
[Resolved] re:closed thread hijack/vundo/combo/sd logs inside


This topic is locked.
10 replies to this topic

#1 s.lang
New Member, 6 posts

Posted 30 December 2007 - 05:15 PM

This is in response to a previously closed thread from around Nov 30th. I attend college so I posted here and left the instructions for my mom/sister to complete on their computer. However, they were unable to figure them out so here I am again :D
Here are the logs that I was earlier instructed to post. A big thank you in advance.
ComboFix 07-12-30.3 - Kids 2007-12-30 15:13:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.681 [GMT -6:00]
Running from: C:\Documents and Settings\Kids\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data.\hmjyruny.dll
C:\Documents and Settings\All Users\Application Data.\ihavopkp.dll
C:\Documents and Settings\All Users\Application Data.\jcvavefk.dll
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\vmdsvkxs.dll
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Dad\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Dad\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Dad\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\Dad\Application Data\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\Dad\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\Dad\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\Dad\Application Data\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\Dad\err.log
C:\Documents and Settings\Dad\ResErrors.log
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Kids\Application Data\APPATC~1
C:\Documents and Settings\Kids\Application Data\DOBE~1
C:\Documents and Settings\Kids\Application Data\DOBE~2
C:\Documents and Settings\Kids\Application Data\ICROSO~1
C:\Documents and Settings\Kids\Application Data\SpyGuardPro
C:\Documents and Settings\Kids\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Kids\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Kids\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Kids\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Kids\Application Data\SSTEM3~1
C:\Documents and Settings\Kids\err.log
C:\Documents and Settings\Kids\Favorites\.url
C:\Documents and Settings\Kids\My Documents\ASKS~1
C:\Documents and Settings\Kids\My Documents\MCROSO~1
C:\Documents and Settings\Kids\My Documents\SMBOLS~1
C:\Documents and Settings\Kids\My Documents\SMBOLS~1\?pool32.exe
C:\Documents and Settings\Kids\My Documents\STEM~1
C:\Documents and Settings\Kids\My Documents\WNSXS~1
C:\Documents and Settings\Kids\My Documents\WNSXS~1\c?rss.exe
C:\Documents and Settings\Kids\ResErrors.log
C:\Documents and Settings\Kids\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kids\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Kids\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Kids\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Mom\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\install.exe
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\prohdyx.html
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\curity~1
C:\Program Files\curity~1\n?pdb.exe
C:\Program Files\Esqpooli
C:\Program Files\Esqpooli\uyiwwtbe.dll
C:\Program Files\Lnoiwmcn
C:\Program Files\Lnoiwmcn\wfrxvpxf.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\qtyvwneh
C:\Program Files\qtyvwneh\mruvmhwn.dll
C:\Program Files\racle~1
C:\Program Files\sstem~1
C:\Program Files\TBONAS
C:\Program Files\TBONAS\bestoffers_icon_01.ico
C:\Program Files\TBONAS\center_wnd.htm
C:\Program Files\TBONAS\comp.htm
C:\Program Files\TBONAS\grb12.rtk
C:\Program Files\TBONAS\TBONcomp.dll
C:\Program Files\Zbnhrqxd
C:\Program Files\Zbnhrqxd\tbogtksk.dll
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\UGA6P
C:\WINDOWS\avp.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\df87173.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N99M2908NetInstaller.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\mcroso~1
C:\WINDOWS\racle~1
C:\WINDOWS\S2lkcw\
C:\WINDOWS\S2lkcw\\mZ54wT.vbs
C:\WINDOWS\stem~1
C:\WINDOWS\system32\acnhfkgo.dll
C:\WINDOWS\system32\aeapdyqa.dll
C:\WINDOWS\system32\arsoqvbc.exe
C:\WINDOWS\system32\athshjii.exe
C:\WINDOWS\SYSTEM32\ayadd.bak1
C:\WINDOWS\SYSTEM32\ayadd.bak2
C:\WINDOWS\SYSTEM32\ayadd.ini
C:\WINDOWS\SYSTEM32\ayadd.ini2
C:\WINDOWS\SYSTEM32\ayadd.tmp
C:\WINDOWS\system32\bhvhytsu.exe
C:\WINDOWS\system32\bnvppljm.dll
C:\WINDOWS\system32\bpfmqobg.exe
C:\WINDOWS\system32\brjjlqyi.exe
C:\WINDOWS\system32\bwpgupao.exe
C:\WINDOWS\system32\bwrkirvo.exe
C:\WINDOWS\system32\bwujtyew.dll
C:\WINDOWS\system32\clivqseh.exe
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\curity~1\??curity\
C:\WINDOWS\system32\curity~1\chkdsk.exe
C:\WINDOWS\system32\dbreaviw.exe
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\dewppmtt.dll
C:\WINDOWS\system32\didaxgoc.exe
C:\WINDOWS\system32\dlwartvm.exe
C:\WINDOWS\system32\dniymatp.dll
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\dvnnmbuk.exe
C:\WINDOWS\system32\ebmpbmqk.dll
C:\WINDOWS\system32\ebnlvoyj.dll
C:\WINDOWS\SYSTEM32\eiyqjiao.ini
C:\WINDOWS\system32\emjgqtlk.dll
C:\WINDOWS\system32\enomionx.dll
C:\WINDOWS\SYSTEM32\eohjxfqe.ini
C:\WINDOWS\system32\eqeobjre.dll
C:\WINDOWS\system32\eqfxjhoe.dll
C:\WINDOWS\SYSTEM32\erjboeqe.ini
C:\WINDOWS\system32\eyvwdoqu.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fccbxxw.dll
C:\WINDOWS\system32\fccccyv.dll
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\SYSTEM32\foyxtupn.ini
C:\WINDOWS\system32\ftevcfsf.exe
C:\WINDOWS\SYSTEM32\gjtyeaqm.ini
C:\WINDOWS\system32\gmwskqqm.dll
C:\WINDOWS\system32\gqgqvgiw.dll
C:\WINDOWS\SYSTEM32\harxeedm.ini
C:\WINDOWS\SYSTEM32\hauahnsv.ini
C:\WINDOWS\SYSTEM32\hcmpfwtb.ini
C:\WINDOWS\system32\hmiuvgvo.dll
C:\WINDOWS\system32\hptkyyty.exe
C:\WINDOWS\system32\hudppfxn.dll
C:\WINDOWS\system32\hussncrm.dll
C:\WINDOWS\system32\iifcaxw.dll
C:\WINDOWS\SYSTEM32\ipltthyl.ini
C:\WINDOWS\SYSTEM32\ivbwabia.ini
C:\WINDOWS\system32\jbegntaq.dll
C:\WINDOWS\SYSTEM32\jegxksxp.ini
C:\WINDOWS\system32\jhedlsyw.exe
C:\WINDOWS\system32\jisltdnx.dll
C:\WINDOWS\system32\jqjvwfct.exe
C:\WINDOWS\SYSTEM32\jrrsqwvv.ini
C:\WINDOWS\system32\juiwfkbp.exe
C:\WINDOWS\system32\jujgbjso.dll
C:\WINDOWS\system32\jwydacvf.exe
C:\WINDOWS\system32\kdpdpjju.exe
C:\WINDOWS\system32\kernel32.exe
C:\WINDOWS\system32\kjdcamkv.exe
C:\WINDOWS\SYSTEM32\knkdcony.ini
C:\WINDOWS\system32\kqlglbrt.exe
C:\WINDOWS\system32\krvlodxk.exe
C:\WINDOWS\system32\laggmyqh.dll
C:\WINDOWS\system32\lcqgkhtg.exe
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lmowrndt.dll
C:\WINDOWS\system32\lmtoboyl.exe
C:\WINDOWS\system32\lyhttlpi.dll
C:\WINDOWS\system32\makpfkph.dll
C:\WINDOWS\system32\maucxfob.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mdadrpvl.ini
C:\WINDOWS\system32\mdeexrah.dll
C:\WINDOWS\system32\mdhrogvu.dll
C:\WINDOWS\system32\mfdfwroy.exe
C:\WINDOWS\system32\mltkrulc.dll
C:\WINDOWS\system32\moxtccyn.dll
C:\WINDOWS\system32\ndjqwsdy.dll
C:\WINDOWS\system32\ngwgdsyl.dll
C:\WINDOWS\system32\njptlrlw.dll
C:\WINDOWS\system32\nmoeeyoa.exe
C:\WINDOWS\system32\nputxyof.dll
C:\WINDOWS\system32\nrmhcxyq.exe
C:\WINDOWS\system32\nypgavrx.exe
C:\WINDOWS\system32\occcvkvv.dll
C:\WINDOWS\system32\ohwdrgdp.dll
C:\WINDOWS\SYSTEM32\olxlorys.ini
C:\WINDOWS\system32\ooauorag.exe
C:\WINDOWS\system32\oohptgkh.exe
C:\WINDOWS\system32\oyxojfpf.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pevqxbhk.dll
C:\WINDOWS\system32\pfkaapjg.exe
C:\WINDOWS\SYSTEM32\phfliyoy.ini
C:\WINDOWS\system32\pmnklml.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\ptuymanr.dll
C:\WINDOWS\system32\qfqfycgh.dll
C:\WINDOWS\SYSTEM32\qmkpmqgt.ini
C:\WINDOWS\SYSTEM32\qrgxbmwf.ini
C:\WINDOWS\SYSTEM32\qybwrnjk.ini
C:\WINDOWS\system32\rdlsedxo.dll
C:\WINDOWS\system32\rimxlhbu.exe
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rngfwblt.exe
C:\WINDOWS\system32\rqrpnmk.dll
C:\WINDOWS\SYSTEM32\rrbrnrbc.ini
C:\WINDOWS\system32\RunOnce3.t__
C:\WINDOWS\system32\RunOnce3.tmp
C:\WINDOWS\system32\sjltchhx.exe
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\solmxesa.dll
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\swxaullc.dll
C:\WINDOWS\system32\tchaixsu.dll
C:\WINDOWS\system32\tcpconn.exe
C:\WINDOWS\SYSTEM32\tdnrwoml.ini
C:\WINDOWS\SYSTEM32\teocpbvq.ini
C:\WINDOWS\system32\tibasrgo.dll
C:\WINDOWS\system32\tjsxvnth.exe
C:\WINDOWS\system32\tjwxwmw.dll
C:\WINDOWS\system32\tmp_03.exe
C:\WINDOWS\SYSTEM32\topfrxqg.ini
C:\WINDOWS\system32\tuvurom.dll
C:\WINDOWS\system32\uaneqdpu.dll
C:\WINDOWS\system32\uffyoelq.exe
C:\WINDOWS\system32\update118.exe
C:\WINDOWS\system32\update125.exe
C:\WINDOWS\SYSTEM32\usxiahct.ini
C:\WINDOWS\SYSTEM32\utstv.bak1
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\SYSTEM32\vliocrta.ini
C:\WINDOWS\system32\vsbmugxo.dll
C:\WINDOWS\system32\vtjuwmoy.dll
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vtutrpo.dll
C:\WINDOWS\system32\vytveejf.exe
C:\WINDOWS\system32\wbwavqey.exe
C:\WINDOWS\SYSTEM32\wigvqgqg.ini
C:\WINDOWS\system32\win_6x0.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wintsvsu32.exe
C:\WINDOWS\system32\witnpncr.dll
C:\WINDOWS\SYSTEM32\wlrltpjn.ini
C:\WINDOWS\system32\wsxrbhpv.dll
C:\WINDOWS\SYSTEM32\wtwevjoj.ini
C:\WINDOWS\system32\wuebhvsx.dll
C:\WINDOWS\system32\wvkioabg.exe
C:\WINDOWS\system32\wvurpop.dll
C:\WINDOWS\system32\wxiabvyr.exe
C:\WINDOWS\system32\xasxxnoo.exe
C:\WINDOWS\SYSTEM32\xnoimone.ini
C:\WINDOWS\system32\xppuojch.dll
C:\WINDOWS\system32\yayyawt.dll
C:\WINDOWS\SYSTEM32\ybxwnuxy.ini
C:\WINDOWS\system32\yemfvanj.exe
C:\WINDOWS\system32\ylfoykjq.exe
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ypfgkemn.dll
C:\WINDOWS\system32\yrsixdeo.dll
C:\WINDOWS\system32\zcksjni.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_APIMON
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 14:22 . 2007-12-30 14:22 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\U3
2007-12-30 14:21 . 2007-12-30 14:21 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\Downloaded Installations
2007-12-28 19:07 . 2007-12-30 13:37 1,957,306 --ahs---- C:\WINDOWS\SYSTEM32\hedbvqcf.ini
2007-12-28 12:28 . 2007-12-28 19:01 1,960,903 --ahs---- C:\WINDOWS\SYSTEM32\bfikrole.ini
2007-12-27 16:05 . 2007-12-28 12:25 1,962,496 --ahs---- C:\WINDOWS\SYSTEM32\qdcjecsb.ini
2007-12-20 22:20 . 2007-12-27 16:05 1,965,090 --ahs---- C:\WINDOWS\SYSTEM32\ximgmxuw.ini
2007-12-20 06:43 . 2007-12-20 22:13 1,672,434 --ahs---- C:\WINDOWS\SYSTEM32\ylidfnwh.ini
2007-12-19 06:43 . 2007-12-20 13:53 1,663,902 --ahs---- C:\WINDOWS\SYSTEM32\kvludivx.ini
2007-12-18 06:40 . 2007-12-19 06:40 1,544,929 --ahs---- C:\WINDOWS\SYSTEM32\gjonrfck.ini
2007-12-17 11:13 . 2007-12-18 06:31 1,526,923 --ahs---- C:\WINDOWS\SYSTEM32\aabeynod.ini
2007-12-16 11:10 . 2007-12-17 11:11 1,528,558 --ahs---- C:\WINDOWS\SYSTEM32\chjpvbdb.ini
2007-12-15 11:10 . 2007-12-17 16:34 1,601,831 --ahs---- C:\WINDOWS\SYSTEM32\rgfknelu.ini
2007-12-15 08:47 . 2007-12-15 11:04 1,555,692 --ahs---- C:\WINDOWS\SYSTEM32\iwlxvyep.ini
2007-12-15 07:51 . 2007-12-15 08:41 1,595,819 --ahs---- C:\WINDOWS\SYSTEM32\sawlcetv.ini
2007-12-14 07:54 . 2007-12-14 07:55 1,566,441 --ahs---- C:\WINDOWS\SYSTEM32\mspnqsuu.ini
2007-12-13 18:19 . 2007-12-14 07:46 1,587,419 --ahs---- C:\WINDOWS\SYSTEM32\nxabciyb.ini
2007-11-29 18:10 . 2007-11-29 15:42 834 --ahs---- C:\WINDOWS\SYSTEM32\tjidbhrt.ini
2007-11-29 15:41 . 2007-11-29 15:42 834 --ahs---- C:\WINDOWS\SYSTEM32\tjidbhrt.tmp
2007-11-28 15:47 . 2007-11-29 03:56 1,967,575 --ahs---- C:\WINDOWS\SYSTEM32\xppntnvj.ini
2007-11-27 15:41 . 2007-11-28 15:47 2,001,066 --ahs---- C:\WINDOWS\SYSTEM32\fcntsqec.ini
2007-11-27 15:32 . 2007-11-27 15:32 0 --a------ C:\WINDOWS\SYSTEM32\poobcpdd.tmp
2007-11-26 11:13 . 2007-11-26 11:13 4,286 --a------ C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
2007-11-26 11:02 . 2007-11-27 15:32 2,066,501 --ahs---- C:\WINDOWS\SYSTEM32\poobcpdd.ini
2007-11-24 03:00 . 2007-12-30 14:20 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-23 06:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-23 06:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-11-23 06:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-22 18:22 . 2007-12-30 14:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-22 18:21 . 2007-11-22 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-18 23:24 . 2007-11-18 23:24 20,480 --a------ C:\WINDOWS\quit.exe
2007-11-18 21:18 . 2007-11-18 21:18 <DIR> d-------- C:\Program Files\E404DHelper
2007-11-18 21:18 . 2007-11-18 21:21 <DIR> d-------- C:\Program Files\Cool
2007-11-18 21:18 . 2007-11-18 21:18 115 --a------ C:\mit.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 20:44 --------- d-----w C:\Program Files\Warcraft III
2007-12-30 20:21 --------- d-----w C:\Program Files\Common Files\zuzk
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-14 15:42 246 ----a-w C:\Program Files\Common Files\laxuk
2007-10-05 15:00 16,896 ----a-w C:\Documents and Settings\Kids\wn10077.exe
2007-10-05 15:00 1,577 ----a-w C:\Documents and Settings\Kids\xl10077.exe
2007-10-05 12:21 246 ----a-w C:\Program Files\Common Files\laxuk475
2007-09-20 16:49 246 ----a-w C:\Program Files\Common Files\laxuk437
2007-07-17 18:46 6,365 --sha-w C:\WINDOWS\SYSTEM32\mlnmp.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2007-11-29 18:10 1266936]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 09:29 50736]
"Bkrlduz"="C:\Program Files\Common Files\F?nts\j?vaw.exe" [ ]
"Ccc"="C:\Documents and Settings\Kids\My Documents\M?crosoft\?srss.exe" [ ]
"Ljhgo"="C:\Documents and Settings\Kids\My Documents\s?mbols\?pool32.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"Ncao"="C:\WINDOWS\system32\CURITY~1\chkdsk.exe" [ ]
"Wxtvbzi"="C:\Documents and Settings\Kids\My Documents\W?nSxS\c?rss.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkljki]
jkkljki.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]
winzzd32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-05-25 21:35 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 00:04 122933 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 10:43 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotyger]
C:\Program Files\Internet Explorer\hotyger22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 11:16 135168 --a------ C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-03 19:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-07-31 17:44 271672 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5LP_0001_0715]
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 19:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 16:48 32881 --a------ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAVX]
C:\WINDOWS\system32\WinAvXX.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 21:00:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 21:24:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 15:21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 15:25:51 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 21:25:43
.
2007-12-28 09:00:40 --- E O F ---

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 3:29:46 PM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\atjakylb.exe
C:\WINDOWS\SYSTEM32\awdkabgl.exe
C:\WINDOWS\SYSTEM32\fmqfwewb.exe
C:\WINDOWS\SYSTEM32\fveefdyl.exe
C:\WINDOWS\SYSTEM32\lvoedplp.exe
C:\WINDOWS\SYSTEM32\pfooglac.exe
C:\WINDOWS\SYSTEM32\pyhxedys.exe
C:\WINDOWS\SYSTEM32\sowcavyc.exe
C:\WINDOWS\SYSTEM32\upecqpoj.exe
C:\WINDOWS\SYSTEM32\wnfgqmpf.exe

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\atjakylb.exe
C:\WINDOWS\SYSTEM32\atjakylb.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\awdkabgl.exe
C:\WINDOWS\SYSTEM32\awdkabgl.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fmqfwewb.exe
C:\WINDOWS\SYSTEM32\fmqfwewb.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fveefdyl.exe
C:\WINDOWS\SYSTEM32\fveefdyl.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\lvoedplp.exe
C:\WINDOWS\SYSTEM32\lvoedplp.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\pfooglac.exe
C:\WINDOWS\SYSTEM32\pfooglac.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\pyhxedys.exe
C:\WINDOWS\SYSTEM32\pyhxedys.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sowcavyc.exe
C:\WINDOWS\SYSTEM32\sowcavyc.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\upecqpoj.exe
C:\WINDOWS\SYSTEM32\upecqpoj.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wnfgqmpf.exe
C:\WINDOWS\SYSTEM32\wnfgqmpf.exe Has been deleted!

Performing Repairs to the registry.
Done!

SDFix: Version 1.120

Run by Kids on Sun 12/30/2007 at 04:14 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\2F6.TMP - Deleted
C:\2F7.TMP - Deleted
C:\2F8.TMP - Deleted
C:\2F9.TMP - Deleted
C:\PROGRA~1\COMMON~1\LAXUK - Deleted
C:\PROGRA~1\COMMON~1\LAXUK437 - Deleted
C:\PROGRA~1\COMMON~1\LAXUK475 - Deleted
C:\Program Files\E404DHelper\e404d.v1.dll - Deleted
C:\WINDOWS\tcb.pmw - Deleted



Folder C:\Program Files\E404DHelper - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 16:20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 12 Dec 2007 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Tue 17 Jul 2007 6,365 A.SH. --- "C:\WINDOWS\SYSTEM32\mlnmp.bak1"
Thu 29 Nov 2007 834 A.SH. --- "C:\WINDOWS\SYSTEM32\tjidbhrt.tmp"
Sat 15 Oct 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 14 Apr 2005 76,056 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 14 Apr 2005 5,632 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sun 15 Jul 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP816\A0177801.exe"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP816\A0177802.exe"
Tue 17 Jul 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP819\A0178928.exe"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP819\A0178929.exe"
Wed 20 Jun 2007 229,888 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP822\A0182025.exe"
Tue 17 Jul 2007 72,704 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP822\A0182027.exe"
Tue 12 Dec 1989 246,352 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP822\A0182057.exe"
Tue 17 Jul 2007 32,177 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP822\A0182081.exe"
Sun 5 Aug 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP840\A0184541.exe"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP840\A0184542.exe"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP873\A0188759.exe"
Sun 9 Sep 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP873\A0188761.exe"
Mon 10 Sep 2007 40,183 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP881\A0196815.exe"
Fri 29 Jun 2007 146,944 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP881\A0196816.exe"
Tue 28 Aug 2007 32,177 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP882\A0196855.exe"
Sun 18 Nov 2007 41,723 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP913\A0204693.exe"
Fri 21 Sep 2007 146,432 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP913\A0204694.exe"
Tue 22 May 2007 848 A.SH. --- "C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP934\A0209381.sys"
Thu 22 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6efcd3506d8bb09b521fd2ab4ee258bc\BITAF.tmp"
Thu 22 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b0bbf9bad2a96231d750c48395570f92\BITAE.tmp"
Thu 22 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c212d67be1f86f86c36e82bc3c8d87df\BITB0.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kids\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kids\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kids\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kids\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Mom\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Mom\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Mom\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Mom\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

Logfile of HijackThis v1.99.1
Scan saved at 4:39:48 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cool\X_cool.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kids\Desktop\Killer.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Bkrlduz] "C:\Program Files\Common Files\F?nts\j?vaw.exe"
O4 - HKCU\..\Run: [Ccc] "C:\Documents and Settings\Kids\My Documents\M?crosoft\?srss.exe"
O4 - HKCU\..\Run: [Ljhgo] "C:\Documents and Settings\Kids\My Documents\s?mbols\?pool32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\system32\CURITY~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Wxtvbzi] "C:\Documents and Settings\Kids\My Documents\W?nSxS\c?rss.exe"
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c15.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.hondapowe...eX/TegoLoad.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner....leanerstart.cab
O20 - Winlogon Notify: jkkljki - jkkljki.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)



#2 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 30 December 2007 - 08:17 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. You have 2 choices:

1. Format your system and reinstall all applications.
2. Proceed with cleaning your system.

In the event that you decide to not format your system, please complete the following procedures as soon as possible:


A. Please RUN HijackThis

B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\SYSTEM32\hedbvqcf.ini
C:\WINDOWS\SYSTEM32\bfikrole.ini
C:\WINDOWS\SYSTEM32\qdcjecsb.ini
C:\WINDOWS\SYSTEM32\ximgmxuw.ini
C:\WINDOWS\SYSTEM32\ylidfnwh.ini
C:\WINDOWS\SYSTEM32\kvludivx.ini
C:\WINDOWS\SYSTEM32\gjonrfck.ini
C:\WINDOWS\SYSTEM32\aabeynod.ini
C:\WINDOWS\SYSTEM32\chjpvbdb.ini
C:\WINDOWS\SYSTEM32\rgfknelu.ini
C:\WINDOWS\SYSTEM32\iwlxvyep.ini
C:\WINDOWS\SYSTEM32\sawlcetv.ini
C:\WINDOWS\SYSTEM32\mspnqsuu.ini
C:\WINDOWS\SYSTEM32\nxabciyb.ini
C:\WINDOWS\SYSTEM32\tjidbhrt.ini
C:\WINDOWS\SYSTEM32\tjidbhrt.tmp
C:\WINDOWS\SYSTEM32\xppntnvj.ini
C:\WINDOWS\SYSTEM32\fcntsqec.ini
C:\WINDOWS\SYSTEM32\poobcpdd.tmp
C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
C:\WINDOWS\SYSTEM32\poobcpdd.ini
C:\WINDOWS\SYSTEM32\mucltui.dll.mui
C:\mit.bat
C:\Documents and Settings\Kids\wn10077.exe
C:\Documents and Settings\Kids\xl10077.exe
C:\WINDOWS\SYSTEM32\mlnmp.bak1
C:\Windows\System32\append.dll

Folder::
C:\Program Files\E404DHelper
C:\Program Files\Cool
C:\Program Files\Common Files\zuzk
C:\Program Files\Common Files\laxuk
C:\Program Files\Common Files\laxuk475
C:\Program Files\Common Files\laxuk437

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=-
"Bkrlduz"=-
"Ccc"=-
"Ljhgo"=-
"Ncao"=-
"Wxtvbzi"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=-
"AllowUnhashedWebView"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkljki]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotyger]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWFX5LP_0001_0715]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAVX]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Note: Do not run HijackThis until you have completed the following steps:

You don't appear to be running any anti-virus software

Anti-virus software is a program that detects, cleans, and/or erases harmful virus files on a computer. Unchecked, virus files can unintentionally be forwarded to others, and thereby spread infection. Keeping your anti-virus updated is essential.

Please download free anti-virus software from one of these excellent vendors NOW:
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


You don't appear to have a software firewall running

It is important that you use a software firewall, to prevent unauthorized traffic both out of and into your computer.
If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
It is important to note that you should only have one firewall installed at a time.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


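As an added example (not code from this thread, from HijackThis or from ComboFix), here is a Python triage of the HijackThis log posted above that applies the reasoning behind the CFScript: it flags the five O4 Run values whose paths contain '?' look-alike characters or put a system binary's name outside its home folder, and the two Winlogon Notify DLLs reported as missing. The sample lines are copied from the log; the regular expressions and the table of expected folders are my own assumptions about a Windows XP layout.

```python
"""Triage a HijackThis v1.99 log for the autostart anomalies seen in this thread.
Added example; not part of the thread, of HijackThis or of ComboFix.  Checks:
  * '?' in a path: HijackThis 1.99 prints characters outside the ANSI code page
    as '?', and '?' is illegal in a Windows file name, so the entry is using a
    Unicode look-alike folder or file name (F?nts, M?crosoft, ?srss.exe ...)
  * a system binary's name launched from outside its home folder
  * an autorun launched from a user profile's data folders
  * a Winlogon Notify DLL that is missing on disk or given as a bare name
"""
import fnmatch
import ntpath
import re
from typing import List, Tuple

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Bkrlduz] "C:\Program Files\Common Files\F?nts\j?vaw.exe"
O4 - HKCU\..\Run: [Ccc] "C:\Documents and Settings\Kids\My Documents\M?crosoft\?srss.exe"
O4 - HKCU\..\Run: [Ljhgo] "C:\Documents and Settings\Kids\My Documents\s?mbols\?pool32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\system32\CURITY~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [Wxtvbzi] "C:\Documents and Settings\Kids\My Documents\W?nSxS\c?rss.exe"
O20 - Winlogon Notify: jkkljki - jkkljki.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# First quoted or unquoted token that ends in an executable extension.
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|bat|scr|com|pif))(?:"|\s|$)', re.I)
PROFILE_DATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(my documents|application data|local settings)\\", re.I)

SYSTEM32 = r"c:\windows\system32"
# Windows XP binaries that legitimately live in exactly one folder (assumed list).
# The entry's base name is used as an fnmatch pattern, so a '?' placeholder still matches.
EXPECTED_DIR = {
    "csrss.exe": SYSTEM32, "smss.exe": SYSTEM32, "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32, "winlogon.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "chkdsk.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}

Finding = Tuple[str, str]  # (autostart entry name, reason)


def check_run_entry(name: str, cmd: str) -> List[Finding]:
    """Apply the path checks to one O4 Run value."""
    m = PATH_RE.match(cmd.strip())
    if not m:
        return [(name, "could not parse a launch path from: " + cmd)]
    path = m.group("path")
    base, parent = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    findings: List[Finding] = []
    if "?" in path:
        findings.append((name, "non-ANSI look-alike characters in path: " + path))
    for sysname, home in EXPECTED_DIR.items():
        if fnmatch.fnmatchcase(sysname, base) and parent != home:
            findings.append((name, f"{sysname} look-alike outside {home}: {path}"))
    if PROFILE_DATA_RE.search(path):
        findings.append((name, "autorun launched from user profile data: " + path))
    return findings


def check_notify_entry(name: str, dll: str, missing: bool) -> List[Finding]:
    """Apply the checks to one O20 Winlogon Notify subkey."""
    findings: List[Finding] = []
    if missing:
        findings.append((name, "Winlogon Notify DLL is missing on disk: " + dll))
    if ntpath.dirname(dll) == "":
        findings.append((name, "Winlogon Notify DLL given as a bare name: " + dll))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Return every finding for the O4 and O20 lines of a HijackThis log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            findings.extend(check_run_entry(m.group("name"), m.group("cmd")))
        elif m := O20_RE.match(line):
            findings.extend(check_notify_entry(
                m.group("name"), m.group("dll"), m.group("missing") is not None))
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Distinct entry names with at least one finding, in log order."""
    names: List[str] = []
    for name, _ in triage(log_text):
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{entry}] {reason}")
```

The flagged Run values and Notify subkeys are exactly the ones the CFScript above deletes; the legitimate Steam, Adobe and Messenger entries produce no finding.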

#3 s.lang

s.lang

    New Member

  • New Member
  • 6 posts

Posted 31 December 2007 - 11:46 AM

Here is the combofix:
ComboFix 07-12-30.3 - Kids 2007-12-31 9:50:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.648 [GMT -6:00]
Running from: C:\Documents and Settings\Kids\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kids\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Kids\wn10077.exe
C:\Documents and Settings\Kids\xl10077.exe
C:\mit.bat
C:\WINDOWS\SYSTEM32\aabeynod.ini
C:\Windows\System32\append.dll
C:\WINDOWS\SYSTEM32\bfikrole.ini
C:\WINDOWS\SYSTEM32\chjpvbdb.ini
C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
C:\WINDOWS\SYSTEM32\fcntsqec.ini
C:\WINDOWS\SYSTEM32\gjonrfck.ini
C:\WINDOWS\SYSTEM32\hedbvqcf.ini
C:\WINDOWS\SYSTEM32\iwlxvyep.ini
C:\WINDOWS\SYSTEM32\kvludivx.ini
C:\WINDOWS\SYSTEM32\mlnmp.bak1
C:\WINDOWS\SYSTEM32\mspnqsuu.ini
C:\WINDOWS\SYSTEM32\mucltui.dll.mui
C:\WINDOWS\SYSTEM32\nxabciyb.ini
C:\WINDOWS\SYSTEM32\poobcpdd.ini
C:\WINDOWS\SYSTEM32\poobcpdd.tmp
C:\WINDOWS\SYSTEM32\qdcjecsb.ini
C:\WINDOWS\SYSTEM32\rgfknelu.ini
C:\WINDOWS\SYSTEM32\sawlcetv.ini
C:\WINDOWS\SYSTEM32\tjidbhrt.ini
C:\WINDOWS\SYSTEM32\tjidbhrt.tmp
C:\WINDOWS\SYSTEM32\ximgmxuw.ini
C:\WINDOWS\SYSTEM32\xppntnvj.ini
C:\WINDOWS\SYSTEM32\ylidfnwh.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kids\wn10077.exe
C:\Documents and Settings\Kids\xl10077.exe
C:\mit.bat
C:\Program Files\Common Files\zuzk
C:\Program Files\Common Files\zuzk\zuzka.lck
C:\Program Files\Common Files\zuzk\zuzkd\class-barrel
C:\Program Files\Common Files\zuzk\zuzkd\vocabulary
C:\Program Files\Common Files\zuzk\zuzkh
C:\Program Files\Common Files\zuzk\zuzkl.lck
C:\Program Files\Common Files\zuzk\zuzkm.lck
C:\Program Files\Cool
C:\Program Files\Cool\Cool.dll
C:\Program Files\Cool\Cool.dll.intermediate.manifest
C:\Program Files\Cool\cool.exe
C:\Program Files\Cool\cool.info
C:\Program Files\Cool\cool.original
C:\Program Files\Cool\info.dll
C:\Program Files\Cool\un_CoolSetup_15849.exe
C:\Program Files\Cool\un_CoolSetup_15849.txt
C:\Program Files\Cool\X_Cool.dll
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Cool\X_cool.log
C:\WINDOWS\SYSTEM32\aabeynod.ini
C:\WINDOWS\SYSTEM32\bfikrole.ini
C:\WINDOWS\SYSTEM32\chjpvbdb.ini
C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
C:\WINDOWS\SYSTEM32\fcntsqec.ini
C:\WINDOWS\SYSTEM32\gjonrfck.ini
C:\WINDOWS\SYSTEM32\hedbvqcf.ini
C:\WINDOWS\SYSTEM32\iwlxvyep.ini
C:\WINDOWS\SYSTEM32\kvludivx.ini
C:\WINDOWS\SYSTEM32\mlnmp.bak1
C:\WINDOWS\SYSTEM32\mspnqsuu.ini
C:\WINDOWS\SYSTEM32\mucltui.dll.mui
C:\WINDOWS\SYSTEM32\nxabciyb.ini
C:\WINDOWS\SYSTEM32\poobcpdd.ini
C:\WINDOWS\SYSTEM32\poobcpdd.tmp
C:\WINDOWS\SYSTEM32\qdcjecsb.ini
C:\WINDOWS\SYSTEM32\rgfknelu.ini
C:\WINDOWS\SYSTEM32\sawlcetv.ini
C:\WINDOWS\SYSTEM32\tjidbhrt.ini
C:\WINDOWS\SYSTEM32\tjidbhrt.tmp
C:\WINDOWS\SYSTEM32\ximgmxuw.ini
C:\WINDOWS\SYSTEM32\xppntnvj.ini
C:\WINDOWS\SYSTEM32\ylidfnwh.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-30 16:13 . 2007-12-30 16:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 15:29 . 2007-12-30 15:29 <DIR> d-------- C:\VundoFix Backups
2007-12-30 14:22 . 2007-12-30 14:22 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\U3
2007-12-30 14:21 . 2007-12-30 14:21 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\Downloaded Installations
2007-11-24 03:00 . 2007-12-30 14:20 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-23 06:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-23 06:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-11-22 18:22 . 2007-12-30 14:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-22 18:21 . 2007-11-22 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-18 23:24 . 2007-11-18 23:24 20,480 --a------ C:\WINDOWS\quit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 15:45 --------- d-----w C:\Program Files\Warcraft III
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-30_15.25.28.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-29 13:04:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-30 22:13:41 5,324,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-30 22:13:41 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-29 13:04:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-30 22:13:40 5,324,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-30 22:13:40 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2007-11-29 18:10 1266936]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 09:29 50736]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-05-25 21:35 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 00:04 122933 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 10:43 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 11:16 135168 --a------ C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-03 19:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-07-31 17:44 271672 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-11 19:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 16:48 32881 --a------ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 21:00:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-31 15:59:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 09:54:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 9:59:17 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 15:59:09
C:\qoobox\ComboFix2.txt 2007-12-30 21:25:51
.
2007-12-28 09:00:40 --- E O F ---

After an AntiVir scan..
Logfile of HijackThis v1.99.1
Scan saved at 11:45:01 AM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kids\Desktop\Killer.exe.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Cool - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Cool\cool.exe.vir
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.hondapowe...eX/TegoLoad.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Should I delete the files from the antivir quarantine?

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 31 December 2007 - 01:58 PM

A. Yes, please DELETE any files that may be in the Antivir quarantine.

B. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - Startup: Cool - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Cool\cool.exe.vir

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


C. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel > Add/Remove Programs, double-click on and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


D. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log


E. Finally, please let me know how things are now running. If all seems to be OK and the logs are clean give me the :thumbup: and we will proceed with the final cleanup procedures and recommendations.


Trevuren

#5 s.lang

s.lang

    New Member

  • New Member
  • 6 posts

Posted 01 January 2008 - 07:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:32:07 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Kids\Desktop\Killer.exe.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.hondapowe...eX/TegoLoad.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 01, 2008 6:37:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/01/2008
Kaspersky Anti-Virus database records: 501220
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 81285
Number of viruses found: 41
Number of infected objects: 182
Number of suspicious objects: 0
Duration of the scan process: 01:12:16

Infected Object Name / Virus Name / Last Action
C:\8EA.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\8EA.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\8EA.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\8EA.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d953eda3e26304d35e06e3f99844845b_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip/netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor7.zip/netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip/heur000.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip/heur002.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip/heur003.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip/PestTrap.exe Infected: not-a-virus:FraudTool.Win32.SpySheriff.g skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip/partnership.dll Infected: Trojan-Proxy.Win32.Xorpix.bt skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/svcproc.exe Infected: Trojan.Win32.Stervis.d skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/tsinstall_4_0_4_0_b4.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip/tsupdate_4_0_4_1_b3.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip/tsupdate_4_0_4_1_b3.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip/tsupdate_4_0_4_1_b3.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip/tsupdate_4_0_4_1_b3.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip/tsupdate_4_0_4_1_b3.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip/UnInstall.exe Infected: Trojan.Win32.Small.oa skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop1.zip/winpop.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop5.zip/UnInstall.exe Infected: Trojan.Win32.Small.oa skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop5.zip/winpop.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop5.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip/runtime2.sys Infected: Rootkit.Win32.Agent.jp skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinsoftwareWinAntiVirusPro7.zip/WAPChk.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinsoftwareWinAntiVirusPro7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Kids\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kids\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\history.dat Object is locked skipped
C:\Documents and Settings\Kids\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\key3.db Object is locked skipped
C:\Documents and Settings\Kids\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kids\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Kids\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-51fbd409.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-51fbd409.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-4c0629e6.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-4c0629e6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Kids\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Application Data\Mozilla\Firefox\Profiles\ubgjg8ig.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Kids\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kids\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kids\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\QooBox\Quarantine\C\Documents and Settings\Kids\My Documents\SMBOLS~1\ѕpool32.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\QooBox\Quarantine\C\Documents and Settings\Kids\My Documents\WNSXS~1\cѕrss.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\QooBox\Quarantine\C\Program Files\CURITY~1\nοpdb.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gg skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\TBONAS\TBONcomp.dll.vir Infected: not-a-virus:AdWare.Win32.ActivShopper.d skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aeapdyqa.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dewppmtt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dniymatp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ebnlvoyj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eyvwdoqu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fccbxxw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fccccyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.arf skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gmwskqqm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hudppfxn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mdhrogvu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mltkrulc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\moxtccyn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oyxojfpf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pevqxbhk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pmnklml.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qfqfycgh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rdlsedxo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqrpnmk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\swxaullc.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvurom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vsbmugxo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtjuwmoy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtutrpo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wsxrbhpv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wvurpop.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xppuojch.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yayyawt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zcksjni.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP816\A0177797.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP822\A0182025.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP822\A0182026.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP847\A0185485.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP871\A0188672.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP873\A0188681.exe Infected: Trojan.Win32.DNSChanger.abm skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP876\A0191661.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP876\A0192691.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP881\A0196806.exe Infected: Trojan.Win32.DNSChanger.abm skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP883\A0196891.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP892\A0196963.exe Infected: Trojan.Win32.DNSChanger.abm skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP892\A0196971.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP904\A0202075.exe/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP904\A0202075.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP905\A0202290.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP908\A0203434.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP913\A0204693.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP913\A0204693.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP922\A0207065.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP923\A0208037.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP933\A0209348.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP935\A0209462.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP942\A0212547.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP944\A0212585.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP945\A0213603.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP945\A0215604.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP945\A0216593.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP945\A0216593.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP945\A0216593.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216662.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216662.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216662.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216711.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216748.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216754.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216756.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216762.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216765.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216767.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216770.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216773.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216779.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0216789.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217034.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217037.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217040.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217044.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217046.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217055.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217058.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217067.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217517.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217517.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP947\A0217517.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217611.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217613.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217616.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217617.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217619.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217626.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217627.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217628.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arf skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217629.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217632.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217644.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217645.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217646.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217653.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217654.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217657.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217658.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217659.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217661.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217664.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217666.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217667.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217669.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217671.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217673.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217674.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217675.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217711.dll Infected: not-a-virus:AdWare.Win32.ActivShopper.d skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217713.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217713.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217713.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217922.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217922.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP949\A0217922.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP958\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWFX5LP_0001_0715NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\WINDOWS\Internet Logs\DD035D51.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\pjsswtttp.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.bd skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071230-141349.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\ZLT05f4d.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT05f50.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

The computer itself is running faster and I have not had any problems with popups or aggressive programs

#6 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 01 January 2008 - 08:03 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\8EA.tmp
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinsoftwareWinAntiVirusPro7.zip
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-51fbd409.zip
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-4c0629e6.zip
C:\WINDOWS\pjsswtttp.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071230-141349.backup

Folder::
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\WINDOWS\Downloaded Program Files\CONFLICT.6
C:\WINDOWS\Downloaded Program Files\CONFLICT.7
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\CONFLICT.9
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image
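The Kaspersky scan above flagged C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071230-141349.backup as Trojan.Win32.Qhost.mg, and the CFScript in this post deletes it. A Qhost-family detection means a tampered hosts file: because the hosts file is consulted before DNS, an entry can silently send a site's hostname to an address of the attacker's choosing, or pin a security vendor's update host to 127.0.0.1 so the protection on the machine can no longer update. The following Python script is an added example, not part of this thread and not a ComboFix or Kaspersky component; it audits a hosts file for exactly those two patterns and separates them from the harmless blocking entries a custom hosts file is made of. The SECURITY_SUFFIXES watchlist and the sample hosts text (including the 198.51.100.23 documentation address) are constructed assumptions, not data from the thread.

```python
"""Audit a Windows hosts file for hijack-style entries (the Qhost pattern)."""
import ipaddress
from dataclasses import dataclass

# Assumed watchlist of update / security-vendor domains; extend it for your environment.
SECURITY_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "kaspersky.com", "avira.com",
    "symantec.com", "mcafee.com", "trendmicro.com", "zonelabs.com", "safer-networking.org",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample; not the hosts file from the thread. 198.51.100.23 is a documentation address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.net          # MVPS-style blocking entry: harmless
127.0.0.1       www.kaspersky.com        # security vendor pinned to loopback: Qhost pattern
198.51.100.23   www.bank.example         # real site sent to an outside address: hijack
::1             localhost
"""


@dataclass
class HostsFinding:
    severity: str     # "high" or "info"
    line_no: int
    address: str
    hostname: str
    reason: str


def is_sink(addr: str) -> bool:
    """Loopback or 0.0.0.0: traffic to the name goes nowhere (a block, not a redirect)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def is_security_host(name: str) -> bool:
    """True when the hostname is, or sits under, one of the watchlisted vendor domains."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in SECURITY_SUFFIXES)


def audit_hosts(text: str) -> list:
    """Classify every address/hostname pair in a hosts file body."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(HostsFinding("high", n, addr, " ".join(names), "address field is not an IP"))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if is_security_host(name):
                # Any override of a vendor host, even to loopback, is a hijack of the protection itself.
                findings.append(HostsFinding("high", n, addr, name, "security/update host overridden"))
            elif not is_sink(addr):
                findings.append(HostsFinding("high", n, addr, name, "hostname redirected to a live address"))
            else:
                findings.append(HostsFinding("info", n, addr, name, "blocking entry"))
    return findings


def audit_hosts_file(path: str = r"C:\WINDOWS\system32\drivers\etc\hosts") -> list:
    """Audit the live hosts file (default path is the Windows XP location used in the thread)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"[{f.severity}] line {f.line_no}: {f.address} {f.hostname} ({f.reason})")
```

Run it against the live file with audit_hosts_file() after the cleanup: a clean machine running a blocking hosts file should produce only "info" findings, and any "high" entry is worth comparing with the backup the scanner flagged.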

#7 s.lang (New Member, 6 posts)

Posted 01 January 2008 - 09:45 PM

ComboFix 07-12-30.3 - Kids 2008-01-01 20:34:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT -6:00]
Running from: C:\Documents and Settings\Kids\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kids\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\8EA.tmp
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinsoftwareWinAntiVirusPro7.zip
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-51fbd409.zip
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-4c0629e6.zip
C:\WINDOWS\pjsswtttp.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071230-141349.backup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\8EA.tmp
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PestTrap.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloff.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinsoftwareWinAntiVirusPro7.zip
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-51fbd409.zip
C:\Documents and Settings\Kids\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-4c0629e6.zip
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.9
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\pjsswtttp.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20071230-141349.backup

.
((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 16:38 . 2008-01-01 16:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-01 16:38 . 2008-01-01 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 16:33 . 2008-01-01 16:33 <DIR> d-------- C:\Program Files\Sun
2008-01-01 16:33 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-01 16:31 . 2008-01-01 16:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-01 05:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-12-31 10:19 . 2008-01-01 20:40 4,679,712 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-12-31 10:19 . 2008-01-01 20:40 11,300 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2007-12-31 10:16 . 2007-12-31 10:16 <DIR> d-------- C:\Program Files\Avira
2007-12-31 10:16 . 2007-12-31 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-31 10:10 . 2007-12-31 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-30 16:13 . 2007-12-30 16:13 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-30 15:29 . 2007-12-31 11:04 <DIR> d-------- C:\VundoFix Backups
2007-12-30 14:22 . 2007-12-30 14:22 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\U3
2007-12-30 14:21 . 2007-12-30 14:21 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 02:21 --------- d-----w C:\Program Files\Warcraft III
2008-01-01 22:33 --------- d-----w C:\Program Files\Java
2007-12-31 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 16:57 --------- d-----w C:\Program Files\Dell
2007-12-31 16:53 --------- d-----w C:\Program Files\Sonic
2007-12-30 20:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-30 20:20 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-23 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-19 05:24 20,480 ----a-w C:\WINDOWS\quit.exe
2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-30_15.25.28.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-29 13:04:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-30 22:13:41 5,324,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-30 22:13:41 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-29 13:04:43 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-12-30 22:13:40 5,324,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-12-30 22:13:40 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-08-09 19:04:11 40,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys
+ 2007-07-18 20:22:19 21,312 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntmgr.sys
+ 2007-12-31 16:18:15 61,632 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys
+ 2007-07-19 21:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys
+ 2007-03-01 16:34:36 28,352 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-11-14 22:04:46 796,048 ----a-w C:\WINDOWS\SYSTEM32\libeay32_0.9.6l.dll
+ 2004-04-27 10:40:52 11,264 ----a-w C:\WINDOWS\SYSTEM32\SpOrder.dll
+ 2007-11-14 22:04:52 83,432 ----a-w C:\WINDOWS\SYSTEM32\vsdata.dll
+ 2007-11-14 22:05:16 394,952 ----a-w C:\WINDOWS\SYSTEM32\vsdatant.sys
+ 2007-11-14 22:04:52 157,160 ----a-w C:\WINDOWS\SYSTEM32\vsinit.dll
+ 2007-11-14 22:04:52 103,912 ----a-w C:\WINDOWS\SYSTEM32\vsmonapi.dll
+ 2007-11-14 22:04:52 275,944 ----a-w C:\WINDOWS\SYSTEM32\vspubapi.dll
+ 2007-11-14 22:04:52 71,144 ----a-w C:\WINDOWS\SYSTEM32\vsregexp.dll
+ 2007-11-14 22:04:54 472,552 ----a-w C:\WINDOWS\SYSTEM32\vsutil.dll
+ 2007-11-14 22:04:54 46,568 ----a-w C:\WINDOWS\SYSTEM32\vswmi.dll
+ 2007-11-14 22:04:54 99,816 ----a-w C:\WINDOWS\SYSTEM32\vsxml.dll
+ 2007-11-14 22:04:56 83,432 ----a-w C:\WINDOWS\SYSTEM32\zlcomm.dll
+ 2007-11-14 22:04:56 71,144 ----a-w C:\WINDOWS\SYSTEM32\zlcommdb.dll
+ 2007-12-31 16:13:06 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
+ 2007-11-14 22:04:44 370,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\av.dll
+ 2007-05-31 06:03:30 65,248 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 20:47:36 21,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 06:03:16 77,824 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 06:03:16 110,592 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 06:03:16 331,776 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 06:03:16 38,400 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 21:10:32 110,360 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 21:10:32 186,128 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 06:03:48 110,360 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 21:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 06:03:50 45,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 05:12:14 208,960 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\inv.dll
+ 2007-09-12 03:09:16 274,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\kave.dll
+ 2006-12-20 00:13:52 1,093,632 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 06:03:20 548,864 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 06:03:20 626,688 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 06:03:18 184,320 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 06:03:22 90,112 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prremote.dll
+ 2007-09-12 03:09:16 135,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-20 00:13:52 200,704 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-14 22:04:44 99,816 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\camupd.dll
+ 2004-01-30 18:35:08 813,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\dbghelp.dll
+ 2007-11-14 22:04:46 128,480 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\fbl.dll
+ 2007-11-14 22:04:46 38,376 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\featuremap.dll
+ 2007-11-14 22:04:46 321,016 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\imsecure.dll
+ 2007-11-14 22:05:18 288,144 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 22:05:18 152,976 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 22:05:18 26,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 22:05:18 1,361,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 22:05:20 71,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 22:06:34 30,184 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 22:06:36 30,216 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-19 02:18:38 714,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrbase.dll
+ 2007-10-19 02:18:38 787,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrsrecl.dll
+ 2007-11-14 22:04:48 173,544 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\scheduler.dll
+ 2007-01-11 17:12:08 2,432,259 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-10-19 02:18:40 1,500,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
+ 2007-10-19 02:18:44 51,176 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
+ 2007-11-14 22:04:50 456,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\ssleay32.dll
+ 2007-11-14 22:06:36 214,528 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 22:06:36 3,266,040 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 02:59:14 503,875 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\upd_core.dll
+ 2007-10-11 22:50:32 832,984 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updating.dll
+ 2007-11-14 22:05:06 144,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updclient.exe
+ 2007-01-11 23:31:06 286,787 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updtrsdk.dll
+ 2007-11-14 22:04:52 108,008 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsavpro.dll
+ 2007-11-14 22:04:52 83,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll
+ 2007-11-14 22:05:06 75,304 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+ 2007-11-14 22:04:52 2,029,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmondll.dll
+ 2007-11-14 22:04:54 1,361,384 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll
+ 2007-11-14 22:04:54 239,080 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsvault.dll
+ 2007-01-11 17:12:08 2,432,259 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlasdbup.dat
+ 2007-11-14 22:04:56 177,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlparser.dll
+ 2007-11-14 22:04:56 79,344 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 22:04:58 382,440 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlsre.dll
+ 2007-11-14 22:04:58 120,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlupdate.dll
+ 2007-11-14 22:05:00 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2007-11-29 18:10 1266936]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 09:29 50736]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-31 10:18 249896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-05-25 21:35 335872 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 00:04 122933 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 10:43 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 11:16 135168 --a------ C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-03 19:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-07-31 17:44 271672 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 21:00:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-02 03:04:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 21:00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
After Spybot S&D

Logfile of HijackThis v1.99.1
Scan saved at 21:44, on 2008-01-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kids\Desktop\Killer.exe.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.hondapowe...eX/TegoLoad.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
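The HijackThis log above is what the helper reads, line by line, before declaring the machine clean. As an added example (not from the thread and not part of HijackThis), this Python script applies a few of the checks a helper makes by eye to the O4/O9/O20/O23 lines: targets marked (file missing) or (no file), services with no resolvable publisher, Winlogon Notify DLLs (a persistence spot the Vundo family used), and autostart executables in unusual locations such as the root of C:\WINDOWS, where the pjsswtttp.exe adware removed earlier in this thread lived. The sample log is constructed in the shape of the posted one; the O4 line for pjsswtttp.exe is invented for illustration and does not appear in the posted log.

```python
"""Triage a HijackThis-style log: flag the entries a helper would want to look at first."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis 1.99.1 log posted above.
# The O4 line for pjsswtttp.exe is invented for illustration; it is not in the posted log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [pjsswtttp] C:\WINDOWS\pjsswtttp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cpl)\b)"?', re.IGNORECASE)


@dataclass
class Finding:
    entry_type: str   # O4, O9, O20, O23 ...
    reason: str
    line: str


def in_suspect_location(path: str) -> bool:
    """Autostart binaries rarely belong directly in the drive root or the Windows directory,
    or anywhere under Temp / Application Data."""
    p = path.lower()
    parent = p.rsplit("\\", 1)[0]
    if parent in ("c:", "c:\\windows"):
        return True
    return "\\temp\\" in p or "\\application data\\" in p


def triage(log_text: str) -> list:
    """Return the entries that need a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # process list, headers, blank lines
        kind, rest = m.groups()
        lower = rest.lower()
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding(kind, "orphaned entry: target no longer exists", raw))
            continue
        if kind == "O23" and "unknown owner" in lower:
            findings.append(Finding(kind, "service with no resolvable publisher", raw))
        if kind == "O20":
            findings.append(Finding(kind, "Winlogon Notify DLL loads at every logon; verify the file", raw))
        pm = PATH_RE.search(rest)
        if pm and in_suspect_location(pm.group(1)):
            findings.append(Finding(kind, f"executable in an unusual location: {pm.group(1)}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type:<4} {f.reason}\n     {f.line.strip()}")
```

Orphaned entries are harmless leftovers and only need cleanup; the location and publisher checks are where the pjsswtttp.exe-style entries surface, and a hit there still has to be confirmed against the file itself rather than acted on from the log alone.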

#8 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 01 January 2008 - 09:53 PM

Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

Time for some housekeeping
  • First DELETE VundoFix.exe (if still present) and uninstall SDFix.exe
  • Then, click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I can not overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice "So how did I get infected in the first place?"
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


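Added example, not from Trevuren's post or this forum: a PowerShell audit of the six Internet-zone settings in step 1, read from the registry values Internet Explorer keeps for the Internet zone (value IDs as documented in Microsoft KB182569). The key path, the `-Fix` switch and the function name are assumptions of this script.

```powershell
# Added example (not from the thread). Audits the Internet-zone (zone 3)
# settings from step 1 against the recommended values. Registry value IDs
# follow Microsoft KB182569; 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values, keyed by the registry value name IE uses for each setting.
$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = 3 },
    @{ Id = '1201'; Name = 'Initialise and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                            Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';             Want = 1 }
)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneSettings {
    # Hypothetical helper name. With -Fix, non-compliant values are set to the
    # recommended value (same effect as the Custom Level dialog in step 1).
    param([string]$Key = $zoneKey, [switch]$Fix)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($s in $recommended) {
        $current = $props.($s.Id)
        # A missing value means IE falls back to the zone template default, so flag it.
        $ok = ($null -ne $current) -and ([int]$current -eq $s.Want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $Key -Name $s.Id -Value $s.Want -Type DWord
        }
        $shown = if ($null -eq $current) { 'not set' }
                 elseif ($label.ContainsKey([int]$current)) { $label[[int]$current] }
                 else { "unknown ($current)" }
        [pscustomobject]@{
            Setting     = $s.Name
            Current     = $shown
            Recommended = $label[$s.Want]
            Compliant   = $ok
        }
    }
}

Test-InternetZoneSettings | Format-Table -AutoSize
```

If the machine's Security_HKLM_only setting or Group Policy defines the zone under HKLM instead, the per-user values audited here are ignored and the same value names should be checked under the HKLM hive.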

#9 s.lang

  • New Member
  • 6 posts

Posted 01 January 2008 - 10:50 PM

Thank you so much. I'm sure my mother/sister will be happy to have one less thing to worry about; I will pass the info on.

#10 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 01 January 2008 - 10:57 PM

My pleasure, Trevuren

#11 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 01 January 2008 - 10:57 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.