[Resolved] virtumonde and smitfraud HELP!


  • This topic is locked
12 replies to this topic

#1 jonfong (New Member, 6 posts)

Posted 18 January 2008 - 01:43 PM

I have no idea how I got these, but I started to get pop ups in IE when I'm surfing the net on firefox. I ran Spybot, AVG, Hi-Jack This, ATF Cleaner, VundoFix and nothing has helped!!!

EDIT : I just ran AVG again today (Sunday Jan. 19th 2008) and found out that I have Dropper.Agent.dgo as well... PLEASE, any help you can provide would be GREATLY appreciated.

I also get these "error" popups on my screen every now and then. Also, there's a process called "windows" that runs in my task manager which uses up all of my resources and my computer is not operable when it runs. Here are pictures of what it looks like.


Posted Image ("i hid desktop icons for this pic")

Posted Image ("the 'windows' process that runs")

here's my logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:31 PM, on 1/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\program files\steam\steam.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\mIRC\mirc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jonathan Fong\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Policies\Explorer\Run: [{104F4FC1-07FB-1033-0522-040310170001}] "C:\Program Files\Common Files\{104F4FC1-07FB-1033-0522-040310170001}\Update.exe" mc-110-12-0000103
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3585 bytes


VundoFix V6.7.7


Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 7:38:29 AM 1/18/2008

Listing files found while scanning....

C:\WINDOWS\system32\ddcayvv.dll
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\mlljj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcayvv.dll
C:\WINDOWS\system32\ddcayvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\jjllm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\jjllm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mlljj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 9:37:15 AM 1/18/2008

Listing files found while scanning....

C:\windows\system32\gebyw.dll
C:\windows\system32\wybeg.ini
C:\windows\system32\wybeg.ini2

Beginning removal...

Attempting to delete C:\windows\system32\gebyw.dll
C:\windows\system32\gebyw.dll Has been deleted!

Attempting to delete C:\windows\system32\wybeg.ini
C:\windows\system32\wybeg.ini Has been deleted!

Attempting to delete C:\windows\system32\wybeg.ini2
C:\windows\system32\wybeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!


SmitFraudFix v2.274

Scan done at 10:40:53.37, Fri 01/18/2008
Run from C:\Documents and Settings\Jonathan Fong\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 63.203.35.55
DNS Server Search Order: 206.13.28.12
DNS Server Search Order: 208.190.30.12

Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: VIA Networking Velocity Family Giga-bit Ethernet Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 66.75.164.90
DNS Server Search Order: 66.75.164.89

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6AD1837F-8364-4ECA-BD58-C6E45FAF7551}: DhcpNameServer=63.203.35.55 206.13.28.12 208.190.30.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7F5BFDCA-F4DF-4B69-A644-0E1086641092}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FBEFFC92-764B-4145-BB96-694686DE0197}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6AD1837F-8364-4ECA-BD58-C6E45FAF7551}: DhcpNameServer=63.203.35.55 206.13.28.12 208.190.30.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7F5BFDCA-F4DF-4B69-A644-0E1086641092}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FBEFFC92-764B-4145-BB96-694686DE0197}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6AD1837F-8364-4ECA-BD58-C6E45FAF7551}: DhcpNameServer=63.203.35.55 206.13.28.12 208.190.30.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7F5BFDCA-F4DF-4B69-A644-0E1086641092}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FBEFFC92-764B-4145-BB96-694686DE0197}: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.75.164.90 66.75.164.89


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by jonfong, 20 January 2008 - 08:17 AM.
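The VundoFix output above shows the naming scheme this family uses: each randomly named DLL in system32 (mlljj.dll, gebyw.dll, and later pmnnm.dll in the ComboFix script further down) sits next to .ini/.ini2 (or .bak1/.bak2) companions whose base name is the DLL name spelled backwards (jjllm.ini, wybeg.ini2, mnnmp.bak1). The companions carry a copy from which the DLL can be recreated, which is why VundoFix removes the whole set and why a twin left behind after a cleanup deserves a second look. The script below is an added example written for this page, not VundoFix's own code: it pairs DLLs with their reversed-name twins and reports companion files that no longer have a DLL. The file listing is constructed from names in the logs above, with kernel32.dll and desktop.ini added as legitimate controls.

```python
"""Pair Vundo-style DLLs with their reversed-name companion files.

Added example for this page; not part of the thread and not VundoFix code.
File names are copied from the VundoFix and ComboFix-script listings in
the thread; kernel32.dll and desktop.ini are added as legitimate controls.
"""
from collections import defaultdict

COMPANION_EXTS = {".ini", ".ini2", ".bak1", ".bak2"}
# A lone .ini is too common (desktop.ini) to be called an orphan by itself.
ORPHAN_EXTS = COMPANION_EXTS - {".ini"}

# Constructed listing: names from the logs above plus two legitimate files.
LISTING = """\
C:\\WINDOWS\\system32\\ddcayvv.dll
C:\\WINDOWS\\system32\\jjllm.ini
C:\\WINDOWS\\system32\\jjllm.ini2
C:\\WINDOWS\\system32\\mlljj.dll
C:\\windows\\system32\\gebyw.dll
C:\\windows\\system32\\wybeg.ini
C:\\windows\\system32\\wybeg.ini2
C:\\WINDOWS\\System32\\pmnnm.dll
C:\\WINDOWS\\system32\\mnnmp.bak1
C:\\WINDOWS\\system32\\mnnmp.bak2
C:\\WINDOWS\\system32\\mnnmp.ini2
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\desktop.ini
"""


def split_name(path):
    """Return (base, extension) of the file name in a Windows path, lowercased."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, "." + ext)


def find_reversed_pairs(paths):
    """Map each DLL to the companion files whose base name is the DLL name reversed.

    Only DLLs with at least one twin appear in the result, so kernel32.dll
    (and ddcayvv.dll, which has no twin in this listing) are absent.
    """
    companions = defaultdict(list)
    for p in paths:
        base, ext = split_name(p)
        if ext in COMPANION_EXTS:
            companions[base].append(p)
    pairs = {}
    for p in paths:
        base, ext = split_name(p)
        if ext == ".dll" and base[::-1] in companions:
            pairs[p] = sorted(companions[base[::-1]])
    return pairs


def orphan_companions(paths):
    """Companion files (.ini2/.bak1/.bak2) whose reversed base matches no DLL.

    After a partial cleanup these are what remains; each one names, reversed,
    the DLL that was (or will again be) written next to it.
    """
    dll_bases = {split_name(p)[0] for p in paths if split_name(p)[1] == ".dll"}
    return sorted(p for p in paths
                  if split_name(p)[1] in ORPHAN_EXTS
                  and split_name(p)[0][::-1] not in dll_bases)


if __name__ == "__main__":
    paths = LISTING.split()
    for dll, twins in find_reversed_pairs(paths).items():
        print(f"{dll}  <-  {', '.join(twins)}")
    print("orphans:", orphan_companions(paths) or "none")
```

Note what the check does not catch: ddcayvv.dll has no reversed twin in the listing and is not reported, so the reversed-name rule is a cheap completeness check on a cleanup, not a replacement for the signature list a tool like VundoFix carries.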



#2 jpshortstuff (Teacher Emeritus, Authentic Member, 5,710 posts)

Posted 23 January 2008 - 02:26 PM

Hi, and Welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

As I am still training here, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.


Sorry about the delay in responding :(

If you still need help:

Show all hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Please do not delete anything unless instructed to.

Next, rename HijackThis.exe to scanner.exe.
Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Then I will analyze your log and sort out a fix for you :)

Also please describe how your computer behaves at the moment.


jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#3 jonfong (New Member, 6 posts)

Posted 23 January 2008 - 04:22 PM

Thanks for the reply jpshortstuff. My computer acts slow sometimes while I'm playing games or listening to music. Most of the time it's a program in my Task Manager called "windows" (see picture attached in first post). When I surf the internet on Firefox, I get pop ups constantly in IE. I also ran Vundofix a few times and every time it would find new things to remove. Spybot also constantly finds new things.

Here is the newest log from HJT. Thanks again for the help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:00 PM, on 1/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\program files\steam\steam.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ejlvwuli.exe
D:\Program Files\mIRC1\mirc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jonathan Fong\Desktop\scanner.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\gebca.exe
O2 - BHO: (no name) - {1E875E43-DD67-49B5-8FD3-3E04DA3E483C} - C:\WINDOWS\System32\ssttr.dll (file missing)
O2 - BHO: {aa03eddf-5743-e088-33b4-63c001f1db93} - {39bd1f10-0c36-4b33-880e-3475fdde30aa} - C:\WINDOWS\System32\jxwfsslw.dll (file missing)
O2 - BHO: (no name) - {43F60C3A-9920-4A71-BD59-7EE26E4707EF} - C:\WINDOWS\System32\gebca.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9ABC922F-8516-47BC-92DC-366E5594620B} - C:\WINDOWS\System32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\qommnll.dll
O2 - BHO: (no name) - {B5C9C33C-3732-4A7E-89B9-A2923225E1E8} - C:\WINDOWS\System32\mljgg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [104f4f6e] rundll32.exe "C:\WINDOWS\System32\idfutfrf.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA8935] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1412] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4277] command /c del "C:\WINDOWS\system32\ejlvwuli.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1723] cmd /c del "C:\WINDOWS\system32\ejlvwuli.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Policies\Explorer\Run: [{104F4FC1-07FB-1033-0522-040310170001}] "C:\Program Files\Common Files\{104F4FC1-07FB-1033-0522-040310170001}\Update.exe" mc-110-12-0000103
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malw...tup/webinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\System32\pmnnm.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5265 bytes
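Reading a log like the one above is pattern work: nameless BHOs pointing at five-to-eight-letter DLLs in System32 (several already missing on disk), a win.ini load= line, a Winlogon Notify handler, a rundll32 Run entry and an HKCU Policies\Explorer\Run entry are exactly the lines the fix a few posts down targets. The script below is an added example for this page, neither HijackThis code nor the helper's own method; it writes those checks down as rules and runs them over an excerpt copied verbatim from the log above. KNOWN_GOOD is an assumed minimal allowlist for legitimate System32 binaries with short lowercase names; a real tool would use a full known-good list or signature verification instead.

```python
"""Triage heuristics for a HijackThis 2.0 log.

Added example for this page; it is neither HijackThis code nor the
helper's method, just the checks a reviewer applies to the log above,
written down.  KNOWN_GOOD is an assumption: a real tool would carry a
full known-good list or verify file signatures instead.
"""
import re

# Constructed excerpt: lines copied verbatim from the second HJT log above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\System32\gebca.exe
O2 - BHO: (no name) - {1E875E43-DD67-49B5-8FD3-3E04DA3E483C} - C:\WINDOWS\System32\ssttr.dll (file missing)
O2 - BHO: {aa03eddf-5743-e088-33b4-63c001f1db93} - {39bd1f10-0c36-4b33-880e-3475fdde30aa} - C:\WINDOWS\System32\jxwfsslw.dll (file missing)
O2 - BHO: (no name) - {43F60C3A-9920-4A71-BD59-7EE26E4707EF} - C:\WINDOWS\System32\gebca.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [104f4f6e] rundll32.exe "C:\WINDOWS\System32\idfutfrf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [{104F4FC1-07FB-1033-0522-040310170001}] "C:\Program Files\Common Files\{104F4FC1-07FB-1033-0522-040310170001}\Update.exe" mc-110-12-0000103
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\System32\pmnnm.dll (file missing)
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
"""

# System32 binaries with short all-lowercase names that are legitimate
# (assumed minimal allowlist; extend or replace with signature checks).
KNOWN_GOOD = {"ctfmon", "wuauclt"}

# A drive-letter path ending in a binary extension; spaces allowed, quotes not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe|sys)\b', re.IGNORECASE)


def random_system32_name(path):
    """True for a 5-8 letter all-lowercase base name under \\WINDOWS.

    Matches the drop names in this thread (gebca, ssttr, jxwfsslw, idfutfrf,
    pmnnm); mixed case (RadClock), digits (rundll32) and non-Windows
    directories (Program Files) are left alone.
    """
    if "\\windows\\" not in path.lower():
        return False
    base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (base.isalpha() and base.islower()
            and 5 <= len(base) <= 8 and base not in KNOWN_GOOD)


def triage(log_text):
    """Return [(severity, reason, line)] for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(" - ")
        kind = fields[0]
        missing = "(file missing)" in line
        rnd = any(random_system32_name(p) for p in PATH_RE.findall(line))

        if kind == "F3":
            findings.append(("HIGH", "win.ini load=/run= is a legacy autostart, rarely legitimate", line))
        elif kind == "O20":
            reason = "Winlogon Notify DLL is loaded into winlogon.exe at every logon"
            if missing:
                reason += " (registration outlived the file; remove it anyway)"
            findings.append(("HIGH", reason, line))
        elif kind == "O2" and rnd and ("(no name)" in line or fields[1].startswith("BHO: {")):
            findings.append(("MEDIUM" if missing else "HIGH",
                             "nameless BHO backed by a random-named System32 DLL"
                             + (", file missing" if missing else ""), line))
        elif kind == "O4" and rnd and "rundll32" in line.lower():
            findings.append(("HIGH", "rundll32 loads a random-named DLL at logon", line))
        elif kind == "O4" and "Policies\\Explorer\\Run" in line:
            findings.append(("MEDIUM", "Policies\\Explorer\\Run autostart; rare for legitimate software", line))
        elif kind == "O23" and missing:
            findings.append(("LOW", "service entry points at a missing binary", line))
        elif rnd:
            findings.append(("HIGH", "random-named binary under \\WINDOWS", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 3, 'LOW': 1}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, reason, line in results:
        print(f"[{sev:6}] {reason}\n         {line}")
    print(summarize(results))
```

On the excerpt this reports eight lines (four HIGH, three MEDIUM, one LOW) and stays silent on SDHelper.dll, qttask.exe and ctfmon.exe. The "(file missing)" entries are rated lower only because the DLL is gone; the registrations still have to go, which is what the File:: and Registry:: sections of the ComboFix script later in the thread do.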

#4 jpshortstuff (Teacher Emeritus, Authentic Member, 5,710 posts)

Posted 23 January 2008 - 07:14 PM

Hi


You don't appear to be running any Anti-Virus software.

Install Anti-Virus software! Without any anti-virus software, your computer is wide open to infection. If you don't have any Anti-Virus software I strongly recommend you download Avast! or AVG Free.


Viewpoint Manager is often installed without the users permission. If you didn't install it, or if you did but you no longer use it, I recommend you get rid of it.

Please click Start >> Control Panel >> Add or Remove Programs.
Find the item below on the list and click Remove.
Viewpoint Manager
Let me know how it goes.


You need to disable TeaTimer, so that it doesn't interfere with our fix.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For both versions :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.



Download ComboFix by sUBs from here or here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Thanks,

jpshortstuff


#5 jonfong (New Member, 6 posts)

Posted 23 January 2008 - 08:49 PM

I already had AVG downloaded but it wasn't running at the time I posted my first log. I also used ATF Cleaner again as well as disabled Spybot as requested. Viewpoint Media Player was also removed from Add/Remove Programs. I tried posting my ComboFix log here but it is WAY too long and I can't post it as an attachment because the file is 768kb. Posted below is the newest HJT log. Please let me know how you would like to view my ComboFix log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40, on 2008-01-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\program files\steam\steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Jonathan Fong\Desktop\scanner.exe

O2 - BHO: (no name) - {1E875E43-DD67-49B5-8FD3-3E04DA3E483C} - C:\WINDOWS\System32\ssttr.dll (file missing)
O2 - BHO: {aa03eddf-5743-e088-33b4-63c001f1db93} - {39bd1f10-0c36-4b33-880e-3475fdde30aa} - C:\WINDOWS\System32\jxwfsslw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9ABC922F-8516-47BC-92DC-366E5594620B} - C:\WINDOWS\System32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {B5C9C33C-3732-4A7E-89B9-A2923225E1E8} - C:\WINDOWS\System32\mljgg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Policies\Explorer\Run: [{104F4FC1-07FB-1033-0522-040310170001}] "C:\Program Files\Common Files\{104F4FC1-07FB-1033-0522-040310170001}\Update.exe" mc-110-12-0000103
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malw...tup/webinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\System32\pmnnm.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)

--
End of file - 4013 bytes

#6 jpshortstuff (Teacher Emeritus, Authentic Member, 5,710 posts)

Posted 24 January 2008 - 09:46 AM

Hi

Please go to this site:
Yousendit

In the left hand box titled "Send a file now", please type your email in both the to and from addresses. Click "Browse" and navigate to the combofix log (C:\ComboFix.txt). Click "SEND IT".

This should send you an email (check your spam folder if you can't see it), containing a link for the file. Please post that link here.

Thanks.


#7 jonfong (New Member, 6 posts)

Posted 24 January 2008 - 01:04 PM

Here is the link to the ComboFix.txt file. I am also going to post another HJT log so that you have the most updated log.

ComboFix.txt Link
http://download.yous...D1A08233CB65852


most recent HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03, on 2008-01-24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\program files\steam\steam.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jonathan Fong\Desktop\scanner.exe

O2 - BHO: (no name) - {1E875E43-DD67-49B5-8FD3-3E04DA3E483C} - C:\WINDOWS\System32\ssttr.dll (file missing)
O2 - BHO: {aa03eddf-5743-e088-33b4-63c001f1db93} - {39bd1f10-0c36-4b33-880e-3475fdde30aa} - C:\WINDOWS\System32\jxwfsslw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9ABC922F-8516-47BC-92DC-366E5594620B} - C:\WINDOWS\System32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {B5C9C33C-3732-4A7E-89B9-A2923225E1E8} - C:\WINDOWS\System32\mljgg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Policies\Explorer\Run: [{104F4FC1-07FB-1033-0522-040310170001}] "C:\Program Files\Common Files\{104F4FC1-07FB-1033-0522-040310170001}\Update.exe" mc-110-12-0000103
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malw...tup/webinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\System32\pmnnm.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)

--
End of file - 4013 bytes

#8 jpshortstuff (Teacher Emeritus, Authentic Member, 5,710 posts)

Posted 24 January 2008 - 04:43 PM

Hi

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\System32\ssttr.dll
C:\WINDOWS\System32\jkhhf.dll
C:\WINDOWS\System32\jxwfsslw.dll
C:\WINDOWS\System32\mljgg.dll
C:\WINDOWS\System32\drivers\ndistapii.sys
C:\WINDOWS\System32\pmnnm.dll
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\IFinst26.exe
C:\WINDOWS\System32\cmdnddc.exe
C:\WINDOWS\system32\dbuskfqy.ini
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\drivers\core.cache.dsk

Folder::
C:\WINDOWS\system32\re9
C:\WINDOWS\system32\kt8
C:\WINDOWS\system32\gz4
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\dp2
C:\Program Files\Viewpoint
C:\Temp
C:\Program Files\altnet

DirLook::
C:\WINDOWS\system32\windows_tobedeleted_old

Driver::
ndistapii

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E875E43-DD67-49B5-8FD3-3E04DA3E483C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39bd1f10-0c36-4b33-880e-3475fdde30aa}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ABC922F-8516-47BC-92DC-366E5594620B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5C9C33C-3732-4A7E-89B9-A2923225E1E8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\20dd85c1-8014-410e-b88a-ffd7633003cb]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{104F4FC1-07FB-1033-0522-040310170001}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt.

We need to upload a file to Jotti

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\DLLDEV32i.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

5. Please repeat steps 2-4 for the following files:
C:\WINDOWS\mgxoschk.ini


Please do an online scan with Kaspersky WebScanner

Follow this link in Internet Explorer (Note: You must use Internet Explorer to use Kaspersky): Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)

    o Scan Options:
    Scan Archives
    Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    o Now click on the Save as Text button:
  • Save the file to your desktop.
Please post the results of the Kaspersky scan in your next reply, along with a fresh HijackThis log.

Thanks,

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

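A worked example added by the editor, not code from ComboFix, HijackThis or the helper's post: a small Python parser for the CFScript format used above, a guardrail that flags a script naming a whole system directory for deletion, and a cross-check that the script actually handles the HijackThis O20 (Winlogon Notify) entry it was written for, as a reviewer would want before running a deletion script on someone's machine. The section meanings (File:: and Folder:: delete, Driver:: removes the driver service, Registry:: uses regedit syntax where [-KEY] deletes a key and "name"=- deletes a value), the protected-root list and the helper names are assumptions of this example; the sample script is a subset of the script posted above, and the second O20 line is constructed.

```python
"""Parse a ComboFix CFScript and cross-check it against HijackThis O20 lines.

Added example, not ComboFix's, HijackThis's or the forum helper's own code.
Assumptions (not confirmed by the thread): a section starts with a line ending
in "::" and runs until the next header; File:: and Folder:: name things to
delete, Driver:: names a driver service to remove, Registry:: uses regedit
syntax ("[-KEY]" deletes a key, '"name"=-' deletes a value under the preceding
key); an O20 line reads 'O20 - Winlogon Notify: <name> - <path>' with an
optional ' (file missing)' suffix.
"""
import re

# Constructed sample: a subset of the script posted in the thread.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\System32\pmnnm.dll
C:\WINDOWS\system32\mlfcache.dat

Folder::
C:\Program Files\Viewpoint

Driver::
ndistapii

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E875E43-DD67-49B5-8FD3-3E04DA3E483C}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{104F4FC1-07FB-1033-0522-040310170001}"=-
"""

# Constructed sample: the O20 line from the HijackThis log in this thread plus
# one invented, benign-looking entry that the script should leave alone.
SAMPLE_HJT = r"""O20 - Winlogon Notify: pmnnm - C:\WINDOWS\System32\pmnnm.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxdev.dll
"""

REG_KEY = re.compile(r"^\[(-?)(.+)\]$")
REG_VALUE = re.compile(r'^"(.+)"=-$')
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# Hypothetical guardrail list: roots a cleanup script must never delete outright.
PROTECTED_ROOTS = {
    r"c:\windows", r"c:\windows\system32", r"c:\program files", r"c:\documents and settings",
}


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]} in file order, ignoring blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()           # the posted script carries trailing tabs
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry_ops(lines):
    """Turn regedit-style lines into (action, key, value) tuples."""
    ops, key = [], None
    for line in lines:
        m = REG_KEY.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                ops.append(("delete_key", key, None))
            continue                 # a plain [KEY] only selects the key
        m = REG_VALUE.match(line)
        if m and key is not None:
            ops.append(("delete_value", key, m.group(1)))
        else:
            ops.append(("unrecognised", key, line))
    return ops


def risky_paths(sections):
    """Return File::/Folder:: entries that would delete a protected root."""
    flagged = []
    for section in ("File", "Folder"):
        for path in sections.get(section, []):
            if path.rstrip("\\").lower() in PROTECTED_ROOTS:
                flagged.append((section, path))
    return flagged


def o20_coverage(hjt_text, sections):
    """For each O20 entry, report whether the script removes its key and its file."""
    files = {p.lower() for p in sections.get("File", [])}
    deleted_keys = {
        key.lower() for action, key, _ in parse_registry_ops(sections.get("Registry", []))
        if action == "delete_key"
    }
    report = {}
    for line in hjt_text.splitlines():
        m = O20_LINE.match(line.strip())
        if not m:
            continue
        name, path, missing = m.groups()
        report[name] = {
            "file_missing": missing is not None,
            "key_deleted": (NOTIFY_KEY + "\\" + name).lower() in deleted_keys,
            "file_deleted": path.lower() in files,
        }
    return report


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print("risky:", risky_paths(parsed))
    print(o20_coverage(SAMPLE_HJT, parsed))
```

Run stand-alone it reports no risky paths and shows that the pmnnm entry (flagged "file missing" in the log) is covered on both the registry and file side, while the invented igfxcui entry is untouched. The `~` abbreviation in the BHO keys is kept verbatim rather than expanded, since the example does not assume what ComboFix substitutes for it.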

#9 jonfong

jonfong

    New Member

  • New Member
  • 6 posts

Posted 25 January 2008 - 08:30 PM

The 2 files I scanned on the Jotti website were both OK as nothing was found.

Here are all the logs from Kaspersky and HJT. I am also going to post a link again for the ComboFix because it is too long to post in multiple replies.

ComboFix.txt
http://download.yous...951323E0372C0EA

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-25 18:28
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/01/2008
Kaspersky Anti-Virus database records: 532950
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 88900
Number of viruses found: 25
Number of infected objects: 91
Number of suspicious objects: 0
Duration of the scan process: 00:46:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jonathan Fong\.housecall\Quarantine\delprot.sys.bac_a03168 Infected: Trojan.Win32.Delprot.a skipped
C:\Documents and Settings\Jonathan Fong\.housecall\Quarantine\UWFX5NetInstaller.exe.bac_a03168 Infected: not-a-virus:Downloader.Win32.Agent.d skipped
C:\Documents and Settings\Jonathan Fong\.housecall6.6\Quarantine\delprot.sys.bac_a03168 Infected: Trojan.Win32.Delprot.a skipped
C:\Documents and Settings\Jonathan Fong\.housecall6.6\Quarantine\MirarSetup_876075.exe.bac_a02632 Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped
C:\Documents and Settings\Jonathan Fong\.housecall6.6\Quarantine\mmxsnet.exe.bac_a01068 Infected: not-a-virus:AdWare.Win32.MediaMotor.q skipped
C:\Documents and Settings\Jonathan Fong\.housecall6.6\Quarantine\NNBar_VCSetup_876075.exe.bac_a01068 Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\Jonathan Fong\.housecall6.6\Quarantine\UWA5PNetInstaller.exe.bac_a01068 Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\Documents and Settings\Jonathan Fong\.housecall6.6\Quarantine\UWFX5NetInstaller.exe.bac_a03168 Infected: not-a-virus:Downloader.Win32.Agent.d skipped
C:\Documents and Settings\Jonathan Fong\Application Data\mIRC\logs\status.log Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\history.dat Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\key3.db Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Desktop\Anti Virus\backups\backup-20080118-095457-227.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\Documents and Settings\Jonathan Fong\Desktop\Anti Virus\backups\backup-20080118-095457-448.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\Documents and Settings\Jonathan Fong\Desktop\Anti Virus\backups\backup-20080118-112938-471.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\Documents and Settings\Jonathan Fong\Desktop\Anti Virus\backups\backup-20080118-112938-699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Documents and Settings\Jonathan Fong\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Application Data\Mozilla\Firefox\Profiles\zqk5i52n.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\History\History.IE5\MSHist012008012520080126\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan Fong\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jonathan Fong\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jonathan Fong\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\root\Application Data\Aim\oikfqrqj\n1njafong\cert8.db Object is locked skipped
C:\Documents and Settings\root\Application Data\Aim\oikfqrqj\n1njafong\key3.db Object is locked skipped
C:\Documents and Settings\root\Application Data\Aim\oikfqrqj\n1njafong\Resources\CurrentSettings.xml Object is locked skipped
C:\Documents and Settings\root\Application Data\Aim\oikfqrqj\n1njafong\secmod.db Object is locked skipped
C:\Documents and Settings\root\Application Data\Aim\oikfqrqj\Resources\CurrentSettings.xml Object is locked skipped
C:\Documents and Settings\root\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf Object is locked skipped
C:\Documents and Settings\root\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\root\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\root\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\Favorites\Links\Customize Links.url Object is locked skipped
C:\Documents and Settings\root\Favorites\Links\Free Hotmail.url Object is locked skipped
C:\Documents and Settings\root\Favorites\Links\Windows Media.url Object is locked skipped
C:\Documents and Settings\root\Favorites\Links\Windows.url Object is locked skipped
C:\Documents and Settings\root\Favorites\MSN.com.url Object is locked skipped
C:\Documents and Settings\root\Favorites\Radio Station Guide.url Object is locked skipped
C:\Documents and Settings\root\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\root\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\root\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\root\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\root\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temp\PerfectNavBHOLog.tmp Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\09MR0L67\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\49Q30TQZ\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\IPPVNE62\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\Content.IE5\OTT0RG2I\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\root\My Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\root\My Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\My Documents\My Music\Sample Music.lnk Object is locked skipped
C:\Documents and Settings\root\My Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\My Documents\My Pictures\Sample Pictures.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\familyPhotos on computer in master study room (Masterstudy)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\familyPhotos on computer in master study room (Masterstudy)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\My Pictures on computer in master study room (Masterstudy)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\My Pictures on computer in master study room (Masterstudy)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on computer in master study room (Masterstudy)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on computer in master study room (Masterstudy)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on Jon's computer (Jfong)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on Jon's computer (Jfong)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on selfBuildInStudy (Public)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on selfBuildInStudy (Public)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on Sony vaio computer in bo's room (Boboroom)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\SharedDocs on Sony vaio computer in bo's room (Boboroom)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NetHood\wow on Jon's computer (Jfong)\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\NetHood\wow on Jon's computer (Jfong)\target.lnk Object is locked skipped
C:\Documents and Settings\root\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\root\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\root\ntuser.ini Object is locked skipped
C:\Documents and Settings\root\Recent\Desktop.ini Object is locked skipped
C:\Documents and Settings\root\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\root\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\root\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\root\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\root\SendTo\My Documents.mydocs Object is locked skipped
C:\Documents and Settings\root\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Address Book.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Internet Explorer.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Outlook Express.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\root\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\root\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\root\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\root\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\root\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\root\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\root\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\root\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\root\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\root\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\root\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\root\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\root\Templates\wordpfct.wpg Object is locked skipped
C:\Pstools\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\Pstools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\Pstools\rkipii.exe.tmp Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jonathan Fong\Application Data\STEM32~1\ѕеrvices.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\QooBox\Quarantine\C\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebca.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\idfutfrf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qommnll.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX9.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1159\A0191701.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1160\A0191719.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1161\A0191732.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1163\A0191856.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1165\A0191896.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1165\A0191961.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1165\A0191968.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1167\A0194085.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1169\A0196062.exe Infected: Trojan.Win32.Agent.eco skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1169\A0196063.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.ag skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1170\A0201060.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1171\A0201073.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1171\A0202060.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0202076.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0202078.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0202082.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0202083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0202084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0203097.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0204097.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0204101.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0204105.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0204106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1172\A0204108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0204123.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0204149.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0205148.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0205149.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0206154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0206156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1173\A0206157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1174\A0206168.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1174\A0206199.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1174\A0207163.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1174\A0207164.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1174\A0207320.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1174\A0207325.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1175\A0207352.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207353.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207356.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207357.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207358.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207359.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207362.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207363.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1176\A0207369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1178\change.log Object is locked skipped
C:\VundoFix Backups\ajxrbeys.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\ddcayvv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\ejlvwuli.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\gebyw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\VundoFix Backups\jkhhf.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\VundoFix Backups\jkhhf.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\jktakapq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\jnvogvuq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\kanrsqtc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\mljgg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\VundoFix Backups\mlljj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\VundoFix Backups\npidpxch.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\qommnll.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\ssttr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\VundoFix Backups\ssttr.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\sylrgxno.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\xsstaihd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\webinst.dll Infected: Trojan-Downloader.Win32.Adload.pi skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\windows_tobedeleted_old Infected: Trojan.Win32.Zapchast.dt skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
D:\Program Files\mIRC1\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\Program Files\Steam\Steam.log Object is locked skipped
D:\Program Files\Steam\SteamApps\winui.gcf Object is locked skipped
D:\System Volume Information\_restore{D3588862-74A2-4FEF-8D1F-4895922D1A26}\RP1178\change.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30, on 2008-01-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\program files\steam\steam.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ventrilo\Ventrilo.exe
D:\Program Files\mIRC1\mirc.exe
C:\Documents and Settings\Jonathan Fong\Desktop\scanner.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malw...tup/webinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)

--
End of file - 3489 bytes

#10 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 27 January 2008 - 11:27 AM

Hi

You mentioned that you have AVG, but do you mean you have the Anti-Spyware or the Anti-Virus version (completely different things)? I can see the Anti-Spyware one from your logs, but there is no evidence of any type of anti-virus software. It's not sufficient to rely on Anti-Spyware software to protect your PC; you need to have Anti-Virus and Firewall software (but don't install any firewalls until we are clean, I'll let you know).
So, I strongly recommend you install Avast! or AVG Free.


Due to the nature of your infection, you will need to re-install some programs if you wish them to function properly. These programs are the following:
Aim6
Skype
QuickTime
AVG Anti-Spyware


You should fully uninstall these by going into Add/Remove Programs, then download and install fresh versions.



Please Right Click your Start button, and click Explore.
Next, locate and delete the following files and folders (if present):

Files:
C:\WINDOWS\Downloaded Program Files\webinst.dll <<FILE

Folders:
C:\WINDOWS\system32\windows_tobedeleted_old\ <<FOLDER
C:\Documents and Settings\Jonathan Fong\.housecall\Quarantine\ <<FOLDER
C:\Documents and Settings\Jonathan Fong\Desktop\Anti Virus\backups\ <<FOLDER

If any of them aren't there then don't worry, but if you have a problem deleting one of them then please let me know.



Open HijackThis. Hit Do A System Scan Only. Place a check next to the following items (if present):
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Close all browsers and windows except for HijackThis and click Fix Checked.


After completing all these steps, please reboot your computer and post a new HijackThis log, and also describe how your computer is running at the moment.

Thanks,

jpshortstuff

Edited by jpshortstuff, 27 January 2008 - 11:28 AM.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

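The two logs in this thread (the Kaspersky online-scanner results above and the HijackThis O4/O23 lines) are what the helper triages by hand in the post above. The following Python script is an added example, not code from the thread, from Kaspersky or from Trend Micro: it parses both formats, sorts scanner hits into the buckets that actually matter (live files still on disk, finds already moved into `C:\VundoFix Backups`, `not-a-virus:` riskware, and locked system files that every scanner skips), and flags the HijackThis entries worth a second look: O4 names the helper has chosen to fix, O4 commands given as a bare filename rather than a full path, and O23 services whose binary is missing. The sample lines are copied from this thread; the function names and the bucket names are my own.

```python
"""Added triage example for the two log formats posted in this thread.

Not code from the forum or from the tools' vendors.  Parses Kaspersky
online-scanner result lines ("<path> Infected: <name> skipped" and
"<path> Object is locked skipped") and HijackThis O4 / O23 lines.
"""
import re

SCAN_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|Object is locked) skipped$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Folder VundoFix moves its finds into; hits here are already neutralised.
VUNDOFIX_BACKUPS = "c:\\vundofix backups\\"

# Sample lines copied from the scanner output and HijackThis log in this thread.
SCAN_SAMPLE = r"""
C:\VundoFix Backups\ssttr.exe.bad Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\VundoFix Backups\sylrgxno.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\webinst.dll Infected: Trojan-Downloader.Win32.Adload.pi skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\windows_tobedeleted_old Infected: Trojan.Win32.Zapchast.dt skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped

Scan process completed.
"""

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


def triage_scan(text):
    """Bucket scanner result lines into active / quarantined / riskware / locked."""
    out = {"active": [], "quarantined": [], "riskware": [], "locked": []}
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, "Scan process completed."
        path, name = m.group("path"), m.group("name")
        if name is None:
            out["locked"].append(path)              # SAM, event logs, hives: scanner cannot open them
        elif path.lower().startswith(VUNDOFIX_BACKUPS):
            out["quarantined"].append((path, name))  # already renamed .bad by VundoFix
        elif name.startswith("not-a-virus:"):
            out["riskware"].append((path, name))    # e.g. a legitimate IRC client
        else:
            out["active"].append((path, name))      # still live on disk: these need action
    return out


def review_hjt(text, remove_keys=()):
    """Flag HijackThis lines.

    remove_keys: O4 value names already chosen for removal (case-insensitive).
    Also flags O4 commands given as a bare filename (resolved by a PATH search at
    logon, so the file actually run is harder to verify) and O23 services whose
    binary is "(file missing)" (orphaned entries left behind by an uninstall).
    """
    wanted = {k.lower() for k in remove_keys}
    flagged = {"remove": [], "unqualified": [], "orphaned_service": []}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            if key.lower() in wanted:
                flagged["remove"].append(line)
            # Quoted commands carry the path between the first pair of quotes.
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:
                flagged["unqualified"].append(key)
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            flagged["orphaned_service"].append(m.group("name"))
    return flagged


if __name__ == "__main__":
    scan = triage_scan(SCAN_SAMPLE)
    for bucket, items in scan.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
    hjt = review_hjt(HJT_SAMPLE, ["ViewMgr"])
    for bucket, items in hjt.items():
        print(f"{bucket}: {items}")
```

On the sample above, the only two "active" hits are `webinst.dll` and `windows_tobedeleted_old`, which are exactly the file and folder the helper asks to delete by hand; the "locked" bucket is the ordinary set of hives and event logs that no scanner can open while Windows is running, and is not evidence of infection.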

#11 jonfong

jonfong

    New Member

  • New Member
  • 6 posts

Posted 29 January 2008 - 07:28 PM

jpshortstuff, thanks for all the help. My computer has been running just like it was before the virus/trojans came to my computer. You're a life saver. Thanks again.

#12 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 30 January 2008 - 01:34 AM

If you want to post another HijackThis log to look over just to make sure you're all cleaned up, go ahead. You did have a nasty infection, no harm in checking.


#13 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 04 February 2008 - 06:05 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


