
Computer virus, cant remove

Discussion in 'Malware and Virus Removal Archive' started by AdmSirRed, 2008/03/05.

  1. 2008/03/05
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    I am trying to help my sister, who seems to have gotten some kind of virus on her computer. I have done many scans with many different programs, but none of them seem to work. I am busy trying to find out the name of the virus on her computer, but I'm not sure yet.

    So far what I've found is that it attaches itself to other programs, but I could be wrong. I tried going in and manually removing the files that were infected, but what I removed did not fix it (I removed the sound driver before I noticed the virus was just attached to it).

    I have run out of ideas on what to try, so I decided to come here for some help. I hope I did this right.

    The following is the log. Once I find the name of the virus, or a suspected name, I will post that as well.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:02:59 PM, on 3/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkll.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe "
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKLM\..\Run: [BM47d97be7] Rundll32.exe "C:\WINDOWS\system32\emypltqo.dll ",s
    O4 - HKLM\..\Run: [44ea487b] rundll32.exe "C:\WINDOWS\system32\wnqcsnhq.dll ",b
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\gui1.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tiffany\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thanks for any help I can get; I have been working on this for a couple of weeks now.
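As an added triage example (not from the original post, and not output of HijackThis itself), the script below applies a few heuristics to lines copied from the log above: a win.ini load= autostart, Run values with hex-looking names that invoke rundll32 on an eight-letter DLL, file names with a space before the extension, and orphaned entries. The heuristics, including the rule that eight lowercase letters counts as "random-looking", are this example's own assumptions; a hit means "a human should look at this line", not "this is malware".

```python
"""Triage heuristics for HijackThis log lines.

Added example, not part of the original post or of HijackThis itself. The
sample lines are copied from the log posted above; the heuristics are this
example's own assumptions and only mark lines for a human to review.
"""
from __future__ import annotations

import re

# Constructed sample: a subset of the lines from the first posted log.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkll.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [BM47d97be7] Rundll32.exe "C:\WINDOWS\system32\emypltqo.dll ",s
O4 - HKLM\..\Run: [44ea487b] rundll32.exe "C:\WINDOWS\system32\wnqcsnhq.dll ",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
"""

# win.ini load=/run= is a legacy autostart that modern software rarely uses.
WIN_INI_RE = re.compile(r"^F\d - REG:win\.ini: (load|run)=(\S.*)$")
# O4 Run value: hive, value name in [brackets], then the command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 <dll>[,entry]; captures the DLL path with or without quotes.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)\s*"?(?:,|$)', re.I)
RANDOM_BASENAME_RE = re.compile(r"^[a-z]{8}\.dll$")       # eight lowercase letters (assumption)
HEX_LABEL_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8}$")  # e.g. BM47d97be7, 44ea487b
SPACED_EXT_RE = re.compile(r"\S \.(exe|dll)\b", re.I)     # "avgas .exe" beside avgas.exe


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every log line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = WIN_INI_RE.match(line)
        if m:
            reasons.append(f"win.ini {m.group(1)}= autostart -> {m.group(2)}")
        m = O4_RE.match(line)
        if m:
            label, cmd = m.group("label"), m.group("cmd")
            if HEX_LABEL_RE.match(label):
                reasons.append(f"hex-looking Run value name '{label}'")
            r = RUNDLL_RE.match(cmd)
            if r:
                dll = r.group("dll").strip()
                why = f"rundll32 loads {dll}"
                if RANDOM_BASENAME_RE.match(dll.rsplit("\\", 1)[-1].lower()):
                    why += " (eight-letter random-looking name)"
                reasons.append(why)
        if SPACED_EXT_RE.search(line):
            reasons.append("space before the extension: look-alike of a legitimate file name")
        if "(no file)" in line:
            reasons.append("orphaned entry, target file missing (low priority)")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample above the script flags the win.ini load= entry, the two rundll32 Run values, the two spaced-extension Run values and the orphaned toolbar, and leaves the AVG, SoundMan and ctfmon entries alone; the spaced names are worth a second look because a Run value pointing at "avgas .exe" is not the same file as avgas.exe next to it.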
     
  2. 2008/03/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS AdmSirRed :)

    Download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.
     


  4. 2008/03/05
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    OK, I have done that and run it and everything; it seems to have gone smoothly. How do I know it worked? Do I have to post any kind of log here again?

    I have gone over a few things, a small test. Things seem to be working OK, but I still don't have a sound driver on it, and I was wondering if I could get help on that, or should I start a new thread for it?
     
    Last edited: 2008/03/05
  5. 2008/03/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post the C:\combofix.txt log and a new HijackThis log.
     
  6. 2008/03/05
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    Hijack list

    Logfile of HijackThis v1.99.1
    Scan saved at 10:49:59 PM, on 3/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe "
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\gui1.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tiffany\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Combo Fix

    ComboFix 08-03-05.1 - Tiffany 2008-03-05 22:03:03.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.156 [GMT -7:00]
    Running from: C:\Documents and Settings\Tiffany\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\WINDOWS\BM47d97be7.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\apsvdkgr.ini
    C:\WINDOWS\system32\axnupgni.dll
    C:\WINDOWS\system32\bafgxifp.dll
    C:\WINDOWS\system32\baithkbq.ini
    C:\WINDOWS\system32\bisewcsl.dll
    C:\WINDOWS\system32\blppvcbp.dll
    C:\WINDOWS\system32\cjyuwsbm.dll
    C:\WINDOWS\system32\cqaycvap.ini
    C:\WINDOWS\system32\crqprgma.dll
    C:\WINDOWS\system32\csvaynqd.dll
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\cuxfuefl.dll
    C:\WINDOWS\system32\cxqibalj.dll
    C:\WINDOWS\system32\dafxnnep.ini
    C:\WINDOWS\system32\deggmamx.dll
    C:\WINDOWS\system32\dfojdrtj.ini
    C:\WINDOWS\system32\dleqshsw.dll
    C:\WINDOWS\system32\dqmtxlrf.ini
    C:\WINDOWS\system32\dvdsvrjl.dll
    C:\WINDOWS\system32\eifkeutp.ini
    C:\WINDOWS\system32\emapgemb.dll
    C:\WINDOWS\system32\emypltqo.dll
    C:\WINDOWS\system32\eodlvtau.ini
    C:\WINDOWS\system32\euttocvw.ini
    C:\WINDOWS\system32\fauibccb.dll
    C:\WINDOWS\system32\fijcrkue.ini
    C:\WINDOWS\system32\fuiihsfc.dll
    C:\WINDOWS\system32\ggsarcwe.dll
    C:\WINDOWS\system32\gkgdjgyy.dll
    C:\WINDOWS\system32\gonmfcgc.ini
    C:\WINDOWS\system32\hhvxkqgw.dll
    C:\WINDOWS\system32\hmrklfxk.dll
    C:\WINDOWS\system32\hpudytvm.dll
    C:\WINDOWS\system32\hvnbskxa.dll
    C:\WINDOWS\system32\ieoyxsil.dll
    C:\WINDOWS\system32\ikbqmeys.ini
    C:\WINDOWS\system32\ilwbgdse.ini
    C:\WINDOWS\system32\jhepvuyo.dll
    C:\WINDOWS\system32\jkkll.dll
    C:\WINDOWS\system32\jkkll.exe
    C:\WINDOWS\system32\jmhkhnlf.dll
    C:\WINDOWS\system32\jonukeya.dll
    C:\WINDOWS\system32\jsuahlyk.dll
    C:\WINDOWS\system32\kecimknb.dll
    C:\WINDOWS\system32\khgwamiy.dll
    C:\WINDOWS\system32\khijyyjj.ini
    C:\WINDOWS\system32\kraflvgv.ini
    C:\WINDOWS\system32\kryddpia.dll
    C:\WINDOWS\system32\ktkhxxjs.dll
    C:\WINDOWS\system32\kxflkrmh.ini
    C:\WINDOWS\system32\ljjigec.dll
    C:\WINDOWS\system32\llkkj.ini
    C:\WINDOWS\system32\llkkj.ini2
    C:\WINDOWS\system32\lrmgvqmk.ini
    C:\WINDOWS\system32\mrqknwmn.dll
    C:\WINDOWS\system32\mvtyduph.ini
    C:\WINDOWS\system32\ngilfiod.dll
    C:\WINDOWS\system32\nlvulqby.ini
    C:\WINDOWS\system32\nmwnkqrm.ini
    C:\WINDOWS\system32\nnpjbbtb.dll
    C:\WINDOWS\system32\ntkdoxcj.dll
    C:\WINDOWS\system32\ojwdcbdl.ini
    C:\WINDOWS\system32\oppvxone.dll
    C:\WINDOWS\system32\osslkums.dll
    C:\WINDOWS\system32\oyoxgeti.ini
    C:\WINDOWS\system32\pfixgfab.ini
    C:\WINDOWS\system32\piuiekpv.dll
    C:\WINDOWS\system32\pjyldqst.dll
    C:\WINDOWS\system32\pooqeaie.ini
    C:\WINDOWS\system32\qbkhtiab.dll
    C:\WINDOWS\system32\qhnscqnw.ini
    C:\WINDOWS\system32\qhsslhpf.ini
    C:\WINDOWS\system32\qukmmcuv.ini
    C:\WINDOWS\system32\qvjdikpq.dll
    C:\WINDOWS\system32\qwujvfim.ini
    C:\WINDOWS\system32\rbxmobno.ini
    C:\WINDOWS\system32\rlroreoq.ini
    C:\WINDOWS\system32\rrmjgxoi.dll
    C:\WINDOWS\system32\sioyhrwf.ini
    C:\WINDOWS\system32\smuklsso.ini
    C:\WINDOWS\system32\tayrexfm.dll
    C:\WINDOWS\system32\tdincvpv.dll
    C:\WINDOWS\system32\tgahfnlq.dll
    C:\WINDOWS\system32\tsqdlyjp.ini
    C:\WINDOWS\system32\uhjufeke.dll
    C:\WINDOWS\system32\wgqkxvhh.ini
    C:\WINDOWS\system32\wkdqaerp.ini
    C:\WINDOWS\system32\wnqcsnhq.dll
    C:\WINDOWS\system32\wxgkghgo.dll
    C:\WINDOWS\system32\wxwiyblv.dll
    C:\WINDOWS\system32\xlekhrxa.dll
    C:\WINDOWS\system32\xsockrkv.dll
    C:\WINDOWS\system32\yasekxwx.dll
    C:\WINDOWS\system32\ybfkndsp.ini
    C:\WINDOWS\system32\yimawghk.ini
    C:\WINDOWS\system32\ysmxjmkg.ini
    C:\WINDOWS\system32\ytpigqbm.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NTNDIS
    -------\ntndis


    ((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
    .

    2008-02-09 10:13 . 2008-02-09 10:13 315,392 --a------ C:\WINDOWS\HideWin.exe
    2008-02-09 09:35 . 2008-02-13 19:30 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-02-09 09:35 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.EXE
    2008-02-09 09:35 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2008-02-09 09:35 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
    2008-02-09 09:34 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
    2008-02-09 09:34 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2008-02-09 09:34 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-02-09 09:34 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
    2008-02-09 09:34 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
    2008-02-09 08:56 . 2008-02-09 08:56 <DIR> d-------- C:\Program Files\VIAudioi
    2008-02-09 08:56 . 2005-01-05 15:21 36,864 --a------ C:\WINDOWS\system32\UnAudioNT.dll
    2008-02-09 08:52 . 2004-11-01 15:19 163,712 --a------ C:\WINDOWS\system32\drivers\vinyl97.sys
    2008-02-09 08:38 . 2008-02-09 08:38 <DIR> d-------- C:\swsetup
    2008-02-09 08:06 . 2008-02-09 08:49 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-09 08:02 . 2008-02-09 08:48 <DIR> d-------- C:\Analogue devices
    2008-02-07 20:26 . 2008-02-07 20:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-07 20:25 . 2008-02-07 21:56 <DIR> d-------- C:\Documents and Settings\Tiffany\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-06 02:04 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AVG7
    2008-02-28 23:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
    2008-02-28 23:10 --------- d-----w C:\Program Files\Windows Live
    2008-02-28 23:05 --------- d-----w C:\Program Files\StarForge
    2008-02-28 23:05 --------- d-----w C:\Program Files\Starcraft
    2008-02-28 23:04 --------- d-----w C:\Program Files\Common Files\NewSoft
    2008-02-28 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 23:00 --------- d-----w C:\Program Files\MySpace
    2008-02-28 22:59 --------- d-----w C:\Program Files\Microsoft Games
    2008-02-28 22:58 --------- d-----w C:\Program Files\Guild Wars
    2008-02-28 22:58 --------- d-----w C:\Program Files\Google
    2008-02-28 22:55 --------- d-----w C:\Program Files\DJ Music Mixer
    2008-02-28 21:43 --------- d-----w C:\Program Files\Common Files\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Jesse\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Hellrazer\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Chris\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
    2008-02-22 07:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-19 05:48 --------- d-----w C:\Program Files\Diablo II2
    2008-01-30 06:30 --------- d-----w C:\Program Files\QuickTime
    2008-01-30 06:30 --------- d-----w C:\Program Files\Incomplete
    2008-01-29 23:25 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\Grisoft
    2008-01-29 23:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
    2008-01-29 02:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-01-29 02:07 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 02:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-20 22:49 40,183 --sh--w C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    2007-12-15 04:35 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2006-01-23 21:35 64 ----a-w C:\Program Files\BF-X5.ini
    2005-04-29 04:42 77 ----a-w C:\Program Files\Desktop.ini
    2004-12-27 08:13 8,007,680 ----a-w C:\Program Files\Microsoft.mshtml.dll
    2004-12-27 08:13 5,694 ----a-w C:\Program Files\ico 5.ico
    2004-12-27 08:13 45,056 ----a-w C:\Program Files\AxInterop.SHDocVw.dll
    2004-12-27 08:13 122,880 ----a-w C:\Program Files\Interop.SHDocVw.dll
    2004-12-27 08:13 1,406 ----a-w C:\Program Files\donate.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\up.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\down.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chaton.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chatoff.ico
    2004-11-27 05:08 139,264 ----a-w C:\Program Files\BF-X5.exe
    .
    ----a-w           125,528 2008-01-29 22:23:34  C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager .exe
    ----a-w           125,528 2008-01-29 22:24:06  C:\Program Files\Common Files\AOL\1166158722\EE\AOLHOS~1 .EXE
    ----a-w            79,448 2008-01-29 22:23:38  C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler .exe
    ----a-w           185,896 2008-01-29 22:23:39  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            30,208 2008-01-29 22:23:30  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w            49,152 2008-01-29 22:23:31  C:\Program Files\CyberLink\PowerDVD\Language\Language .exe
    ----a-w           421,888 2008-01-29 22:23:28  C:\Program Files\Grisoft\AVG Free\avgcc .exe
    ----a-w           353,280 2008-01-29 22:23:31  C:\Program Files\Grisoft\AVG Free\avgemc .exe
    ----a-w           132,496 2008-01-29 22:23:34  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
    ----a-w         4,670,968 2008-01-21 17:50:31  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
    ----a-w           968,696 2008-01-29 22:23:45  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
    ----a-w            15,360 2008-02-14 03:04:37  C:\WINDOWS\system32\ctfmon .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr .exe" [ ]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
    "AVG7_EMC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [ ]
    "HostManager "= "C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe" [ ]
    "AOL Spyware Protection "= "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
    "AudioDeck "= "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [ ]
    "SoundMan "= "SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\StubInstaller.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1166158722\\EE\\AOLServiceHost.exe "=
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe "=
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe "=
    "C:\\Program Files\\America Online 9.0a\\waol.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Endangered Species Trial Version\\zt.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Trial Version\\zt2demoretail.exe "=

    S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
    S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Tiffany\LOCALS~1\Temp\iMSPCLOj.sys []
    S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 02:59]
    S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 02:59]
    S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220abe93-bc52-11db-b13a-00038a000015}]
    \Shell\AutoRun\command - F:\Installer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60997ee-ddb5-11da-9bba-806d6172696f}]
    \Shell\AutoRun\command - E:\SETUP.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-07 16:03:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-16 16:00:01 C:\WINDOWS\Tasks\rpc.job "
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-05 22:13:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-05 22:15:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-06 05:15:54
    .
    2008-02-28 23:20:18 --- E O F ---


    OK, those are the two.
     
  7. 2008/03/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Check the Add/Remove Programs list for RegistryPowerCleaner by Winferno and remove it if listed.
    Make sure the C:\Program Files\Winferno folder gets deleted afterwards.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\WINDOWS\Tasks\rpc.job
    RenV::
    C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager .exe
    C:\Program Files\Common Files\AOL\1166158722\EE\AOLHOS~1 .EXE
    C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler .exe
    C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    C:\Program Files\CyberLink\PowerDVD\Language\Language .exe
    C:\Program Files\Grisoft\AVG Free\avgcc .exe
    C:\Program Files\Grisoft\AVG Free\avgemc .exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
    C:\WINDOWS\system32\ctfmon .exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  8. 2008/03/07
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    ComboFix 08-03-05.1 - Tiffany 2008-03-07 15:35:54.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -7:00]
    Running from: C:\Documents and Settings\Tiffany\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Tiffany\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\WINDOWS\Tasks\rpc.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\WINDOWS\Tasks\rpc.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
    .

    2008-02-09 10:13 . 2008-02-09 10:13 315,392 --a------ C:\WINDOWS\HideWin.exe
    2008-02-09 09:35 . 2008-02-13 19:30 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-02-09 09:35 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.EXE
    2008-02-09 09:35 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2008-02-09 09:35 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
    2008-02-09 09:34 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
    2008-02-09 09:34 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2008-02-09 09:34 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-02-09 09:34 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
    2008-02-09 09:34 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
    2008-02-09 08:56 . 2008-02-09 08:56 <DIR> d-------- C:\Program Files\VIAudioi
    2008-02-09 08:56 . 2005-01-05 15:21 36,864 --a------ C:\WINDOWS\system32\UnAudioNT.dll
    2008-02-09 08:52 . 2004-11-01 15:19 163,712 --a------ C:\WINDOWS\system32\drivers\vinyl97.sys
    2008-02-09 08:38 . 2008-02-09 08:38 <DIR> d-------- C:\swsetup
    2008-02-09 08:06 . 2008-02-09 08:49 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-09 08:02 . 2008-02-09 08:48 <DIR> d-------- C:\Analogue devices
    2008-02-07 20:26 . 2008-02-07 20:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-07 20:25 . 2008-02-07 21:56 <DIR> d-------- C:\Documents and Settings\Tiffany\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-07 07:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-06 23:36 --------- d-----w C:\Program Files\Diablo II2
    2008-03-06 02:04 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AVG7
    2008-02-28 23:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
    2008-02-28 23:10 --------- d-----w C:\Program Files\Windows Live
    2008-02-28 23:05 --------- d-----w C:\Program Files\StarForge
    2008-02-28 23:05 --------- d-----w C:\Program Files\Starcraft
    2008-02-28 23:04 --------- d-----w C:\Program Files\Common Files\NewSoft
    2008-02-28 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 23:00 --------- d-----w C:\Program Files\MySpace
    2008-02-28 22:59 --------- d-----w C:\Program Files\Microsoft Games
    2008-02-28 22:58 --------- d-----w C:\Program Files\Guild Wars
    2008-02-28 22:58 --------- d-----w C:\Program Files\Google
    2008-02-28 22:55 --------- d-----w C:\Program Files\DJ Music Mixer
    2008-02-28 21:43 --------- d-----w C:\Program Files\Common Files\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Jesse\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Hellrazer\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Chris\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
    2008-01-30 06:30 --------- d-----w C:\Program Files\QuickTime
    2008-01-30 06:30 --------- d-----w C:\Program Files\Incomplete
    2008-01-29 23:25 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\Grisoft
    2008-01-29 23:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
    2008-01-29 02:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-01-29 02:07 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 02:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-15 04:35 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2006-01-23 21:35 64 ----a-w C:\Program Files\BF-X5.ini
    2005-04-29 04:42 77 ----a-w C:\Program Files\Desktop.ini
    2004-12-27 08:13 8,007,680 ----a-w C:\Program Files\Microsoft.mshtml.dll
    2004-12-27 08:13 5,694 ----a-w C:\Program Files\ico 5.ico
    2004-12-27 08:13 45,056 ----a-w C:\Program Files\AxInterop.SHDocVw.dll
    2004-12-27 08:13 122,880 ----a-w C:\Program Files\Interop.SHDocVw.dll
    2004-12-27 08:13 1,406 ----a-w C:\Program Files\donate.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\up.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\down.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chaton.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chatoff.ico
    2004-11-27 05:08 139,264 ----a-w C:\Program Files\BF-X5.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-05_22.15.29.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-02-19 05:46:01 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    + 2008-03-06 23:36:18 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-01-21 10:50 4670968]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr .exe" [ ]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-29 15:23 421888]
    "AVG7_EMC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-01-29 15:23 353280]
    "HostManager "= "C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe" [2008-01-29 15:23 125528]
    "AOL Spyware Protection "= "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2008-01-29 15:23 79448]
    "AudioDeck "= "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [ ]
    "SoundMan "= "SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\StubInstaller.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1166158722\\EE\\AOLServiceHost.exe "=
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe "=
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe "=
    "C:\\Program Files\\America Online 9.0a\\waol.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Endangered Species Trial Version\\zt.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Trial Version\\zt2demoretail.exe "=

    S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
    S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Tiffany\LOCALS~1\Temp\iMSPCLOj.sys []
    S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 02:59]
    S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 02:59]
    S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220abe93-bc52-11db-b13a-00038a000015}]
    \Shell\AutoRun\command - F:\Installer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60997ee-ddb5-11da-9bba-806d6172696f}]
    \Shell\AutoRun\command - E:\SETUP.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-07 16:03:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-07 15:42:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLServiceHost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-07 15:45:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-07 22:45:29
    ComboFix2.txt 2008-03-06 05:15:59
    .
    2008-03-07 21:17:13 --- E O F ---
     
  9. 2008/03/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!AVG Anti-Spyware"=-
    Driver::
    iMSPCLOj
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
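    As an added example (not part of the original thread, of ComboFix, or of the helper's scripts): a Python triage script that reads a constructed excerpt mirroring the "Reg Loading Points" section posted above, flags the indicators the two CFScripts acted on (Run values pointing at a missing "name .exe" file, a driver loading from a Temp folder, Security Center and firewall values that silence protection, removable-drive AutoRun commands), and drafts the Registry::/Driver:: sections of the second fix for a human to review. The sample lines, the regexes and the PROTECTION_ON table are assumptions of the example, not ComboFix's own format definition.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not part of ComboFix or of the original posts.
Flags what the helper acted on (Run values pointing at a missing "name .exe",
a driver loading from Temp, Security Center/firewall values that silence
protection, removable-drive AutoRun commands) and drafts the Registry::/Driver::
CFScript sections of the second fix for a human to review.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the kind of output posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-01-21 10:50 4670968]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Tiffany\LOCALS~1\Temp\iMSPCLOj.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220abe93-bc52-11db-b13a-00038a000015}]
\Shell\AutoRun\command - F:\Installer.exe
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
FLAG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+)\s*\(0x)')
SERVICE = re.compile(r"^S[0-4]\s+(?P<svc>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]$")
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
SPACED_EXT = re.compile(r"\s\.(exe|dll|sys|scr|com)$", re.IGNORECASE)  # "avgas .exe"
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)

# What each Security Center / firewall value reads when protection is on.
# EnableFirewall=0 is also what a third-party firewall (ZoneAlarm here) leaves
# behind, so these are "review" findings, not proof of infection by themselves.
PROTECTION_ON = {"AntiVirusOverride": 0, "DisableMonitoring": 0, "EnableFirewall": 1}


@dataclass(frozen=True)
class Finding:
    kind: str    # spaced-ext | protection-off | temp-driver | autorun
    key: str     # registry key (or service name) the finding belongs to
    detail: str  # value name, "name=value", binary path or AutoRun command


def triage(log: str) -> list[Finding]:
    """Walk the excerpt line by line and collect findings in log order."""
    findings: list[Finding] = []
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if m := KEY_LINE.match(line):
            key = m["key"]                      # remember the section we are in
        elif m := RUN_VALUE.match(line):
            # Spaced extension plus an empty "[ ]" stamp: the target is missing.
            if SPACED_EXT.search(m["path"]) and not m["stamp"].strip():
                findings.append(Finding("spaced-ext", key, m["name"]))
        elif m := FLAG_VALUE.match(line):
            value = int(m["hex"], 16) if m["hex"] else int(m["dec"])
            if m["name"] in PROTECTION_ON and value != PROTECTION_ON[m["name"]]:
                findings.append(Finding("protection-off", key, f'{m["name"]}={value}'))
        elif m := SERVICE.match(line):
            if TEMP_DIR.search(m["path"]):      # a driver has no business in Temp
                findings.append(Finding("temp-driver", m["svc"], m["path"].strip()))
        elif m := AUTORUN.match(line):
            findings.append(Finding("autorun", key, m["cmd"]))
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """Lay out Registry:: and Driver:: sections the way the helper's script does."""
    out: list[str] = []
    run_values = [f for f in findings if f.kind == "spaced-ext"]
    if run_values:
        out.append("Registry::")
        for key in dict.fromkeys(f.key for f in run_values):  # log order, no repeats
            out.append(f"[{key}]")
            out.extend(f'"{f.detail}"=-' for f in run_values if f.key == key)
    drivers = [f for f in findings if f.kind == "temp-driver"]
    if drivers:
        out.append("Driver::")
        out.extend(f.key for f in drivers)
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:15} {f.key}  ->  {f.detail}")
    print("\n--- CFScript draft (review before use) ---")
    print(draft_cfscript(found))
```

On the constructed sample the draft reproduces the helper's second script (the two Run value deletions and the iMSPCLOj driver) while leaving the benign AudioDeck entry alone, since it has no spaced extension.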
     
  10. 2008/03/08
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 3:15:43 PM, on 3/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLServiceHost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe "
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\gui1.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tiffany\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    New combo log:

    ComboFix 08-03-05.1 - Tiffany 2008-03-07 15:35:54.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -7:00]
    Running from: C:\Documents and Settings\Tiffany\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Tiffany\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\WINDOWS\Tasks\rpc.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\WINDOWS\Tasks\rpc.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
    .

    2008-02-09 10:13 . 2008-02-09 10:13 315,392 --a------ C:\WINDOWS\HideWin.exe
    2008-02-09 09:35 . 2008-02-13 19:30 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-02-09 09:35 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.EXE
    2008-02-09 09:35 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2008-02-09 09:35 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
    2008-02-09 09:34 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
    2008-02-09 09:34 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2008-02-09 09:34 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-02-09 09:34 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
    2008-02-09 09:34 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
    2008-02-09 08:56 . 2008-02-09 08:56 <DIR> d-------- C:\Program Files\VIAudioi
    2008-02-09 08:56 . 2005-01-05 15:21 36,864 --a------ C:\WINDOWS\system32\UnAudioNT.dll
    2008-02-09 08:52 . 2004-11-01 15:19 163,712 --a------ C:\WINDOWS\system32\drivers\vinyl97.sys
    2008-02-09 08:38 . 2008-02-09 08:38 <DIR> d-------- C:\swsetup
    2008-02-09 08:06 . 2008-02-09 08:49 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-09 08:02 . 2008-02-09 08:48 <DIR> d-------- C:\Analogue devices
    2008-02-07 20:26 . 2008-02-07 20:25 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-07 20:25 . 2008-02-07 21:56 <DIR> d-------- C:\Documents and Settings\Tiffany\.housecall6.6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-07 07:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-06 23:36 --------- d-----w C:\Program Files\Diablo II2
    2008-03-06 02:04 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AVG7
    2008-02-28 23:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
    2008-02-28 23:10 --------- d-----w C:\Program Files\Windows Live
    2008-02-28 23:05 --------- d-----w C:\Program Files\StarForge
    2008-02-28 23:05 --------- d-----w C:\Program Files\Starcraft
    2008-02-28 23:04 --------- d-----w C:\Program Files\Common Files\NewSoft
    2008-02-28 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 23:00 --------- d-----w C:\Program Files\MySpace
    2008-02-28 22:59 --------- d-----w C:\Program Files\Microsoft Games
    2008-02-28 22:58 --------- d-----w C:\Program Files\Guild Wars
    2008-02-28 22:58 --------- d-----w C:\Program Files\Google
    2008-02-28 22:55 --------- d-----w C:\Program Files\DJ Music Mixer
    2008-02-28 21:43 --------- d-----w C:\Program Files\Common Files\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Jesse\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Hellrazer\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Chris\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
    2008-01-30 06:30 --------- d-----w C:\Program Files\QuickTime
    2008-01-30 06:30 --------- d-----w C:\Program Files\Incomplete
    2008-01-29 23:25 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\Grisoft
    2008-01-29 23:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
    2008-01-29 02:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-01-29 02:07 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 02:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-15 04:35 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2006-01-23 21:35 64 ----a-w C:\Program Files\BF-X5.ini
    2005-04-29 04:42 77 ----a-w C:\Program Files\Desktop.ini
    2004-12-27 08:13 8,007,680 ----a-w C:\Program Files\Microsoft.mshtml.dll
    2004-12-27 08:13 5,694 ----a-w C:\Program Files\ico 5.ico
    2004-12-27 08:13 45,056 ----a-w C:\Program Files\AxInterop.SHDocVw.dll
    2004-12-27 08:13 122,880 ----a-w C:\Program Files\Interop.SHDocVw.dll
    2004-12-27 08:13 1,406 ----a-w C:\Program Files\donate.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\up.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\down.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chaton.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chatoff.ico
    2004-11-27 05:08 139,264 ----a-w C:\Program Files\BF-X5.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-05_22.15.29.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-02-19 05:46:01 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    + 2008-03-06 23:36:18 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-01-21 10:50 4670968]
    "MsnMsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr .exe" [ ]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-29 15:23 421888]
    "AVG7_EMC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-01-29 15:23 353280]
    "HostManager "= "C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe" [2008-01-29 15:23 125528]
    "AOL Spyware Protection "= "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2008-01-29 15:23 79448]
    "AudioDeck "= "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [ ]
    "SoundMan "= "SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\StubInstaller.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1166158722\\EE\\AOLServiceHost.exe "=
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe "=
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe "=
    "C:\\Program Files\\America Online 9.0a\\waol.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Endangered Species Trial Version\\zt.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Trial Version\\zt2demoretail.exe "=

    S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
    S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Tiffany\LOCALS~1\Temp\iMSPCLOj.sys []
    S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 02:59]
    S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 02:59]
    S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220abe93-bc52-11db-b13a-00038a000015}]
    \Shell\AutoRun\command - F:\Installer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60997ee-ddb5-11da-9bba-806d6172696f}]
    \Shell\AutoRun\command - E:\SETUP.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-07 16:03:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-07 15:42:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLServiceHost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-07 15:45:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-07 22:45:29
    ComboFix2.txt 2008-03-06 05:15:59
    .
    2008-03-07 21:17:13 --- E O F ---
     
  11. 2008/03/08
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    I'm sorry, please ignore the first post; I thought I had already run it, but I hadn't. Here's the updated version.

    ComboFix 08-03-05.1 - Tiffany 2008-03-08 15:18:41.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT -7:00]
    Running from: C:\Documents and Settings\Tiffany\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Tiffany\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
    .

    2008-02-09 10:13 . 2008-02-09 10:13 315,392 --a------ C:\WINDOWS\HideWin.exe
    2008-02-09 09:35 . 2008-02-13 19:30 <DIR> d-------- C:\Program Files\Realtek AC97
    2008-02-09 09:35 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.EXE
    2008-02-09 09:35 . 2008-01-24 16:36 4,127,488 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2008-02-09 09:35 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
    2008-02-09 09:34 . 2006-11-17 05:40 18,804,736 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
    2008-02-09 09:34 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\SOUNDMAN.EXE
    2008-02-09 09:34 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
    2008-02-09 09:34 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
    2008-02-09 09:34 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
    2008-02-09 08:56 . 2008-02-09 08:56 <DIR> d-------- C:\Program Files\VIAudioi
    2008-02-09 08:56 . 2005-01-05 15:21 36,864 --a------ C:\WINDOWS\system32\UnAudioNT.dll
    2008-02-09 08:52 . 2004-11-01 15:19 163,712 --a------ C:\WINDOWS\system32\drivers\vinyl97.sys
    2008-02-09 08:38 . 2008-02-09 08:38 <DIR> d-------- C:\swsetup
    2008-02-09 08:06 . 2008-02-09 08:49 <DIR> d-------- C:\Program Files\Analog Devices
    2008-02-09 08:02 . 2008-02-09 08:48 <DIR> d-------- C:\Analogue devices

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-08 15:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-06 23:36 --------- d-----w C:\Program Files\Diablo II2
    2008-03-06 02:04 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AVG7
    2008-02-28 23:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
    2008-02-28 23:10 --------- d-----w C:\Program Files\Windows Live
    2008-02-28 23:05 --------- d-----w C:\Program Files\StarForge
    2008-02-28 23:05 --------- d-----w C:\Program Files\Starcraft
    2008-02-28 23:04 --------- d-----w C:\Program Files\Common Files\NewSoft
    2008-02-28 23:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 23:00 --------- d-----w C:\Program Files\MySpace
    2008-02-28 22:59 --------- d-----w C:\Program Files\Microsoft Games
    2008-02-28 22:58 --------- d-----w C:\Program Files\Guild Wars
    2008-02-28 22:58 --------- d-----w C:\Program Files\Google
    2008-02-28 22:55 --------- d-----w C:\Program Files\DJ Music Mixer
    2008-02-28 21:43 --------- d-----w C:\Program Files\Common Files\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Jesse\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Hellrazer\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\Chris\Application Data\AOL
    2008-02-28 21:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
    2008-02-08 03:25 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-30 06:30 --------- d-----w C:\Program Files\QuickTime
    2008-01-30 06:30 --------- d-----w C:\Program Files\Incomplete
    2008-01-29 23:25 --------- d-----w C:\Documents and Settings\Tiffany\Application Data\Grisoft
    2008-01-29 23:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
    2008-01-29 02:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-01-29 02:07 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 02:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-15 04:35 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
    2006-01-23 21:35 64 ----a-w C:\Program Files\BF-X5.ini
    2005-04-29 04:42 77 ----a-w C:\Program Files\Desktop.ini
    2004-12-27 08:13 8,007,680 ----a-w C:\Program Files\Microsoft.mshtml.dll
    2004-12-27 08:13 5,694 ----a-w C:\Program Files\ico 5.ico
    2004-12-27 08:13 45,056 ----a-w C:\Program Files\AxInterop.SHDocVw.dll
    2004-12-27 08:13 122,880 ----a-w C:\Program Files\Interop.SHDocVw.dll
    2004-12-27 08:13 1,406 ----a-w C:\Program Files\donate.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\up.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\down.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chaton.ico
    2004-12-27 08:13 1,078 ----a-w C:\Program Files\chatoff.ico
    2004-11-27 05:08 139,264 ----a-w C:\Program Files\BF-X5.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-05_22.15.29.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-02-19 05:46:01 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    + 2008-03-06 23:36:18 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-01-21 10:50 4670968]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-29 15:23 421888]
    "AVG7_EMC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-01-29 15:23 353280]
    "HostManager "= "C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe" [2008-01-29 15:23 125528]
    "AOL Spyware Protection "= "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2008-01-29 15:23 79448]
    "AudioDeck "= "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [ ]
    "SoundMan "= "SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\StubInstaller.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe "=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe "=
    "C:\\Program Files\\Common Files\\AOL\\1166158722\\EE\\AOLServiceHost.exe "=
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe "=
    "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe "=
    "C:\\Program Files\\America Online 9.0a\\waol.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Endangered Species Trial Version\\zt.exe "=
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2 Trial Version\\zt2demoretail.exe "=

    S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
    S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 02:59]
    S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 02:59]
    S3 USBCamera;FashionCam Digital Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220abe93-bc52-11db-b13a-00038a000015}]
    \Shell\AutoRun\command - F:\Installer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60997ee-ddb5-11da-9bba-806d6172696f}]
    \Shell\AutoRun\command - E:\SETUP.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-07 16:03:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-08 15:24:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLServiceHost.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-08 15:27:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-08 22:27:31
    ComboFix2.txt 2008-03-07 22:45:35
    ComboFix3.txt 2008-03-06 05:15:59
    .
    2008-03-08 10:01:38 --- E O F ---

    HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 3:33:21 PM, on 3/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\116615~1\EE\AOLServiceHost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1166158722\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe "
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\gui1.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tiffany\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  12. 2008/03/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. One of the infections you had disabled AVG AntiSpyware from starting with Windows. You can remedy that by clicking Start>All Programs>AVG AntiSpyware. Once it opens, an icon for it will appear in your Notification area (down by the clock). Right click the icon and select Start with Windows. You can then close the AVG AntiSpyware application.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot

    Now let's get an online scan to see if we've missed anything. Please do an online scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log here please.
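    A way to triage the "Reg Loading Points" section of the ComboFix logs posted above, as an added example (not code from this thread or from ComboFix): it flags what a helper reads off that section, i.e. the Security Center overrides, the disabled Windows Firewall profile, the cached AutoRun commands under mountpoints2, a driver registered from a Temp folder, and Run entries whose target file ComboFix could not find (the AVG Anti-Spyware entry mentioned in the reply above). The sample text is constructed from lines in this thread, and the severities are this example's own judgement.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example,
not ComboFix code). It reads the layout ComboFix prints: [key] headers,
"name"= "path" [date size] values, 'S2/S3 svc;desc;path [date]' driver lines
and mountpoints2 '\\Shell\\AutoRun\\command - X' lines."""
import re

# Constructed sample built from lines posted in this thread. The space before
# each closing quote is how the forum rendered the log; the parser tolerates it.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-29 15:23 421888]
"AudioDeck "= "C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [ ]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

S2 Ca536av;FashionCam Video Camera Device;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\Tiffany\LOCALS~1\Temp\iMSPCLOj.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220abe93-bc52-11db-b13a-00038a000015}]
\Shell\AutoRun\command - F:\Installer.exe
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<rest>.*)$')
TARGET_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
DRIVER_RE = re.compile(r'^S[0-4]\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>[^\[]+?)\s*\[(?P<meta>[^\]]*)\]$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$')


def triage(log_text):
    """Return a list of (severity, category, detail) findings for the section."""
    findings = []
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DRIVER_RE.match(line)
        if m:
            svc, path = m.group('svc'), m.group('path').strip()
            if '\\temp\\' in path.lower():
                # No vendor installs a kernel driver from a user's Temp folder.
                findings.append(('high', 'driver-from-temp', f'{svc}: {path}'))
            if not m.group('meta').strip():
                # Empty []: ComboFix found no file at that path (removed or hidden).
                findings.append(('medium', 'driver-file-missing', f'{svc}: {path}'))
            continue
        m = AUTORUN_RE.match(line)
        if m and 'mountpoints2' in key.lower():
            # Cached autorun.inf command for a removable or optical volume.
            findings.append(('high', 'autorun-mountpoint', m.group('cmd').strip()))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, rest = m.group('name').strip(), m.group('rest').strip()
        lkey, leaf = key.lower(), key.rsplit('\\', 1)[-1]
        if lkey.endswith('\\run'):
            t = TARGET_RE.match(rest)
            if t and not t.group('meta').strip():
                # Run value whose target is gone: a leftover of an uninstall, or a
                # protection knocked out of the startup chain (the AVG entry here).
                findings.append(('medium', 'run-target-missing', f'{name} -> {t.group("path")}'))
        elif 'security center' in lkey:
            if name.lower() == 'antivirusoverride' and rest.endswith('dword:00000001'):
                findings.append(('high', 'security-center-override',
                                 'AntiVirusOverride=1: Security Center AV warnings suppressed'))
            elif name.lower() == 'disablemonitoring' and rest.endswith('dword:00000001'):
                # Normal when a third-party product registers itself (ZoneAlarm here),
                # so worth a look but not an alarm by itself.
                findings.append(('low', 'security-center-override', f'DisableMonitoring=1 for {leaf}'))
        elif 'firewallpolicy' in lkey and name.lower() == 'enablefirewall' and rest.startswith('0'):
            # Expected when another firewall is installed; confirm that one is running.
            findings.append(('medium', 'firewall-disabled', f'EnableFirewall=0 in {leaf}'))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 4, 'low': 1}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for severity, category, detail in results:
        print(f'[{severity:6}] {category:24} {detail}')
    print(summary(results))
```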
     
  13. 2008/03/11
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    I clicked the link and followed it to the site; however, I was not prompted to download the ActiveX control, and still was not prompted even after clicking the "Scan now" button.
     
  14. 2008/03/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's run another tool then. Please download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  15. 2008/03/12
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.08
    Database version: 471

    Scan type: Full Scan (C:\|)
    Objects scanned: 124733
    Time elapsed: 44 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\The Weather Channel FW (Adware.Hotbar) -> Quarantined and deleted successfully.

    Files Infected:
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir (Adware.PurityScan) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{41D88CBE-861B-46BD-AFB6-7085CF7E8C4C}\RP583\A0264711.exe (Adware.Purityscan) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{41D88CBE-861B-46BD-AFB6-7085CF7E8C4C}\RP635\A0274845.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Explorer.001 (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Explorer.002 (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Explorer.005 (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  16. 2008/03/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Now, in your Internet Explorer browser, click Tools>Internet Options on the menu. Select the Security tab. Make sure Internet Zone is selected then click Default Level, then Apply.
    Now select the Programs tab and click Reset Web Settings. Your option when prompted for the Homepage to be reset.

    OK out, then close all open IE windows.
    Re-open IE and try the Kaspersky scan again.
     
  17. 2008/03/13
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    I did all of the following; however, it did not bring up the ActiveX control again.
     
  18. 2008/03/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please highlight and copy all of the bolded text below.

    cd "%systemroot%\Downlo~1"
    dir /s /a > "%userprofile%\desktop\DPF.txt"
    start notepad "%userprofile%\desktop\DPF.txt"
    exit
    cls


    Click Start>Run and type cmd, then hit Enter to open a command window. Right click in the command window and select Paste. This will create and open a directory listing of the folder that stores the ActiveX controls. The command window will close on its own. Please post the contents of the log that opens.
     
  19. 2008/03/13
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    Volume in drive C has no label.
    Volume Serial Number is 44EA-48D4

    Directory of C:\WINDOWS\DOWNLO~1

    11/28/2007 09:50 PM <DIR> .
    11/28/2007 09:50 PM <DIR> ..
    05/07/2006 11:08 AM 65 desktop.ini
    06/25/2006 12:50 PM 1,793 erma.inf
    11/01/2005 11:16 PM 406 FacebookPhotoUploader.inf
    11/03/2005 08:17 PM 1,935,120 FacebookPhotoUploader.ocx
    10/08/2007 09:21 PM 367 LegitCheckControl.inf
    10/24/2003 02:01 PM 278 MsnChat45.inf
    10/27/2003 11:35 AM 510,552 MSNChat45.ocx
    04/21/2005 09:59 AM 131,072 popcaploader.dll
    04/18/2005 01:45 PM 242 popcaploader.inf
    01/24/2007 10:24 PM 397,720 StagingUI.ocx
    02/19/2007 11:26 AM 159,128 ZIntro.ocx
    01/24/2007 10:24 PM 509,848 ZPAChat.ocx
    02/16/2007 02:25 PM 345,448 ZPA_KQRP.dll
    13 File(s) 3,992,039 bytes

    Total Files Listed:
    13 File(s) 3,992,039 bytes
    2 Dir(s) 150,509,264,896 bytes free
     
  20. 2008/03/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm ........ just to be sure, at the Kaspersky link above, you did click Scan Now? Then a new window opened prompting you to Accept or Decline? Once you accept, the window should change to the scanner and either begin installing files or prompt you to install an ActiveX control.
     
  21. 2008/03/14
    AdmSirRed

    AdmSirRed Inactive Thread Starter

    Joined:
    2008/03/05
    Messages:
    96
    Likes Received:
    0
    C:\System Volume Information\_restore{41D88CBE-861B-46BD-AFB6-7085CF7E8C4C}\RP646\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\TIFF.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\cpctdaas.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hxkuxody.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\qobpcbjs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\qoerorlr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\ZLT06214.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT06217.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    ******split here rest on second post******


    Finally got it working and that's the report.

    Said it was too large so I split it into 2 posts.
