exe
C:\windows\system32\rtkugord.exe
C:\WINDOWS\system32\rtvwa.bak1
C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rvudfbln.dll
C:\windows\system32\rxqemcmh.dll
C:\WINDOWS\system32\ryyrcatv.dll
C:\WINDOWS\system32\sniifkxi.dll
C:\WINDOWS\system32\sscmyuhb.dll
C:\WINDOWS\system32\ssqrq.dll
C:\windows\system32\stbkhppd.dll
C:\windows\system32\stvwa.bak1
C:\windows\system32\stvwa.ini
C:\WINDOWS\system32\suhuhspi.dll
C:\WINDOWS\system32\svmnyjms.dll
C:\WINDOWS\system32\swjiftdp.dll
C:\windows\system32\tstwa.bak1
C:\windows\system32\tstwa.ini
C:\WINDOWS\system32\ttlavuqh.exe
C:\windows\system32\txdbbppg.dll
C:\WINDOWS\system32\uexeygti.exe
C:\WINDOWS\system32\ufqdiqog.dll
C:\WINDOWS\system32\unfjwvfd.dll
C:\WINDOWS\system32\uoxqpvtf.dll
C:\windows\system32\usqetaxl.exe
C:\windows\system32\vaculevs.dll
C:\WINDOWS\system32\vcowypym.dll
C:\WINDOWS\system32\vgxkbxgg.dll
C:\windows\system32\vieoegty.exe
C:\windows\system32\voumqsqp.dll
C:\WINDOWS\system32\vtsqq.dll
C:\windows\system32\vyxejewr.exe
C:\WINDOWS\system32\wigkbtry.dll
C:\WINDOWS\system32\wqfutprs.exe
C:\windows\system32\wrbcjmtt.exe
C:\WINDOWS\system32\wvuutts.dll
C:\windows\system32\wyilrbiv.exe
C:\windows\system32\xljkllom.exe
C:\windows\system32\xlwfaeiu.exe
C:\WINDOWS\system32\xthmfrms.dll
C:\WINDOWS\system32\yayxwxy.dll
C:\WINDOWS\system32\yjdxymxw.dll
C:\WINDOWS\system32\yjxrodkv.dll
C:\windows\system32\yrdomwof.exe
C:\WINDOWS\system32\ysitxjgt.dll
C:\windows\system32\yyfdfvip.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aaknmvjq.dll
C:\WINDOWS\system32\aaknmvjq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\adlsnobs.exe
C:\WINDOWS\system32\adlsnobs.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ahdwqato.dll
C:\WINDOWS\system32\ahdwqato.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ajonptpu.exe
C:\WINDOWS\system32\ajonptpu.exe Has been deleted!

Attempting to delete C:\windows\system32\alhtvotv.exe
C:\windows\system32\alhtvotv.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\awtsq.dll Has been deleted!

Attempting to delete C:\windows\system32\awtst.dll
C:\windows\system32\awtst.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\axcuflob.ini
C:\WINDOWS\system32\axcuflob.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbsxcuij.dll
C:\WINDOWS\system32\bbsxcuij.dll Has been deleted!

Attempting to delete C:\windows\system32\becwkcjv.dll
C:\windows\system32\becwkcjv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bolfucxa.dll
C:\WINDOWS\system32\bolfucxa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bvdkmxth.dll
C:\WINDOWS\system32\bvdkmxth.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bvqibiym.exe
C:\WINDOWS\system32\bvqibiym.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\chglhuof.exe
C:\WINDOWS\system32\chglhuof.exe Has been deleted!

Attempting to delete C:\windows\system32\cwetqyra.exe
C:\windows\system32\cwetqyra.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cxokrsci.exe
C:\WINDOWS\system32\cxokrsci.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cyphjvsd.dll
C:\WINDOWS\system32\cyphjvsd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\ddayw.dll Has been deleted!

Attempting to delete C:\windows\system32\dfhkj.bak1
C:\windows\system32\dfhkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\dfhkj.bak2
C:\windows\system32\dfhkj.bak2 Has been deleted!

Attempting to delete C:\windows\system32\dfhkj.ini
C:\windows\system32\dfhkj.ini Has been deleted!

Attempting to delete C:\windows\system32\dmogiavb.exe
C:\windows\system32\dmogiavb.exe Has been deleted!

Attempting to delete C:\windows\system32\dpqjsxib.exe
C:\windows\system32\dpqjsxib.exe Has been deleted!

Attempting to delete C:\windows\system32\dvlqgali.dll
C:\windows\system32\dvlqgali.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eayswvhm.dll
C:\WINDOWS\system32\eayswvhm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\elaxnhma.dll
C:\WINDOWS\system32\elaxnhma.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eyreuxfn.dll
C:\WINDOWS\system32\eyreuxfn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fasfeobe.dll
C:\WINDOWS\system32\fasfeobe.dll Has been deleted!

Attempting to delete C:\windows\system32\fdjnrltd.exe
C:\windows\system32\fdjnrltd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fesbqxie.dll
C:\WINDOWS\system32\fesbqxie.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fklglesy.dll
C:\WINDOWS\system32\fklglesy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fsfcwhtx.exe
C:\WINDOWS\system32\fsfcwhtx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeba.dll Has been deleted!

Attempting to delete C:\windows\system32\geqqsquo.exe
C:\windows\system32\geqqsquo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjbgxynq.dll
C:\WINDOWS\system32\gjbgxynq.dll Has been deleted!

Attempting to delete C:\windows\system32\gjifoxau.exe
C:\windows\system32\gjifoxau.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gqvrmqup.exe
C:\WINDOWS\system32\gqvrmqup.exe Has been deleted!

Attempting to delete C:\windows\system32\gykxqafx.dll
C:\windows\system32\gykxqafx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hdhxgsfp.dll
C:\WINDOWS\system32\hdhxgsfp.dll Has been deleted!

Attempting to delete C:\windows\system32\hfsdbvnc.exe
C:\windows\system32\hfsdbvnc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hfuoneen.dll
C:\WINDOWS\system32\hfuoneen.dll Has been deleted!

Attempting to delete C:\windows\system32\hlmkucft.exe
C:\windows\system32\hlmkucft.exe Has been deleted!

Attempting to delete C:\windows\system32\hquvjuap.exe
C:\windows\system32\hquvjuap.exe Has been deleted!

Attempting to delete C:\windows\system32\hrollkox.dll
C:\windows\system32\hrollkox.dll Has been deleted!

Attempting to delete C:\windows\system32\igpibhxt.exe
C:\windows\system32\igpibhxt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\igufkhxu.dll
C:\WINDOWS\system32\igufkhxu.dll Has been deleted!

Attempting to delete C:\windows\system32\jjkmp.bak1
C:\windows\system32\jjkmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\jjkmp.bak2
C:\windows\system32\jjkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\jjkmp.ini
C:\windows\system32\jjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkhfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkhhhh.dll
C:\WINDOWS\system32\jkkhhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jmjefleo.dll
C:\WINDOWS\system32\jmjefleo.dll Has been deleted!

Attempting to delete C:\windows\system32\jrodkada.dll
C:\windows\system32\jrodkada.dll Has been deleted!

Attempting to delete C:\windows\system32\kacrvcyg.exe
C:\windows\system32\kacrvcyg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\katvejuw.dll
C:\WINDOWS\system32\katvejuw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kmimrcan.dll
C:\WINDOWS\system32\kmimrcan.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kqnrxlfd.dll
C:\WINDOWS\system32\kqnrxlfd.dll Has been deleted!

Attempting to delete C:\windows\system32\krxrmntp.exe
C:\windows\system32\krxrmntp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ktukoyuk.dll
C:\WINDOWS\system32\ktukoyuk.dll Has been deleted!

Attempting to delete C:\windows\system32\lacfywqk.exe
C:\windows\system32\lacfywqk.exe Has been deleted!

Attempting to delete C:\windows\system32\lgwtldka.exe
C:\windows\system32\lgwtldka.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\lkjjjqwd.dll
C:\WINDOWS\system32\lkjjjqwd.dll Has been deleted!

Attempting to delete C:\windows\system32\lsobirnp.exe
C:\windows\system32\lsobirnp.exe Has been deleted!

Attempting to delete C:\windows\system32\lweibfwf.dll
C:\windows\system32\lweibfwf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lxglswgq.exe
C:\WINDOWS\system32\lxglswgq.exe Has been deleted!

Attempting to delete C:\windows\system32\lypgbkip.dll
C:\windows\system32\lypgbkip.dll Has been deleted!

Attempting to delete C:\windows\system32\mecdfdko.exe
C:\windows\system32\mecdfdko.exe Has been deleted!

Attempting to delete C:\windows\system32\mfosuqis.exe
C:\windows\system32\mfosuqis.exe Has been deleted!

Attempting to delete C:\windows\system32\mrykioey.exe
C:\windows\system32\mrykioey.exe Has been deleted!

Attempting to delete C:\windows\system32\naajkicb.exe
C:\windows\system32\naajkicb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnolji.dll
C:\WINDOWS\system32\nnnolji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nukbqfth.dll
C:\WINDOWS\system32\nukbqfth.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\obwmknxi.dll
C:\WINDOWS\system32\obwmknxi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oddwwhvn.exe
C:\WINDOWS\system32\oddwwhvn.exe Has been deleted!

Attempting to delete C:\windows\system32\oiitldsl.exe
C:\windows\system32\oiitldsl.exe Has been deleted!

Attempting to delete C:\windows\system32\oitqnbnw.dll
C:\windows\system32\oitqnbnw.dll Has been deleted!

Attempting to delete C:\windows\system32\ojdoqvdx.exe
C:\windows\system32\ojdoqvdx.exe Has been deleted!

Attempting to delete C:\windows\system32\olqtxsad.exe
C:\windows\system32\olqtxsad.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\otaqwdha.ini
C:\WINDOWS\system32\otaqwdha.ini Has been deleted!

Attempting to delete C:\windows\system32\ovgvfrss.exe
C:\windows\system32\ovgvfrss.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pecmhkdc.dll
C:\WINDOWS\system32\pecmhkdc.dll Has been deleted!

Attempting to delete C:\windows\system32\pflsjqrh.exe
C:\windows\system32\pflsjqrh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pjpgaqqp.dll
C:\WINDOWS\system32\pjpgaqqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pmnnn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnyjecn.dll
C:\WINDOWS\system32\pmnyjecn.dll Has been deleted!

Attempting to delete C:\windows\system32\prjjbnuj.exe
C:\windows\system32\prjjbnuj.exe Has been deleted!

Attempting to delete C:\windows\system32\pvbsrogp.exe
C:\windows\system32\pvbsrogp.exe Has been deleted!

Attempting to delete C:\windows\system32\qbyhnxay.exe
C:\windows\system32\qbyhnxay.exe Has been deleted!

Attempting to delete C:\windows\system32\qirqllld.exe
C:\windows\system32\qirqllld.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qjvmnkaa.ini
C:\WINDOWS\system32\qjvmnkaa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qkwtvamq.dll
C:\WINDOWS\system32\qkwtvamq.dll Has been deleted!

Attempting to delete C:\windows\system32\qqstv.bak1
C:\windows\system32\qqstv.bak1 Has been deleted!

Attempting to delete C:\windows\system32\qqstv.bak2
C:\windows\system32\qqstv.bak2 Has been deleted!

Attempting to delete C:\windows\system32\qqstv.ini
C:\windows\system32\qqstv.ini Has been deleted!

Attempting to delete C:\windows\system32\qstwa.bak1
C:\windows\system32\qstwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\qstwa.ini
C:\windows\system32\qstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qxbgyhrt.dll
C:\WINDOWS\system32\qxbgyhrt.dll Has been deleted!

Attempting to delete C:\windows\system32\rdgoqilo.dll
C:\windows\system32\rdgoqilo.dll Has been deleted!

Attempting to delete C:\windows\system32\rhhgbaov.exe
C:\windows\system32\rhhgbaov.exe Has been deleted!

Attempting to delete C:\windows\system32\rnekbkav.exe
C:\windows\system32\rnekbkav.exe Has been deleted!

Attempting to delete C:\windows\system32\rtkugord.exe
C:\windows\system32\rtkugord.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtvwa.bak1
C:\WINDOWS\system32\rtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rvudfbln.dll
C:\WINDOWS\system32\rvudfbln.dll Has been deleted!

Attempting to delete C:\windows\system32\rxqemcmh.dll
C:\windows\system32\rxqemcmh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ryyrcatv.dll
C:\WINDOWS\system32\ryyrcatv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sniifkxi.dll
C:\WINDOWS\system32\sniifkxi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sscmyuhb.dll
C:\WINDOWS\system32\sscmyuhb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.dll Has been deleted!

Attempting to delete C:\windows\system32\stbkhppd.dll
C:\windows\system32\stbkhppd.dll Has been deleted!

Attempting to delete C:\windows\system32\stvwa.bak1
C:\windows\system32\stvwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\stvwa.ini
C:\windows\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\suhuhspi.dll
C:\WINDOWS\system32\suhuhspi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\svmnyjms.dll
C:\WINDOWS\system32\svmnyjms.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\swjiftdp.dll
C:\WINDOWS\system32\swjiftdp.dll Has been deleted!

Attempting to delete C:\windows\system32\tstwa.bak1
C:\windows\system32\tstwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\tstwa.ini
C:\windows\system32\tstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttlavuqh.exe
C:\WINDOWS\system32\ttlavuqh.exe Has been deleted!
 
vundofix log continued + partial combo fix log

Attempting to delete C:\windows\system32\txdbbppg.dll
C:\windows\system32\txdbbppg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uexeygti.exe
C:\WINDOWS\system32\uexeygti.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ufqdiqog.dll
C:\WINDOWS\system32\ufqdiqog.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\unfjwvfd.dll
C:\WINDOWS\system32\unfjwvfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uoxqpvtf.dll
C:\WINDOWS\system32\uoxqpvtf.dll Has been deleted!

Attempting to delete C:\windows\system32\usqetaxl.exe
C:\windows\system32\usqetaxl.exe Has been deleted!

Attempting to delete C:\windows\system32\vaculevs.dll
C:\windows\system32\vaculevs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vcowypym.dll
C:\WINDOWS\system32\vcowypym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vgxkbxgg.dll
C:\WINDOWS\system32\vgxkbxgg.dll Has been deleted!

Attempting to delete C:\windows\system32\vieoegty.exe
C:\windows\system32\vieoegty.exe Has been deleted!

Attempting to delete C:\windows\system32\voumqsqp.dll
C:\windows\system32\voumqsqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Has been deleted!

Attempting to delete C:\windows\system32\vyxejewr.exe
C:\windows\system32\vyxejewr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wigkbtry.dll
C:\WINDOWS\system32\wigkbtry.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wqfutprs.exe
C:\WINDOWS\system32\wqfutprs.exe Has been deleted!

Attempting to delete C:\windows\system32\wrbcjmtt.exe
C:\windows\system32\wrbcjmtt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuutts.dll
C:\WINDOWS\system32\wvuutts.dll Has been deleted!

Attempting to delete C:\windows\system32\wyilrbiv.exe
C:\windows\system32\wyilrbiv.exe Has been deleted!

Attempting to delete C:\windows\system32\xljkllom.exe
C:\windows\system32\xljkllom.exe Has been deleted!

Attempting to delete C:\windows\system32\xlwfaeiu.exe
C:\windows\system32\xlwfaeiu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xthmfrms.dll
C:\WINDOWS\system32\xthmfrms.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayxwxy.dll
C:\WINDOWS\system32\yayxwxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yjdxymxw.dll
C:\WINDOWS\system32\yjdxymxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yjxrodkv.dll
C:\WINDOWS\system32\yjxrodkv.dll Has been deleted!

Attempting to delete C:\windows\system32\yrdomwof.exe
C:\windows\system32\yrdomwof.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ysitxjgt.dll
C:\WINDOWS\system32\ysitxjgt.dll Has been deleted!

Attempting to delete C:\windows\system32\yyfdfvip.exe
C:\windows\system32\yyfdfvip.exe Has been deleted!

Performing Repairs to the registry.
Done!

Combo Fix:

ComboFix 08-01-04.1 - Joel Gibson 2008-01-05 15:16:12.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1153 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\aconti.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\ajnbpxyl.ini
C:\WINDOWS\system32\alpfboli.ini
C:\WINDOWS\system32\anwvsmqn.dll
C:\WINDOWS\system32\aueklimu.ini
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bemmthkf.ini
C:\WINDOWS\system32\bfxuyhhp.dll
C:\WINDOWS\system32\bkwgvrvx.ini
C:\WINDOWS\system32\bpxtejwl.ini
C:\WINDOWS\system32\bwslehht.ini
C:\WINDOWS\system32\ckcrcxex.ini
C:\WINDOWS\system32\cpxeumei.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dewjjlxf.ini
C:\WINDOWS\system32\dgfxsyul.dll
C:\WINDOWS\system32\dlymnmii.ini
C:\WINDOWS\system32\drhvrkpm.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\drtalrao.ini
C:\WINDOWS\system32\fvjfrqkt.dll
C:\WINDOWS\system32\gfytuphc.ini
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\gjfjqmuh.ini
C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\idjvjvif.dll
C:\WINDOWS\system32\ijctcdso.dll
C:\WINDOWS\system32\jewvwjoa.dll
C:\WINDOWS\system32\jleahhwf.dll
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\keotfdcx.dll
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\knnjqgxa.ini
C:\WINDOWS\system32\krayrutd.ini
C:\WINDOWS\system32\kwhpysgt.ini
C:\WINDOWS\system32\lbnlvmom.dll
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\lrogoxwn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msivvjin.ini
C:\WINDOWS\system32\msivvjin.ini2
C:\WINDOWS\system32\nebbhfbx.ini
C:\WINDOWS\system32\njqmckym.ini
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nwhlehed.dll
C:\WINDOWS\system32\nyvoscmh.ini
C:\WINDOWS\system32\oelfejmj.ini
C:\WINDOWS\system32\ohaijijx.ini
C:\WINDOWS\system32\oinstnmd.ini
C:\WINDOWS\system32\onnmdgla.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pdkjbafu.ini
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qfprbbeb.dll
C:\WINDOWS\system32\qpqyfjiq.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qwcrfxcc.ini
C:\WINDOWS\system32\rpldptmn.ini
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rrdmccej.ini
C:\WINDOWS\system32\snqiyyfq.dll
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\tacdowdk.ini
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\ucvidior.dll
C:\WINDOWS\system32\udxbblcm.ini
C:\WINDOWS\system32\vabiekvh.ini
C:\WINDOWS\system32\vegnmtcq.ini
C:\WINDOWS\system32\vonlbupw.ini
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wjldnusv.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wqcuhjxk.ini
C:\WINDOWS\system32\wtvvcmey.ini
C:\WINDOWS\system32\wxogyuck.ini
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\xadrfump.ini
C:\WINDOWS\system32\xdjoyaxv.ini
C:\WINDOWS\system32\xeaalcgi.ini
C:\WINDOWS\system32\xogemuvr.ini
C:\WINDOWS\system32\xvwaovtj.ini
C:\WINDOWS\system32\xxlfdmct.ini
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\ycbeg.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\LEGACY_SFSYNC02
-------\DomainService
-------\NPF
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 15:16 . 2008-01-05 15:16 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 14:27 . 2008-01-05 14:27 <DIR> d-------- C:\VundoFix Backups
2008-01-05 12:45 . 2008-01-05 13:35 354 ---hs---- C:\WINDOWS\system32\pdtfijws.ini
2008-01-04 11:16 . 2008-01-04 14:57 474 ---hs---- C:\WINDOWS\system32\uxhkfugi.ini
2008-01-03 17:35 . 2008-01-04 11:11 354 ---hs---- C:\WINDOWS\system32\pathcuto.ini
2008-01-03 13:15 . 2008-01-03 13:15 294 ---hs---- C:\WINDOWS\system32\ftvpqxou.ini
2008-01-02 13:56 . 2008-01-02 13:57 354 ---hs---- C:\WINDOWS\system32\cdkhmcep.ini
2008-01-02 12:57 . 2008-01-02 12:57 294 ---hs---- C:\WINDOWS\system32\rwchxlwj.ini
2008-01-01 19:31 . 2008-01-01 20:01 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-01 15:01 . 2008-01-01 16:39 414 ---hs---- C:\WINDOWS\system32\smjynmvs.ini
2008-01-01 13:19 . 2008-01-01 13:19 294 ---hs---- C:\WINDOWS\system32\sbspyaht.ini
2007-12-31 12:05 . 2007-12-31 12:13 474 ---hs---- C:\WINDOWS\system32\dsvjhpyc.ini
2007-12-31 11:54 . 2007-12-31 11:54 294 ---hs---- C:\WINDOWS\system32\vugtedko.ini
2007-12-31 00:20 . 2007-12-31 00:20 534 ---hs---- C:\WINDOWS\system32\ggxbkxgv.ini
2007-12-30 23:06 . 2007-12-30 23:14 474 ---hs---- C:\WINDOWS\system32\yrqvrpss.ini
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-30 21:14 . 2007-12-30 21:58 354 ---hs---- C:\WINDOWS\system32\byarxcjr.ini
2007-12-30 16:46 . 2007-12-30 16:47 414 ---hs---- C:\WINDOWS\system32\neenoufh.ini
2007-12-30 12:34 . 2007-12-30 16:39 354 ---hs---- C:\WINDOWS\system32\jeptewdh.ini
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 17:37 . 2007-12-29 18:45 594 ---hs---- C:\WINDOWS\system32\qmavtwkq.ini
2007-12-29 14:10 . 2007-12-29 17:29 474 ---hs---- C:\WINDOWS\system32\clcgywad.ini
2007-12-29 13:18 . 2007-12-29 14:02 354 ---hs---- C:\WINDOWS\system32\kbpyuujh.ini
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 21:36 . 2007-12-28 21:36 294 ---hs---- C:\WINDOWS\system32\kuyokutk.ini
2007-12-28 20:11 . 2007-12-28 20:11 294 ---hs---- C:\WINDOWS\system32\nfxuerye.ini
2007-12-28 13:15 . 2007-12-28 16:35 414 ---hs---- C:\WINDOWS\system32\dflxrnqk.ini
2007-12-28 12:30 . 2007-12-28 12:30 294 ---hs---- C:\WINDOWS\system32\etsgefsd.ini
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-28 11:24 . 2007-12-28 11:24 474 ---hs---- C:\WINDOWS\system32\mypywocv.ini
2007-12-28 11:23 . 2007-12-28 11:23 414 ---hs---- C:\WINDOWS\system32\gicnwgfq.ini
2007-12-27 21:15 . 2007-12-28 11:12 354 ---hs---- C:\WINDOWS\system32\hlagnivr.ini
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-27 09:27 . 2007-12-27 09:27 294 ---hs---- C:\WINDOWS\system32\vkdorxjy.ini
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:34 . 2007-12-26 21:34 294 ---hs---- C:\WINDOWS\system32\nacrmimk.ini
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-26 17:21 . 2007-12-26 17:21 354 ---hs---- C:\WINDOWS\system32\trhygbxq.ini
2007-12-26 15:45 . 2007-12-26 15:45 294 ---hs---- C:\WINDOWS\system32\ymxvygsb.ini
2007-12-26 12:20 . 2007-12-26 12:20 294 ---hs---- C:\WINDOWS\system32\dhuxinya.ini
2007-12-25 21:45 . 2007-12-25 21:46 354 ---hs---- C:\WINDOWS\system32\qnyxgbjg.ini
2007-12-25 14:28 . 2007-12-25 14:28 294 ---hs---- C:\WINDOWS\system32\djdnjtrs.ini
2007-12-25 12:48 . 2007-12-25 14:22 354 ---hs---- C:\WINDOWS\system32\goqidqfu.ini
2007-12-24 23:28 . 2007-12-24 23:28 294 ---hs---- C:\WINDOWS\system32\wxmyxdjy.ini
2007-12-24 21:54 . 2007-12-24 21:54 534 ---hs---- C:\WINDOWS\system32\pqqagpjp.ini
2007-12-23 21:39 . 2007-12-24 21:46 474 ---hs---- C:\WINDOWS\system32\efavoych.ini
2007-12-23 21:14 . 2007-12-23 21:14 294 ---hs---- C:\WINDOWS\system32\dbjhaybs.ini
2007-12-21 16:51 . 2007-12-21 16:52 474 ---hs---- C:\WINDOWS\system32\htxmkdvb.ini
2007-12-21 15:48 . 2007-12-21 15:48 414 ---hs---- C:\WINDOWS\system32\opjfihwl.ini
2007-12-21 14:56 . 2007-12-21 15:40 354 ---hs---- C:\WINDOWS\system32\rkfqwxnk.ini
2007-12-20 14:54 . 2007-12-20 14:54 354 ---hs---- C:\WINDOWS\system32\wujevtak.ini
2007-12-20 13:52 . 2007-12-20 13:52 294 ---hs---- C:\WINDOWS\system32\bsjbwpfa.ini
2007-12-20 10:15 . 2007-12-20 10:15 294 ---hs---- C:\WINDOWS\system32\eboefsaf.ini
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-19 17:52 . 2007-12-19 23:13 294 ---hs---- C:\WINDOWS\system32\smrfmhtx.ini
2007-12-19 11:08 . 2007-12-19 11:08 294 ---hs---- C:\WINDOWS\system32\vtacryyr.ini
2007-12-18 17:50 . 2007-12-18 17:50 294 ---hs---- C:\WINDOWS\system32\pfsgxhdh.ini
2007-12-18 10:49 . 2007-12-18 14:37 294 ---hs---- C:\WINDOWS\system32\yselglkf.ini
2007-12-17 18:31 . 2007-12-17 18:32 114 --a------ C:\WINDOWS\system32\jpirvbvj.dat
2007-12-17 18:28 . 2007-12-17 18:28 294 ---hs---- C:\WINDOWS\system32\nlbfduvr.ini
2007-12-17 08:42 . 2007-12-17 08:42 294 ---hs---- C:\WINDOWS\system32\eixqbsef.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria
2007-12-10 12:49 . 2007-12-10 12:49 354 ---hs---- C:\WINDOWS\system32\yrtbkgiw.ini
2007-12-10 12:28 . 2007-12-10 12:28 294 ---hs---- C:\WINDOWS\system32\xknclkxi.ini
2007-12-08 19:02 . 2007-12-08 19:02 354 ---hs---- C:\WINDOWS\system32\dwqjjjkl.ini
2007-12-08 19:00 . 2007-12-08 19:02 294 ---hs---- C:\WINDOWS\system32\jgyhbqod.ini
2007-12-08 17:14 . 2007-12-08 17:14 294 ---hs---- C:\WINDOWS\system32\ixnkmwbo.ini
2007-12-07 16:00 . 2007-12-07 16:00 294 ---hs---- C:\WINDOWS\system32\mvpvgokd.ini
2007-12-07 01:19 . 2007-12-07 01:19 354 ---hs---- C:\WINDOWS\system32\amhnxale.ini
2007-12-06 22:29 . 2007-12-06 22:29 294 ---hs---- C:\WINDOWS\system32\upfydvsg.ini
2007-12-06 16:37 . 2007-12-06 16:38 354 ---hs---- C:\WINDOWS\system32\dfvwjfnu.ini
2007-12-06 16:15 . 2007-12-06 16:15 294 ---hs---- C:\WINDOWS\system32\jhyuhsgj.ini
2007-12-05 18:31 . 2007-12-05 18:32 294 ---hs---- C:\WINDOWS\system32\ipshuhus.ini
2007-12-05 15:56 . 2007-12-05 16:44 294 ---hs---- C:\WINDOWS\system32\tgjxtisy.ini
 
rest of combofix log... whew!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 03:05 122,432 ----a-w C:\WINDOWS\system32\epgtmelk.dll
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-18 04:22 694,076 --sh--w C:\WINDOWS\system32\sewmrqnq.ini2
2007-09-25 07:28 693,472 --sh--w C:\WINDOWS\system32\csvroaew.ini2
2007-08-18 11:41 88 --sh--r C:\WINDOWS\system32\77052A6FA7.sys
2007-09-24 07:28 693,472 --sh--w C:\WINDOWS\system32\orkxndag.ini2
2007-09-22 06:43 693,601 --sh--w C:\WINDOWS\system32\emaflsao.ini2
2007-09-27 09:52 693,481 --sh--w C:\WINDOWS\system32\fsswttnt.ini2
.
----a-w         5,434,579 2005-01-26 23:28:00  C:\Program Files\STI\SPIRIT_Custom\Media\84fb7ffc-18bf-4c8c-8644-3d20ba784bb8\Programs\SPIRIT 12 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4E0AAE-947C-4C6D-A58C-11531F18F615}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\120512e4]
rundll32.exe C:\WINDOWS\system32\swjiftdp.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 11:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\system32\vwbpbgwi.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]
C:\WINDOWS\system32\winshost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 16:49:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-05 16:50:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 03:50:48
.
2008-01-04 23:28:54 --- E O F ---
 
Llama,

Let me tell you what's going on. A few years ago, if you caught a malware program or a virus, we ran a tool, deleted a few files and you were on your way, BUT THAT'S ALL CHANGED. This garbage is becoming more difficult to remove as each day goes by.

Had this for a while now and is more of an annoyance than a problem.
Actually, you have this reversed: THIS IS A MAJOR PROBLEM. This infection has also infected one of your programs and could be putting this stuff back as we remove it.
C:\Program Files\STI\SPIRIT_Custom <-- This program is infected and you may have to uninstall it when we are done here.

What I need you to do is to delete the current copy of Combofix and download the new Beta Version.
Download it Here
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe


Then do this.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
C:\FOUND.003
C:\WINDOWS\popcinfot.dat
C:\WINDOWS\system32\pdtfijws.ini
C:\WINDOWS\system32\uxhkfugi.ini
C:\WINDOWS\system32\pathcuto.ini
C:\WINDOWS\system32\ftvpqxou.ini
C:\WINDOWS\system32\cdkhmcep.ini
C:\WINDOWS\system32\rwchxlwj.ini
C:\WINDOWS\system32\smjynmvs.ini
C:\WINDOWS\system32\sbspyaht.ini
C:\WINDOWS\system32\dsvjhpyc.ini
C:\WINDOWS\system32\vugtedko.ini
C:\WINDOWS\system32\ggxbkxgv.ini
C:\WINDOWS\system32\yrqvrpss.ini
C:\WINDOWS\system32\byarxcjr.ini
C:\WINDOWS\system32\neenoufh.ini
C:\WINDOWS\system32\jeptewdh.ini
C:\WINDOWS\system32\qmavtwkq.ini
C:\WINDOWS\system32\clcgywad.ini
C:\WINDOWS\system32\kbpyuujh.ini
C:\WINDOWS\system32\kuyokutk.ini
C:\WINDOWS\system32\nfxuerye.ini
C:\WINDOWS\system32\dflxrnqk.ini
C:\WINDOWS\system32\etsgefsd.ini
C:\WINDOWS\system32\mypywocv.ini
C:\WINDOWS\system32\gicnwgfq.ini
C:\WINDOWS\system32\hlagnivr.ini
C:\WINDOWS\system32\vkdorxjy.ini
C:\WINDOWS\system32\nacrmimk.ini
C:\WINDOWS\system32\trhygbxq.ini
C:\WINDOWS\system32\ymxvygsb.ini
C:\WINDOWS\system32\dhuxinya.ini
C:\WINDOWS\system32\qnyxgbjg.ini
C:\WINDOWS\system32\djdnjtrs.ini
C:\WINDOWS\system32\goqidqfu.ini
C:\WINDOWS\system32\wxmyxdjy.ini
C:\WINDOWS\system32\pqqagpjp.ini
C:\WINDOWS\system32\efavoych.ini
C:\WINDOWS\system32\dbjhaybs.ini
C:\WINDOWS\system32\htxmkdvb.ini
C:\WINDOWS\system32\opjfihwl.ini
C:\WINDOWS\system32\rkfqwxnk.ini
C:\WINDOWS\system32\wujevtak.ini
C:\WINDOWS\system32\bsjbwpfa.ini
C:\WINDOWS\system32\eboefsaf.ini
C:\WINDOWS\system32\smrfmhtx.ini
C:\WINDOWS\system32\vtacryyr.ini
C:\WINDOWS\system32\pfsgxhdh.ini
C:\WINDOWS\system32\yselglkf.ini
C:\WINDOWS\system32\jpirvbvj.dat
C:\WINDOWS\system32\nlbfduvr.ini
C:\WINDOWS\system32\eixqbsef.ini
C:\WINDOWS\system32\yrtbkgiw.ini
C:\WINDOWS\system32\xknclkxi.ini
C:\WINDOWS\system32\dwqjjjkl.ini
C:\WINDOWS\system32\jgyhbqod.ini
C:\WINDOWS\system32\ixnkmwbo.ini
C:\WINDOWS\system32\mvpvgokd.ini
C:\WINDOWS\system32\amhnxale.ini
C:\WINDOWS\system32\upfydvsg.ini
C:\WINDOWS\system32\dfvwjfnu.ini
C:\WINDOWS\system32\jhyuhsgj.ini
C:\WINDOWS\system32\ipshuhus.ini
C:\WINDOWS\system32\tgjxtisy.ini
C:\WINDOWS\system32\epgtmelk.dll
C:\WINDOWS\system32\sewmrqnq.ini2
C:\WINDOWS\system32\csvroaew.ini2
C:\WINDOWS\system32\77052A6FA7.sys
C:\WINDOWS\system32\orkxndag.ini2
C:\WINDOWS\system32\emaflsao.ini2
C:\WINDOWS\system32\fsswttnt.ini2
C:\WINDOWS\system32\vwbpbgwi.dll
C:\WINDOWS\system32\winshost.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4E0AAE-947C-4C6D-A58C-11531F18F615}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\120512e4]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]

RenV::
----a-w 5,434,579 2005-01-26 23:28:00 C:\Program Files\STI\SPIRIT_Custom\Media\84fb7ffc-18bf-4c8c-8644-3d20ba784bb8\Programs\SPIRIT 12 .exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Then I need you to run this online scanner.

ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the :\Program Files\EsetOnlineScanner\log.txt back here.



Let me see the new ComboFix log, the ESET log and a new HJT log, please.
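Before a hand-built CFScript like the one above is dragged onto ComboFix.exe, it pays to parse it and sanity-check every entry: a header with a leading space is silently ignored (exactly what the reply warns about), and a mistyped path in File:: could name a file Windows needs to boot. The following is an added example written for this page, not code from the thread or from ComboFix; it assumes only the four section headers shown (File::, Folder::, Registry::, RenV::), works on a trimmed, constructed copy of the script, and the protected-file deny-list and the random-name heuristic are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the script in the post above, with
# the same four ComboFix section headers.
SAMPLE_CFSCRIPT = """File::
C:\\FOUND.003
C:\\WINDOWS\\popcinfot.dat
C:\\WINDOWS\\system32\\pdtfijws.ini
C:\\WINDOWS\\system32\\sewmrqnq.ini2
C:\\WINDOWS\\system32\\77052A6FA7.sys
C:\\WINDOWS\\system32\\winshost.exe

Folder::
C:\\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{BE4E0AAE-947C-4C6D-A58C-11531F18F615}]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\winshost.exe]

RenV::
----a-w 5,434,579 2005-01-26 23:28:00 C:\\Program Files\\STI\\SPIRIT_Custom\\Media\\84fb7ffc-18bf-4c8c-8644-3d20ba784bb8\\Programs\\SPIRIT 12 .exe
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")           # must start at column 0
INDENTED_HEADER_RE = re.compile(r"^\s+([A-Za-z]+)::\s*$")  # the mistake the post warns about
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# The eight-random-letter names in system32 that fill the File:: list
# (pdtfijws.ini, epgtmelk.dll, sewmrqnq.ini2 ...) are the Vundo/Virtumonde
# dropper pattern; flagging them lets the operator eyeball the list quickly.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:ini2?|dll|dat)$", re.IGNORECASE)
# Files a removal script must never list; a typo in a hand-built script would
# otherwise leave the machine unbootable (short example list, not exhaustive).
PROTECTED = {
    "c:\\windows\\explorer.exe",
    "c:\\windows\\system32\\hal.dll",
    "c:\\windows\\system32\\ntoskrnl.exe",
    "c:\\windows\\system32\\userinit.exe",
    "c:\\windows\\system32\\winlogon.exe",
}


def parse_cfscript(text):
    """Map each 'Name::' section to its non-blank entry lines.

    A section runs until the next header. Lines before the first header, and
    any header carrying leading whitespace, are ignored, so a mis-pasted
    script silently loses its sections instead of deleting the wrong thing."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.strip():
            continue
        sections[current].append(line)
    return dict(sections)


def find_indented_headers(text):
    """Section names that would be skipped because of leading spaces."""
    return [m.group(1) for m in map(INDENTED_HEADER_RE.match, text.splitlines()) if m]


def check_cfscript(text):
    """Return the findings an operator should read before running the script."""
    sections = parse_cfscript(text)
    findings = {
        "sections": sorted(sections),
        "indented_headers": find_indented_headers(text),
        "bad_paths": [],       # File/Folder entries that are not absolute paths
        "protected_hits": [],  # entries naming a file from PROTECTED
        "random_names": [],    # system32 entries matching the dropper pattern
    }
    for path in sections.get("File", []) + sections.get("Folder", []):
        low = path.lower()
        if not DRIVE_PATH_RE.match(path):
            findings["bad_paths"].append(path)
        if low in PROTECTED:
            findings["protected_hits"].append(path)
        if "\\system32\\" in low and RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            findings["random_names"].append(path)
    return findings


if __name__ == "__main__":
    for key, value in check_cfscript(SAMPLE_CFSCRIPT).items():
        print(f"{key}: {value}")
```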
 
logs (1st 1/2 of eset online)

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2766 (20080104)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=079d42dd4cbdd940a103de5ba56b20d0
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-06 01:32:53
# local_time=2008-01-06 02:32:53 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# osver=5.1.2600 NT Service Pack 2
# scanned=361535
# found=234
# scan_time=4178
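A way to read an ESET Online Scanner log.txt like the one pasted in this thread: parse the "# key=value" header and each detection line, then sort the hits by whether they sit in a System Restore point, in a tool's quarantine or backup folder, or on a live path, because only the last group is an active infection; the header's found= count is also checked against the number of lines parsed, which catches a paste that was truncated or split across posts. This is an added example for this page, not code from the thread or from ESET; the sample log is constructed from a few of the post's own lines plus one live-path line with a placeholder hash, and the folder markers used for classification are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: header fields and four detection lines copied from the
# post, plus one live-path line (vwbpbgwi.dll, a file the CFScript above
# targets) that is constructed for this example with an all-zero placeholder
# hash, not taken from the real log.
SAMPLE_ESET_LOG = """# version=4
# osver=5.1.2600 NT Service Pack 2
# scanned=361535
# found=5
# scan_time=4178
C:\\Program Files\\Trend Micro\\HijackThis\\backups\\backup-20080105-142537-477.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\\System Volume Information\\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\\RP249\\A0099848.DLL Win32/Adware.Virtumonde application 87E1F53F822A401423588A09CF5E923B
C:\\System Volume Information\\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\\RP250\\A0100807.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\\QooBox\\Quarantine\\C\\WINDOWS\\aconti.exe.vir a variant of Win32/Dialer.ALifeDialer application 35EB365579475048AA24C8D4DD075CD6
C:\\WINDOWS\\system32\\vwbpbgwi.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
"""

HEADER_RE = re.compile(r"^#\s*([^=\s]+)=(.*)$")
# path, then the detection name (which may carry ESET's "probably a variant
# of" / "a variant of" prefix), then the object kind, then a 32-hex MD5.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably\s+)?(?:a\s+variant\s+of\s+)?Win32/\S+)\s+"
    r"(?P<kind>\S+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Folder fragments that mean "not loadable as-is": System Restore snapshots
# and the quarantine/backup folders of the tools used in this thread
# (assumed markers). Anything else is treated as live and needs attention.
INERT_MARKERS = {
    "restore_point": ("\\system volume information\\_restore",),
    "quarantine": ("\\qoobox\\quarantine\\", "\\hijackthis\\backups\\",
                   "\\vundofix backups\\"),
}


def classify_path(path):
    """Bucket a detected path: truncated, restore_point, quarantine or live."""
    if not DRIVE_PATH_RE.match(path):
        return "truncated"  # e.g. the "0\A0100923.dll" fragment a split paste leaves
    low = path.lower()
    for bucket, markers in INERT_MARKERS.items():
        if any(marker in low for marker in markers):
            return bucket
    return "live"


def parse_eset_log(text):
    """Split a log into (header dict, detection dicts, lines that fit neither)."""
    header, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2).strip()
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append(d.groupdict())
        else:
            unparsed.append(line)
    return header, detections, unparsed


def triage_eset_log(text):
    """Summarise a log: is the paste complete, where do the hits live, which
    families are present, and which paths are active and need follow-up."""
    header, detections, unparsed = parse_eset_log(text)
    declared = int(header.get("found", "0"))
    by_location = Counter(classify_path(d["path"]) for d in detections)
    by_family = Counter(d["name"].split("/")[-1] for d in detections)
    return {
        "declared_found": declared,
        "parsed": len(detections),
        # A mismatch means the paste is truncated or split, as in this thread.
        "complete": declared == len(detections) and not unparsed,
        "by_location": dict(by_location),
        "by_family": dict(by_family),
        "live": [d["path"] for d in detections if classify_path(d["path"]) == "live"],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage_eset_log(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```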
 
2nd 1/2 of eset online scan (minus a bit that's in the next post)

C:\QooBox\Quarantine\C\VundoFix Backups\qirqllld.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\qxbgyhrt.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\rdgoqilo.dll.bad.vir Win32/Adware.BHO.V application 3ECFCD051382B8060F9AD55619B335B0
C:\QooBox\Quarantine\C\VundoFix Backups\rhhgbaov.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\rnekbkav.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\rtkugord.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\rvudfbln.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\rxqemcmh.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\ryyrcatv.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\sscmyuhb.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\stbkhppd.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\suhuhspi.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\ttlavuqh.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\txdbbppg.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\uexeygti.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\ufqdiqog.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\unfjwvfd.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\usqetaxl.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\vaculevs.dll.bad.vir probably a variant of Win32/Adware.BHO.V application A4B6E07148A096E45C5586BFE11738DD
C:\QooBox\Quarantine\C\VundoFix Backups\vieoegty.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\voumqsqp.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\vtsqq.dll.bad.vir Win32/Adware.Virtumonde application E9E25FBE4AA26FB6FA462C6D2D40C6F3
C:\QooBox\Quarantine\C\VundoFix Backups\vyxejewr.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\wigkbtry.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\wqfutprs.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\wrbcjmtt.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\wvuutts.dll.bad.vir probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
 
Last bit of ESET online scan + HJT log + ComboFix log


====================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:35 p.m., on 6/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4913 bytes
 
Sorry, this is the ComboFix log (rest in next post).

Darn that 20K character cap.

ComboFix 08-01-06.4 - Joel Gibson 2008-01-06 11:45:17.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1137 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel Gibson\Desktop\CFScript.txt
* Created a new restore point

FILE
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-05 15:16 . 2008-01-06 11:45 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
 
Rest of logs

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
--a------ 2003-02-10 14:48 192542 C:\IME\IMJP\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-05 00:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 14:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 14:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-05 00:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 12:10:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-06 12:11:00
ComboFix-quarantined-files.txt 2008-01-05 23:10:58
ComboFix2.txt 2008-01-05 03:50:52
.
2008-01-04 23:28:54 --- E O F ---
 
Good morning, Llama,

It looks like the File Infector is gone and your HJT log looks fine :bigthumb:

But we still need to do a few things to clean up the leftovers.

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.

  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it.

    Select it and click Remove.
  • Reboot your system.
  • Then go to the Sun Microsystems site and install the update.
  • Java Runtime Environment Version 6 Update 3 <-- This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here Sun Java Verify
I like to do the offline installation and save the setup file in case I need it in the future.

Please download SuperAntiSpyware
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Don't be alarmed when SAS finds Vundo; it will just be leftover reg entries and such, which it will remove.

Let me see the SAS log and one final HJT log, and let me know how you feel your system is running now?
 
Morning. I suppose 1 am here in NZ can count as morning... :p:

However, Java is now updated (the online link prompted me with a save location?!?!), ATF Cleaner did whatever it was supposed to do, SAS can wait until daytime because it'll take long and I won't be awake till you're probably asleep anyway. HJT log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:33 a.m., on 7/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5142 bytes

I've also re-enabled TeaTimer because that usually gives me warnings when something is doing something I probably won't like (in this case it did, but it just couldn't do anything about it).

As far as I can tell, there are no randomly named .dlls, .exes or registry entries that HJT can find, so that must be a good thing, right? :D:

I also found it funny when one anti-spyware exe found "malicious entities" which were the backups another anti-spyware programme had made before deleting them.
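The "nothing randomly named" reading above is only half of what a HijackThis log can tell you: the entries that deserve a second look are the ones whose file is already gone (the long run of `O2 - BHO: (no name) - {CLSID} - (no file)` lines in the last log in this thread), plus anything that gets injected into every process (`AppInit_DLLs`), hooks the logon process (`Winlogon Notify`), or runs as a service with no identifiable vendor. The script below is an added example, not part of the original thread or of HijackThis; its sample input is constructed from lines copied out of the logs posted here, and the `KNOWN_INJECTED_DLLS` allowlist is an assumption the analyst maintains (seeded with the COMODO and SUPERAntiSpyware DLLs that the logs above identify).

```python
import re
from dataclasses import dataclass

# Sample input constructed for this example: a handful of lines copied from
# the HijackThis logs posted in this thread (the O2 "(no file)" lines are
# from the last log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Analyst-maintained allowlist (assumption for this example): injected DLLs
# that belong to products identified elsewhere in the thread's logs.
KNOWN_INJECTED_DLLS = {
    "guard32.dll": "COMODO Firewall Pro",
    "saswinlo.dll": "SUPERAntiSpyware",
}

LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str          # HJT section code, e.g. "O2"
    kind: str             # orphan | appinit | winlogon_notify | unknown_owner
    detail: str           # CLSID or path the finding refers to
    allowlisted: bool = False


def basename(path):
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage_hjt(log_text):
    """Return the entries of a HijackThis log that merit a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            # Registration survives but the DLL is gone: leftover to clean up.
            clsid = CLSID_RE.search(body)
            findings.append(Finding(sect, "orphan", clsid.group(0) if clsid else body))
        elif sect == "O20" and body.startswith("AppInit_DLLs:"):
            # Loaded into every process that links user32.dll.
            path = body.split(":", 1)[1].strip()
            findings.append(Finding(sect, "appinit", path,
                                    basename(path) in KNOWN_INJECTED_DLLS))
        elif sect == "O20" and body.startswith("Winlogon Notify:"):
            # Loaded by winlogon.exe itself.
            path = body.rsplit(" - ", 1)[-1]
            findings.append(Finding(sect, "winlogon_notify", path,
                                    basename(path) in KNOWN_INJECTED_DLLS))
        elif sect == "O23" and " - Unknown owner - " in body:
            # Service binary with no vendor information.
            findings.append(Finding(sect, "unknown_owner", body.rsplit(" - ", 1)[-1]))
    return findings


def needs_review(findings):
    """Everything that is not covered by the allowlist."""
    return [f for f in findings if not f.allowlisted]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        flag = "ok  " if f.allowlisted else "LOOK"
        print(f"{flag} {f.section:<4}{f.kind:<16}{f.detail}")
```

Run against the sample, it reports the three orphaned BHO registrations and the unknown-owner service for review, while the two allowlisted injection points are shown but not raised; on the final log in this thread the orphan list would be several dozen entries long, which is what a "Fix checked" pass in HJT is for.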
 
I also found it funny when one anti-spyware exe found "malicious entities" which were the backups another anti-spyware programme had made before deleting them.
Yep, this happens.

I will wait for the SAS log, and if all is ok you will be good to go.
 
SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2008 at 11:56 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:38:43

Memory items scanned : 446
Memory threats detected : 0
Registry items scanned : 6018
Registry threats detected : 141
File items scanned : 33642
File threats detected : 105

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTQ.DLL
HKLM\Software\Classes\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}\InprocServer32
HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKHFG.DLL
HKLM\Software\Classes\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}
HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}
HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}\InprocServer32
HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDB.DLL
HKLM\Software\Classes\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}
HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}
HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}\InprocServer32
HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTTS.DLL
HKLM\Software\Classes\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}
HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}
HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}\InprocServer32
HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}
HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}
HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}\InprocServer32
HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUTS.DLL
HKLM\Software\Classes\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}
HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}
HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}\InprocServer32
HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABB.DLL
HKLM\Software\Classes\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}
HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}
HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}\InprocServer32
HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEBX.DLL
HKLM\Software\Classes\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}
HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}
HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}\InprocServer32
HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBCD.DLL
HKLM\Software\Classes\CLSID\{74435086-2553-4863-8124-7899D709B090}
HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}
HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}\InprocServer32
HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVVS.DLL
HKLM\Software\Classes\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}
HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}
HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}\InprocServer32
HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNLM.DLL
HKLM\Software\Classes\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}
HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}
HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}\InprocServer32
HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLLJH.DLL
HKLM\Software\Classes\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}
HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}
HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}\InprocServer32
HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCA.DLL
HKLM\Software\Classes\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}
HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}
HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}\InprocServer32
HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQP.DLL
HKLM\Software\Classes\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}
HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}
HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}\InprocServer32
HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJH.DLL
HKLM\Software\Classes\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}
HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}
HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}\InprocServer32
HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQO.DLL
HKLM\Software\Classes\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}
HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}
HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}\InprocServer32
HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQPM.DLL
HKLM\Software\Classes\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}
HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}
HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}\InprocServer32
HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUTT.DLL
HKLM\Software\Classes\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}
HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}
HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}\InprocServer32
HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGF.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}
HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}
HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}\InprocServer32
HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQR.DLL
HKLM\Software\Classes\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}
HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}
HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}\InprocServer32
HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKHFC.DLL
HKLM\Software\Classes\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}
HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}
HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}\InprocServer32
HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKHI.DLL
HKLM\Software\Classes\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}
HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}
HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}\InprocServer32
HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCB.DLL
HKLM\Software\Classes\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}
HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}
HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}\InprocServer32
HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKJH.DLL
HKLM\Software\Classes\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}
HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}
HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}\InprocServer32
HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDAYW.DLL
HKLM\Software\Classes\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}
HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}
HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}\InprocServer32
HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDC.DLL
HKLM\Software\Classes\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}
HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}
HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}\InprocServer32
HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTQP.DLL
HKLM\Software\Classes\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}
HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}
HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}\InprocServer32
HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGG.DLL
HKLM\Software\Classes\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}
HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}
HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}\InprocServer32
HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQRQ.DLL
HKLM\Software\Classes\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}
HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}
HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}\InprocServer32
HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDAYV.DLL
HKLM\Software\Classes\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}
HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}
HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}\InprocServer32
HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJI.DLL
HKLM\Software\Classes\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}
HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}
HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}\InprocServer32
HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNNM.DLL
HKLM\Software\Classes\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}
HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}
HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}\InprocServer32
HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGE.DLL
HKLM\Software\Classes\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}
HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}
HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}\InprocServer32
HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}
HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}
HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}\InprocServer32
HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBCY.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Joel Gibson\Cookies\joel_gibson@doubleclick[1].txt

Adware.IEPlugin
HKCR\Remove

Trojan.Downloader-CREW
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-142537-477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100819.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100834.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100840.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100847.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100858.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100860.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100870.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100892.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100898.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100903.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100910.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100916.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100920.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101088.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101089.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101090.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101091.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101092.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101093.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101094.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101095.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101096.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101097.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101098.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101099.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101100.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101101.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101102.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101103.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP252\A0101562.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ANWVSMQN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BFXUYHHP.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DGFXSYUL.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRHVRKPM.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FVJFRQKT.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IDJVJVIF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IJCTCDSO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JEWVWJOA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JLEAHHWF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KEOTFDCX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LBNLVMOM.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LROGOXWN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NWHLEHED.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QFPRBBEB.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SNQIYYFQ.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UCVIDIOR.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WJLDNUSV.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EPGTMELK.DLL.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\BECWKCJV.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\DVLQGALI.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\GYKXQAFX.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\HROLLKOX.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\JRODKADA.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\LWEIBFWF.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\LYPGBKIP.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\OITQNBNW.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\RDGOQILO.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\RXQEMCMH.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\STBKHPPD.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\TXDBBPPG.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\VACULEVS.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\VOUMQSQP.DLL.BAD.VIR

Adware.WhenU
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP249\A0099848.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100845.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100865.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100926.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100931.DLL


Cheers! :bigthumb:
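Most of the 105 file hits in the SAS log above are not live infections: they are copies held in System Restore points, in ComboFix's `QOOBOX\QUARANTINE`, in the VundoFix backup folder and in HijackThis' own backups, which is exactly the "backups flagged as malicious" effect noted earlier in the thread. The only files that were actually in place were the five-letter DLLs in `SYSTEM32` and one installer. The script below is an added example, not part of the thread or of SUPERAntiSpyware; it parses the log format shown above and sorts each hit by where it lives. Its sample input is an excerpt constructed from the log above (the tracking-cookie line, which carries a user name, is left out), and the "random five-letter DLL in SYSTEM32" check is a heuristic taken from the names in this log, not a SAS rule.

```python
import re
from collections import Counter, defaultdict

# Sample input constructed for this example: an excerpt of the SUPERAntiSpyware
# log posted above, trimmed to a few entries per category.
SAMPLE_SAS_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2008 at 11:56 AM

Scan type : Complete Scan

Registry threats detected : 141
File threats detected : 105

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32
C:\WINDOWS\SYSTEM32\AWVTQ.DLL
HKLM\Software\Classes\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
C:\WINDOWS\SYSTEM32\JKHFG.DLL

Trojan.Downloader-CREW
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-142537-477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ANWVSMQN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\BECWKCJV.DLL.BAD.VIR

Adware.WhenU
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE
"""

# A detected item is either a registry path or an absolute file path.
ITEM_RE = re.compile(r"^(HK[A-Z]+\\|[A-Z]:\\)")
# Heuristic, not a SAS rule: the Vundo-family DLLs in this log are all
# five-letter names dropped straight into SYSTEM32.
RANDOM_DLL_RE = re.compile(r"^[A-Z]{5}\.DLL$")


def parse_sas_log(log_text):
    """Group detected items under the threat-name header that precedes them."""
    groups = defaultdict(list)
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ITEM_RE.match(line):
            if current is not None:
                groups[current].append(line)
        else:
            current = line          # header lines without items are dropped below
    return {name: items for name, items in groups.items() if items}


def classify_path(item):
    """Where the hit lives: registry, restore point, a cleaner's backup, or live."""
    p = item.upper()
    if p.startswith("HK"):
        return "registry"
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "restore_point"
    if ("\\QOOBOX\\QUARANTINE\\" in p or "\\HIJACKTHIS\\BACKUPS\\" in p
            or "\\VUNDOFIX BACKUPS\\" in p):
        return "tool_backup"
    return "live"


def looks_randomly_named(item):
    p = item.upper()
    return "\\SYSTEM32\\" in p and bool(RANDOM_DLL_RE.match(p.rsplit("\\", 1)[-1]))


def summarize(log_text):
    """Per threat name: how many hits of each kind, and how many live random-named DLLs."""
    report = {}
    for threat, items in parse_sas_log(log_text).items():
        counts = Counter(classify_path(i) for i in items)
        counts["random_named_live"] = sum(
            1 for i in items if classify_path(i) == "live" and looks_randomly_named(i))
        report[threat] = dict(counts)
    return report


def live_files(log_text):
    """The hits that were actually in place, not copies held by a cleaner or System Restore."""
    return [i for items in parse_sas_log(log_text).values()
            for i in items if classify_path(i) == "live"]


if __name__ == "__main__":
    for threat, counts in summarize(SAMPLE_SAS_LOG).items():
        print(f"{threat}: {counts}")
    print("live:", live_files(SAMPLE_SAS_LOG))
```

The `restore_point` bucket is the reason the next step in a clean-up like this is to flush System Restore: those copies are inert until someone restores to RP250 or RP251, at which point they come straight back.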
 
WOW!! You had a ton of bad stuff it removed. You have to be careful of what you download and the sites you go to; the threats out there now are real nasty, with some going around that can't be cleaned, where a reformat of Windows is the only option, so watch yourself.

All the entries we removed are backed up in System Restore; we need to flush it all out.
System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Reboot your computer


Turn ON System Restore.

  • Right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore on all Drives.
  • Click Apply, and then click OK.


Create a new Restore Point <-- Very Important

  • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
    You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.
System Restore Tutorial <-- If you need it


Post one last HJT log for review and let me know how your system is running now?
 
System Restore turned off, then on, then created a restore point: Check

HJT log: Check

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:11 p.m., on 7/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7519 bytes

I'm a tad suspicious of the many O2 Browser Helper Objects with no name or file, because that's what most of the Vundo ones were, although neither Spybot nor Comodo Firewall came up with anything, so I'm going to assume that's alright. Can I now remove SAS, vundofix.exe etc. (I will keep Spybot, Comodo and find myself an anti-virus programme)?

Otherwise, thanks for all the help!
 
Not sure why all that came back; do this, as they're all related to Vundo. Although there are no files, those entries should be gone.

Keep this disabled until I give you the all clear. It's possible that it prevented SAS from removing those entries.
You need to disable the TeaTimer in Spybot Search and Destroy or it may prevent the fixes from taking.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer for it to take effect.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)

O20 - Winlogon Notify: byxyvut - C:\WINDOWS\

Drag Combofix to the trash and download and run the newest version that was just posted yesterday.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the New Combofix log and a New HJT log
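An added triage script for this thread (not part of HijackThis, ComboFix or the posts above) that applies the same two checks the fix list is built from to raw HJT log lines: O2 BHO entries reading "(no name)" and "(no file)" (orphaned CLSIDs of the kind left behind by Vundo) and O20 Winlogon Notify entries whose path is a bare directory rather than a DLL. The function names and the extra "(file missing)" check are my own; the sample lines are constructed from the HJT log posted earlier.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or the
original posts. It flags the two patterns the fix list above is built from:
  * O2 BHO entries reading "(no name)" and "(no file)": orphaned CLSIDs of the
    kind left behind after a Vundo cleanup
  * O20 Winlogon Notify entries whose path is a bare directory (e.g.
    "C:\\WINDOWS\\") rather than a DLL
It also notes O2 entries marked "(file missing)", an extra check of my own.
The sample lines below are constructed from the HJT log posted in the thread.
"""
import re

# O2 - BHO: <name> - {<CLSID>} - <path or "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
# O20 - Winlogon Notify: <subkey> - <dll path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def triage_line(line):
    """Return (reason, detail) when the line warrants review, else None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        if name == "(no name)" and path == "(no file)":
            return ("orphaned-bho", clsid)       # registry key with no backing DLL
        if path.endswith("(file missing)"):
            return ("bho-file-missing", clsid)   # registered DLL no longer on disk
        return None
    m = O20_RE.match(line)
    if m:
        path = m.group("path").strip()
        # A Winlogon Notify package must name a DLL; a directory-only path
        # such as "C:\WINDOWS\" is a leftover or a broken loading point.
        if not re.search(r"\.\w+$", path):
            return ("winlogon-notify-no-dll", m.group("key"))
        return None
    return None


def triage_log(text):
    """Return [(line, reason, detail), ...] for every flagged line, in order."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((raw.strip(), hit[0], hit[1]))
    return findings


# Constructed sample: a handful of lines copied from the log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
"""

if __name__ == "__main__":
    for line, reason, detail in triage_log(SAMPLE_LOG):
        print(f"{reason:24} {detail}")
```

Entries with a real DLL on disk (the Adobe and SUPERAntiSpyware lines) come back clean; the flagged ones match the list the helper asked to have fixed.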
 
combofix log

ComboFix 08-01-04.1 - Joel Gibson 2008-01-07 23:40:12.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\SUPERAntiSpyware.com
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-06 11:54:08 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-06 11:54:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-06 11:54:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-07-11 12:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 09:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-11 12:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 09:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-11 13:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 10:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 02:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 02:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 07:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 00:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 05:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 05:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 03:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-12 22:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2004-12-06 22:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81FC19CA-4C54-4AB6-8952-341345BB8E7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204BC7D-6B84-4915-A629-76F790E96751}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACD52C84-DCCD-4A64-ACF3-478DA69B95CF}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 11:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 23:59:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-08 0:00:45
ComboFix-quarantined-files.txt 2008-01-07 11:00:42
ComboFix3.txt 2008-01-05 03:50:52
ComboFix2.txt 2008-01-05 23:11:02
.
2008-01-04 23:28:54 --- E O F ---
 