
[Resolved] Trojan.Virtumonde Removal Help Needed, Please!


10 replies to this topic

#1 cmanutd99 (Authentic Member, 28 posts)

Posted 25 December 2007 - 03:18 PM

Hi. Over the past few days I keep getting warnings from my AVG about infected DLLs. I remove them to the vault but they keep reappearing. AVG seems to think it's something called LOP VIRUS, but upon running both Ad-Aware and Spyware Doctor they both state I have Trojan.Virtumonde. I have tried removing them with both the aforementioned apps, but the infected DLLs keep popping up. Any help you can give me would be greatly appreciated. I have included my HijackThis log.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:48, on 25/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KService\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\My Documents\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7BED1F14-57E9-4E35-943F-CE1688F6CB4E} - C:\WINDOWS\system32\wvuuvuv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing) (HKCU)
O9 - Extra button: Parbet Casino USD - {2B7CD833-1F24-4FA4-BB28-0E2EE80051E8} - C:\Documents and Settings\Chris\Desktop\Parbet Casino USD.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Parbet Casino USD - {2B7CD833-1F24-4FA4-BB28-0E2EE80051E8} - C:\Documents and Settings\Chris\Desktop\Parbet Casino USD.lnk (file missing) (HKCU)
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O9 - Extra button: Playboy Casino GBP - {C8B54920-5DFB-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Playboy Casino GBP.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino GBP - {C8B54920-5DFB-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Playboy Casino GBP.lnk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.c...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport...ortlauncher.cab
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh....elper/Nyoko.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107963243203
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyc...fsloader_v3.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.mic...gas/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC32987-74D4-4656-8881-09328C262BF7}: NameServer = 192.168.0.1
O20 - Winlogon Notify: wvuuvuv - C:\WINDOWS\SYSTEM32\wvuuvuv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13893 bytes
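The HijackThis log above registers the same unnamed DLL twice: once as a browser helper object (O2 - BHO: (no name) ... wvuuvuv.dll) and again as a Winlogon Notify handler (O20 - Winlogon Notify: wvuuvuv). The script below, added here as an example and not part of this thread or of HijackThis, parses the O2 and O20 sections out of a log and flags both an unnamed BHO and any DLL that appears in both sections, so a similar log can be triaged mechanically. The sample lines are constructed from the format of the log posted above; the regular expressions and function names are my own.

```python
import re
import ntpath
from collections import defaultdict

# Constructed sample in HijackThis v2 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7BED1F14-57E9-4E35-943F-CE1688F6CB4E} - C:\WINDOWS\system32\wvuuvuv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: wvuuvuv - C:\WINDOWS\SYSTEM32\wvuuvuv.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O20 lines: "O20 - Winlogon Notify: <registry key> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def parse_hijackthis(text):
    """Return O2 and O20 entries as dicts; every other section is skipped."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"],
                            "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m["key"], "path": m["path"]})
    return entries


def find_suspects(entries):
    """Flag unnamed BHOs and DLLs loaded both as a BHO and as a Winlogon Notify
    handler (the pairing visible in the log above). Returns (reason, dll) tuples."""
    findings = []
    sections_by_dll = defaultdict(set)
    for e in entries:
        if e["path"].lower() == "(no file)":
            continue  # dangling registration; nothing on disk to load
        # ntpath splits on backslashes even when this runs on a non-Windows host
        dll = ntpath.basename(e["path"]).lower()
        sections_by_dll[dll].add(e["section"])
        if e["section"] == "O2" and e["name"] == "(no name)":
            findings.append(("unnamed BHO", dll))
    for dll, sections in sections_by_dll.items():
        if {"O2", "O20"} <= sections:
            findings.append(("BHO + Winlogon Notify", dll))
    return findings


if __name__ == "__main__":
    for reason, dll in find_suspects(parse_hijackthis(SAMPLE_LOG)):
        print(f"{reason}: {dll}")
```

Run against the sample, the only DLL reported is wvuuvuv.dll, under both reasons; the (no file) BHO is skipped because it has nothing to load, and the signed, named Adobe helper produces no finding.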



#2 cmanutd99 (Authentic Member, 28 posts)

Posted 26 December 2007 - 08:20 AM

Hi, just to add: I have run the VundoFix found in the FAQ, but it stated files were unable to be removed, and after rebooting and doing another scan it found more files!

#3 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 29 December 2007 - 11:15 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • Close CCleaner.

Step 2

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step 3

Open CCleaner. In the Left Pane, click Tools.

  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit CCleaner.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the CCleaner Uninstall List
  • a new HijackThis log


#4 cmanutd99 (Authentic Member, 28 posts)

Posted 30 December 2007 - 03:42 AM

Hi Simon,

Thanks for your reply. I have done everything you suggested, and the things you asked for are below!

COMBOFIX:

ComboFix 07-12-21.4 - Chris 2007-12-30 9:17:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.481 [GMT 0:00]
Running from: C:\Documents and Settings\Chris\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\wvuuvuv.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 09:07 . 2007-12-30 09:07 <DIR> d-------- C:\Program Files\CCleaner
2007-12-26 09:47 . 2007-12-27 11:45 <DIR> d-------- C:\VundoFix Backups
2007-12-25 20:32 . 2007-12-25 20:32 106 --a------ C:\delete.bat
2007-12-24 08:39 . 2007-12-25 21:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-24 08:39 . 2007-12-26 10:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 08:39 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-24 08:39 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-24 08:39 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-24 08:39 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-22 14:33 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-18 09:43 . 2007-12-22 11:11 <DIR> d-------- C:\Program Files\Imperial Casino
2007-11-20 20:11 . 2007-11-20 20:11 <DIR> d-------- C:\Program Files\Orb Networks
2007-11-20 20:11 . 2007-11-20 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 09:32 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2007-12-26 15:00 --------- d-----w C:\Documents and Settings\Chris\Application Data\SopCast
2007-12-26 10:09 --------- d-----w C:\Documents and Settings\Chris\Application Data\AVG7
2007-12-25 09:28 --------- d-----w C:\Program Files\Google
2007-12-24 15:50 --------- d-----w C:\Documents and Settings\Chris\Application Data\.BitTornado
2007-12-24 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-14 23:59 --------- d-----w C:\Program Files\Littlewoods Casino
2007-12-13 16:13 --------- d-----w C:\Program Files\PhotoRescue
2007-12-09 12:54 16,320 ----a-w C:\Documents and Settings\Chris\Application Data\wklnhst.dat
2007-12-07 00:01 --------- d-----w C:\Program Files\InterCasino £££
2007-12-05 15:31 --------- d-----w C:\Program Files\InterCasino $$$
2007-11-20 18:57 --------- d-----w C:\Program Files\Soulseek
2007-11-14 22:07 --------- d-----w C:\Program Files\Parbet Casino USD
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 10:41 --------- d-----w C:\Documents and Settings\Chris\Application Data\Image Zone Express
2007-11-05 12:48 --------- d-----w C:\Program Files\spinpalace
2007-11-05 12:48 --------- d-----w C:\Program Files\rubyfortune
2007-11-05 12:48 --------- d-----w C:\Program Files\MummysGold
2007-11-04 21:36 --------- d-----w C:\Program Files\riverbelle
2007-10-25 07:50 282 ----a-w C:\Documents and Settings\Nic\Application Data\wklnhst.dat
2006-02-13 16:43 64,528 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2005-02-09 14:13 8 --sh--r C:\WINDOWS\system32\14E4D0A500.sys
2006-11-06 19:12 56 --sh--r C:\WINDOWS\system32\D1C67D2685.sys
2006-11-06 19:12 12,100 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-12-09 15:38]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2005-12-12 11:23]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-12 21:05]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"Dit"="Dit.exe" [2004-07-20 18:18 C:\WINDOWS\Dit.exe]
"Keyboard Status"="C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe" [2005-01-25 11:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCMService"="C:\Program Files\Home Cinema\PowerCinema\PCMService.exe" [2005-02-04 11:48]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 08:58]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 20:52]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 07:57]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-02-09 13:31:04]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-02-01 00:33]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 12:58]
R3 wbscr;Winbond Smartcard Reader for I/O;C:\WINDOWS\system32\drivers\wbscr.sys [2002-04-24 12:07]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2007-12-30 09:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 12:09:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F539353E-C340-418C-B580-0C16FE343CCB}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 09:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 9:34:55 - machine was rebooted
.
2007-12-12 22:02:55 --- E O F ---



CCleaner Uninstall List:

32 Bit HP CIO Components Installer
32Red Casino
AC-3 ACM Decompressor
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.7
Agere Systems PCI Soft Modem
AIO_Scan
AOL UK (Choose which version to remove)
Archos MPG4 Translator V3.0.9
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
AVG Free Edition
bet365casino
BetDirect Casino
Betfred Casino
BitTornado 0.3.7
BitTorrent complete dir 1.1
Blackjack Wager Tracker
BlueSoleil
BufferChm
bwin Casino
CCleaner (remove only)
CloneCD
C-Media High Definition Audio Driver
CoolStreaming
Copy
CoverPro
CoverPro (C:\Program Files\CoverPro\)
Creative Mass Storage Drivers
Creatix V.92 Data Fax Modem
CustomerResearchQFolder
Dash Casino
Destinations
DeviceControl
DeviceManagementQFolder
DivX Player
DivX Pro
DivX Web Player
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
eMule
eSupportQFolder
F4100
F4100_Help
Generic USB CardReader 2.0
Golden Palace Casino
Google Earth
GSpot Codec Information Appliance
High Definition Audio Driver Package - KB835221
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
Imperial Casino (Remove Only)
Information about your PC
InterCasino
InterCasino £££
J2SE Runtime Environment 5.0 Update 1
Jackpots In A Flash
Java™ 6 Update 2
KeyStat
Ladbrokes Casino
Learn2 Player (Uninstall Only)
Littlewoods Casino
Macromedia Shockwave Player
MarketResearch
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft AutoRoute 2005
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Money
Microsoft Office XP Professional with FrontPage
Microsoft Photo Premium 10
Microsoft Picture It! Library 10
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Mummys Gold Casino
Musicmatch® Jukebox
Nero Suite
oggcodecs 0.69.8924
Omni Casino
Orb
Paint Shop Pro 7
Parbet Casino USD
PhotoNow! 1.0
PhotoRescue 2.1 Demo Version (build 679)
Piggs Peak Casino
Playboy Casino GBP
PowerCinema 4.0
PowerDirector
PowerDVD
PowerProducer
PPLive 1.2.35
QuickTime
RealPlayer
Red Lounge Casino
River Belle Online Casino
RT2500 USB Wireless LAN Card
Ruby Fortune Casino
Sands of the Caribbean®
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shockwave
Sky Anytime
Smart Manager
SolutionCenter
Sony Ericsson PC Suite 1.20.224
SopCast 1.1.1
SoulSeek Client 156c
Spin Palace Casino
SportingOdds Casino
Spyware Doctor 5.1
Status
Sygate Personal Firewall
The Gaming Club
Toolbox
TrayApp
Trident Lounge Casino
TVAnts 1.0
UnloadSupport
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
videon
Viewpoint Media Player
VIP Casino
W83L518D
WebFldrs XP
WebReg
WH GBP Casino
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
Works Upgrade
X10 Hardware™


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:37:52, on 30/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KService\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Chris\My Documents\Virus Removal\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing) (HKCU)
O9 - Extra button: Parbet Casino USD - {2B7CD833-1F24-4FA4-BB28-0E2EE80051E8} - C:\Documents and Settings\Chris\Desktop\Parbet Casino USD.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Parbet Casino USD - {2B7CD833-1F24-4FA4-BB28-0E2EE80051E8} - C:\Documents and Settings\Chris\Desktop\Parbet Casino USD.lnk (file missing) (HKCU)
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O9 - Extra button: Playboy Casino GBP - {C8B54920-5DFB-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Playboy Casino GBP.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino GBP - {C8B54920-5DFB-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Playboy Casino GBP.lnk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.c...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport...ortlauncher.cab
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh....elper/Nyoko.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107963243203
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyc...fsloader_v3.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.mic...gas/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC32987-74D4-4656-8881-09328C262BF7}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13469 bytes
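
A triage helper for the HijackThis log format posted above, added here as an example and not part of this thread or of HijackThis: it groups the entries a helper checks first (targets marked "(file missing)", O16 DPF ActiveX downloads by host, O23 services with an unknown owner, and the O17 NameServer with an RFC 1918 check). The sample log is constructed from complete lines in the log above; the O16 hosts are placeholders (.invalid) because the forum truncates those URLs.

```python
"""HijackThis v2 log triage (added example; not part of the thread or of HijackThis).

Groups the entry types a malware-removal helper looks at first:
  * any entry whose target is marked "(file missing)" (orphaned registry references),
  * O16 DPF ActiveX downloads, keyed by the host the .cab came from,
  * O23 services listed with "Unknown owner",
  * O17 NameServer overrides, with an RFC 1918 check (a LAN address is
    normally the home router; a public one deserves a closer look).
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: complete lines taken from the log above, plus O16 lines
# with placeholder (.invalid) hosts, since the forum truncates those URLs.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://launcher.placeholder-bookmaker.invalid/launcher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.placeholder-vendor.invalid/wuweb_site.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC32987-74D4-4656-8881-09328C262BF7}: NameServer = 192.168.0.1
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class Triage:
    counts: dict = field(default_factory=lambda: defaultdict(int))
    file_missing: list = field(default_factory=list)
    dpf_by_host: dict = field(default_factory=lambda: defaultdict(list))
    unknown_owner_services: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)


def parse_entries(log_text):
    """Yield (kind, body) for each 'Oxx - ...' style entry; process/header lines are ignored."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def is_rfc1918(ip_text):
    """True if the DNS server address is a private LAN address (typically the router)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def triage(log_text):
    t = Triage()
    for kind, body in parse_entries(log_text):
        t.counts[kind] += 1
        if "(file missing)" in body:
            t.file_missing.append(f"{kind} - {body}")
        if kind == "O16":
            url = URL_RE.search(body)
            clsid = CLSID_RE.search(body)
            if url and clsid:
                host = urlparse(url.group(0)).netloc.lower()
                t.dpf_by_host[host].append(clsid.group(0))
        elif kind == "O17":
            m = re.search(r"NameServer\s*=\s*(\S+)", body)
            if m:
                t.nameservers.extend(m.group(1).split(","))
        elif kind == "O23" and "Unknown owner" in body:
            t.unknown_owner_services.append(body)
    return t


def report(t):
    """Human-readable summary; returns the lines so callers can inspect them."""
    lines = [f"entries by type: {dict(sorted(t.counts.items()))}"]
    lines.append(f"{len(t.file_missing)} entries point at a missing file:")
    lines += ["  " + e for e in t.file_missing]
    lines.append("O16 DPF downloads by host:")
    lines += [f"  {h}: {', '.join(c)}" for h, c in sorted(t.dpf_by_host.items())]
    lines.append("O23 services with unknown owner:")
    lines += ["  " + s for s in t.unknown_owner_services]
    for ns in t.nameservers:
        tag = "LAN (likely router)" if is_rfc1918(ns) else "PUBLIC - verify"
        lines.append(f"O17 NameServer {ns}: {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a full log pasted in place of SAMPLE_LOG; entries with a missing target are usually safe to have HijackThis fix, while O16 hosts and unknown-owner services need a lookup before deciding.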

#5 Simon V. (MRU Emeritus, Authentic Member, 897 posts)

Posted 30 December 2007 - 05:09 AM

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

BitTornado 0.3.7
BitTorrent complete dir 1.1
eMule


Step 1

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

Note: You seem to have a lot of Poker programs installed. A lot of these programs bring malware onto your computer and I strongly suggest you remove them.

32Red Casino
bet365casino
BetDirect Casino
Betfred Casino
Blackjack Wager Tracker
bwin Casino
Dash Casino
Imperial Casino (Remove Only)
InterCasino
InterCasino £££
J2SE Runtime Environment 5.0 Update 1
Jackpots In A Flash
Java™ 6 Update 2
Ladbrokes Casino
Learn2 Player (Uninstall Only)
Littlewoods Casino
Mummys Gold Casino
Omni Casino
Piggs Peak Casino
Playboy Casino GBP
Red Lounge Casino
River Belle Online Casino
Ruby Fortune Casino
Spin Palace Casino
SportingOdds Casino
Trident Lounge Casino
VIP Casino
Then download and install Java Runtime Environment (JRE) 6 Update 3.

Step 2

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky; click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 3

In your next reply, please post:

  • the Kaspersky Online Scan report
  • a new HijackThis log


#6 cmanutd99 (Authentic Member, 28 posts)

Posted 30 December 2007 - 09:54 AM

Hi,

I will seriously consider removing my peer-to-peer apps and some of my casino apps. In the meantime I have done the other things you suggested and the results are below:


Kaspersky Online Scan report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 30, 2007 3:45:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500302
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\
L:\
M:\

Scan Statistics:
Total number of scanned objects: 308935
Number of viruses found: 1
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:50:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0237\0192\values Object is locked skipped
C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012007123020071231\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DF58BE.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DF891D.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DF8A72.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFBBD6.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\~DFBBE1.tmp Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\YI3UA15B\altea[1].swf Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\Program Files\KService\data\error.log Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\qoobox\Quarantine\catchme2007-12-30_ 93206.15.zip/wvuuvuv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxg skipped
C:\qoobox\Quarantine\catchme2007-12-30_ 93206.15.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP671\A0101070.exe Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP674\A0102314.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102353.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102452.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102453.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102454.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102455.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102456.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102457.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102458.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102459.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102460.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102461.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102462.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102463.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102464.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102465.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102466.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102467.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102468.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102469.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP675\A0102471.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102492.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102494.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102528.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102589.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102590.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102591.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102592.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102593.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102594.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102595.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102596.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP676\A0102597.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102697.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102698.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102699.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102700.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102701.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102702.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102703.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102704.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102705.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102706.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102707.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102712.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102713.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102714.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102715.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102716.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102717.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102718.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102719.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102720.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102770.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102791.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102792.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102793.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102794.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102795.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP678\A0102796.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP680\A0102812.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP680\A0102813.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP680\A0102814.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP680\A0102836.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP680\A0102848.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP680\A0102851.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxg skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP682\A0104010.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104551.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104552.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104553.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104554.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104555.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104556.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104557.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104558.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104559.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104560.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104561.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104562.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104563.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104564.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104565.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104566.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104567.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104568.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104569.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104570.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104571.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104572.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104573.dll Object is locked skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP683\A0104577.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxg skipped
C:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP685\change.log Object is locked skipped
C:\VundoFix Backups\fccawww.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.bxg skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B5CD121F-D197-4943-91FB-48C14AB76C9A}\RP671\A0101071.exe Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\Casino Profit.xls Object is locked skipped
J:\Casinos.xls Object is locked skipped

Scan process completed.



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:03, on 30/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KService\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Chris\My Documents\Virus Removal\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino £££ - {03588886-5C50-4645-BD5D-F105F84417DE} - C:\Documents and Settings\Chris\Desktop\InterCasino £££.lnk (file missing) (HKCU)
O9 - Extra button: Parbet Casino USD - {2B7CD833-1F24-4FA4-BB28-0E2EE80051E8} - C:\Documents and Settings\Chris\Desktop\Parbet Casino USD.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Parbet Casino USD - {2B7CD833-1F24-4FA4-BB28-0E2EE80051E8} - C:\Documents and Settings\Chris\Desktop\Parbet Casino USD.lnk (file missing) (HKCU)
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Chris\Desktop\InterCasino $$$.lnk (file missing) (HKCU)
O9 - Extra button: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Littlewoods Casino - {BAA37C20-5000-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Littlewoods Casino.lnk (file missing) (HKCU)
O9 - Extra button: Playboy Casino GBP - {C8B54920-5DFB-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Playboy Casino GBP.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino GBP - {C8B54920-5DFB-11DB-B0DE-0800200C9A66} - C:\Documents and Settings\Chris\Desktop\Playboy Casino GBP.lnk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.c...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport...ortlauncher.cab
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh....elper/Nyoko.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107963243203
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyc...fsloader_v3.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.mic...gas/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC32987-74D4-4656-8881-09328C262BF7}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13512 bytes


Thanks!!

#7 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 30 December 2007 - 02:47 PM

Hi :)

Step 1

Open HijackThis, perform a scan and put a check next to the following items (if present):

O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.c...redlauncher.cab
O16 - DPF: {32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE} (TSLauncher Class) - http://www.totesport...ortlauncher.cab
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh....elper/Nyoko.cab
O16 - DPF: {7565A160-5C60-4866-A120-F4D5B2BA3AAE} (FSLoaderCtrl Class) - http://www.clickedyc...fsloader_v3.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.mic...gas/FlashAX.cab


Close all programs except HijackThis and click on Fix checked.

Step 2

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

  • This will uninstall Combofix.

In your next reply, please let me know how your computer is currently running.

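The fix list above is a set of HijackThis entries picked out by section code and CLSID. As an added example (not a tool from this thread or from the HijackThis authors), here is a small parser for that log format that groups the lines the way a helper reads them: references to files that no longer exist, every ActiveX control the browser was told to download (O16), and services whose publisher could not be identified (O23), plus a lookup by CLSID to match a fix list like the one above. The sample lines are copied from the log posted in this thread; the forum software has shortened their URLs with "...", and they are kept exactly as shown.

```python
r"""Parse HijackThis 2.x log lines into structured entries for triage.

Added example, not code from this thread. SAMPLE_LOG is a constructed
subset of the log posted above; the URLs are shortened by the forum
exactly as they appear there and are kept verbatim.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Chris\Desktop\WH GBP Casino.lnk (file missing)
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.c...redlauncher.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
"""

# "O16 - ..." / "R0 - ..." / "F2 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str             # HijackThis section code, e.g. O4, O16, O23
    body: str             # everything after "Onn - "
    clsid: Optional[str]  # first CLSID on the line, upper-cased, if any
    url: Optional[str]    # download URL for O16 (DPF) entries, if any
    file_missing: bool    # HijackThis could not find the referenced file


def parse_hjt(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry objects.
    Header lines, the running-process list and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            url=url.group(0) if url else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries the way a helper reads a log: orphaned references first,
    then every ActiveX download (O16), then services with no known publisher."""
    return {
        "orphans": [e for e in entries if e.file_missing],
        "dpf": [e for e in entries if e.code == "O16"],
        "unknown_owner_services": [
            e for e in entries if e.code == "O23" and "Unknown owner" in e.body
        ],
    }


def select_by_clsid(entries: List[Entry], clsids) -> List[Entry]:
    """Return the entries matching a fix list given by CLSID, in log order."""
    wanted = {c.upper() for c in clsids}
    return [e for e in entries if e.clsid in wanted]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for group, items in triage(parsed).items():
        print(f"{group}: {len(items)}")
        for e in items:
            print(f"  {e.code} {e.clsid or ''} {e.url or ''}".rstrip())
```

Run it against a full log and the O16 group is exactly the list a helper scans for download sites that have no business installing controls; `select_by_clsid` confirms that each CLSID in a fix list is actually present before the user is told to check it.
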
#8 cmanutd99

cmanutd99

    Authentic Member

  • Authentic Member
  • 28 posts

Posted 31 December 2007 - 06:02 AM

Hi Simon, my PC seems to be running fine now. I have had no infections pop up, and a scan with my AVG and Spyware Doctor shows no infections, so it looks like I am clean! Many thanks for your help with this, I really appreciate it! Chris.

#9 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 31 December 2007 - 07:03 AM

Hi :)

I'm glad to hear everything is running fine now. Here are some tips to stay clean in the future:

Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

Step 1: Turn off System Restore:

  • On the desktop, right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Check Turn off System Restore
  • Click Apply, and then click OK

Step 2: Reboot your computer.

Step 3: Turn on System Restore:

  • On the desktop, right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Uncheck Turn off System Restore
  • Click Apply, and then click OK

Note: Only do this once, NOT on a regular basis!

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti-Virus Software - It is very important that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).

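The Internet Explorer hardening steps above are clicked through in the Custom Level dialog, which makes them hard to verify across several machines. As an added example (not part of the original post), the script below expresses the same six settings as registry values and reports every one that is weaker than recommended. The mapping from the dialog labels to the numeric value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, and the 0/1/3 meaning Enable/Prompt/Disable, are taken from my reading of Microsoft's documented URL-action values and are an assumption to verify on your own system; CURRENT_ZONE is a constructed sample of a permissive zone, not data read from the machine in this thread.

```python
r"""Audit Internet Explorer's Internet-zone settings against the recommendations above.

Added example, not code from this post. Value names under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
are an assumption from Microsoft's documented URL-action IDs; verify them.
CURRENT_ZONE is a constructed sample, not a reading from a real machine.
"""
import sys
from typing import Dict, List, Tuple

# The three values IE stores for a zone action; higher means more restrictive.
ENABLE, PROMPT, DISABLE = 0, 1, 3
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Dialog label -> (registry value name, recommended value), following the post above.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialise and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}

# Constructed sample of a zone left at a permissive configuration.
CURRENT_ZONE: Dict[str, int] = {
    "1001": ENABLE, "1004": DISABLE, "1201": PROMPT,
    "1800": ENABLE, "1804": ENABLE, "1607": ENABLE,
}


def read_internet_zone() -> Dict[str, int]:
    """On Windows, read the live values for the current user; elsewhere
    return the constructed sample so the audit can be run anywhere."""
    if sys.platform != "win32":
        return dict(CURRENT_ZONE)
    import winreg  # standard library, Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for _label, (name, _rec) in RECOMMENDED.items():
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: reported as "not set" by audit()
    return values


def audit(current: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (label, current, recommended) for every setting that is less
    restrictive than recommended or not set at all. Because 0 < 1 < 3 orders
    Enable < Prompt < Disable, a setting stricter than recommended is fine."""
    findings = []
    for label, (name, rec) in RECOMMENDED.items():
        cur = current.get(name)
        if cur is None or cur < rec:
            findings.append((label, NAMES.get(cur, "not set"), NAMES[rec]))
    return findings


if __name__ == "__main__":
    for label, cur, rec in audit(read_internet_zone()):
        print(f"{label}: {cur} -> should be {rec}")
```

Only the Internet zone (key 3) is checked, matching the post; the same audit applies to the other zone keys under the same path if you change the key number, and a zone set stricter than the post recommends is deliberately not reported.
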
#10 cmanutd99

cmanutd99

    Authentic Member

  • Authentic Member
  • 28 posts

Posted 31 December 2007 - 08:47 AM

Hi, many thanks for all your help & advice! Chris.

#11 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • 897 posts

Posted 31 December 2007 - 08:51 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
