
My Computer Has been Taken Over

Discussion in 'Malware and Virus Removal Archive' started by Chawni12, 2008/01/07.

  1. 2008/01/07
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    I guess I must have surfed on a site that was a big NO NO because my browser opens up all by itself to different sites now. I have tried running the SuperAnti-Spy program but every time I do, when I fix the "detected files" and reboot, Windows will not boot normally and I have to boot into safe mode and do a system restore. Windows boot is ok after that BUT the problem is still there. I have run Spybot S&D and it's still ******* up.
    Now the problem has got worse and I can't even open my browser to get on the internet. I also have a FAKE yellow Windows Security Alert icon in the bottom right corner of my task bar with a pop-up that keeps appearing.
    Can someone please give me some advice on how to GET RID of this THING? I'm desperate.

    Thanks in advance.
     
  2. 2008/01/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Chawni12 :)

    Please read this post, then install HijackThis and run a scan, then save the log. No need to post that log.

    Next, download and run Deckard's System Scanner, then post the main.txt log here.
     


  4. 2008/01/08
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    I followed your instructions. Here is the log. Thanks for your help. I appreciate it.


    Deckard's System Scanner v20071014.68
    Run by Debbie on 2008-01-08 06:14:27
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Failed to create restore point; System Restore is disabled (service is not running).


    -- Last 5 Restore Point(s) --
    11: 2008-01-07 01:28:42 UTC - RP339 - Restore Operation
    10: 2008-01-06 20:04:30 UTC - RP338 - Last known good configuration
    9: 2008-01-06 20:04:24 UTC - RP337 - Restore Operation
    8: 2008-01-06 20:04:24 UTC - RP336 - Installed SUPERAntiSpyware Free Edition
    7: 2008-01-06 18:53:35 UTC - RP335 - Last known good configuration


    -- First Restore Point --
    1: 2008-01-06 20:04:19 UTC - RP329 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Debbie.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:19:42 AM, on 1/8/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\hxjqcxfk.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\System32\svcd\svchost.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\DOCUME~1\Debbie\MYDOCU~1\ASKS~1\rundll32.exe
    C:\Program Files\Common Files\F?nts\n?pdb.exe
    C:\Program Files\Router\Router.exe
    C:\Program Files\Router\Router .exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Documents and Settings\Debbie\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Debbie.exe
    C:\WINDOWS\system32\ieupdates.exe
    C:\WINDOWS\system32\ieupdates.exe
    C:\WINDOWS\system32\ieupdates .exe

    F3 - REG:win.ini: run= "C:\WINDOWS\system32\winupdate.exe "
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
    O2 - BHO: (no name) - {106B1157-7D0F-4BF4-83FB-F94A047A996F} - C:\Program Files\MSN\homeq4444.dll (file missing)
    O2 - BHO: (no name) - {1302DD02-B337-4EE4-8F0A-75F3331F0024} - C:\WINDOWS\System32\gebcb.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {70C416F1-C968-4C8D-85B0-38D9A04F2FA7} - C:\Program Files\MSN\homeq83122.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {B68B8834-60D8-4A5D-DC2F-39E676860B9E} - C:\WINDOWS\System32\ipgebf.dll
    O2 - BHO: {50dfadfd-b593-a7f8-7964-69ded737618d} - {d816737d-ed96-4697-8f7a-395bdfdafd05} - C:\WINDOWS\System32\uhquhhej.dll
    O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\jkkliii.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe "
    O4 - HKCU\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
    O4 - HKCU\..\Run: [Mprr] "C:\DOCUME~1\Debbie\MYDOCU~1\ASKS~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Kwdd] "C:\Program Files\Common Files\F?nts\n?pdb.exe "
    O4 - HKCU\..\Run: [Router] "C:\Program Files\Router\Router.exe "
    O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137451203234
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137451278171
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O20 - Winlogon Notify: jkkliii - C:\WINDOWS\SYSTEM32\jkkliii.dll
    O20 - Winlogon Notify: yaywwut - yaywwut.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\hxjqcxfk.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Security Service (GSYW) - Unknown owner - C:\WINDOWS\System32\svcd\svchost.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prohdyxepr.html

    --
    End of file - 6892 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20080108-053857-274 O4 - HKLM\..\Run: [ptask] "C:\Program Files\SpyGuardPro\ptask.exe "
    backup-20080108-053857-357 O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
    backup-20080108-054402-200 O4 - HKLM\..\Run: [ecc1e442] rundll32.exe "C:\WINDOWS\System32\lvucbcwf.dll ",b
    backup-20080108-054402-399 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    backup-20080108-054402-815 O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe" -start

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>
    R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>
    R1 smwdmm - c:\windows\system32\drivers\smwdmm.sys
    R3 ntload (ntload v0.1) - c:\windows\system32\ntload.sys
    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20071220.001\symidsco.sys (file missing)
    S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 DomainService - c:\windows\system32\hxjqcxfk.exe /service <Not Verified; ; DDC>
    R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
    R2 GSYW (Security Service) - c:\windows\system32\svcd\svchost.exe
    R2 Serv-U (Serv-U FTP Server) - c:\program files\rhinosoft.com\serv-u\servudaemon.exe <Not Verified; Rhino Software, Inc. +1(262) 560-9627; Serv-U FTP Server>
    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_1058&PID_0910\5&1EDCBA0F&0&574341505A31353032373935
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_1058&PID_0910\5&1EDCBA0F&0&574341505A31353032373935
    Service: USBSTOR

    Class GUID:
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Service:


    -- Files created between 2007-12-08 and 2008-01-08 -----------------------------

    2008-01-08 04:10:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-08 04:09:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
    2008-01-08 04:09:06 50688 --a------ C:\WINDOWS\System32\ieupdates .exe
    2008-01-08 04:08:54 86188 --a------ C:\WINDOWS\System32\vmdriver .exe
    2008-01-08 04:05:52 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-08 04:05:20 155648 --a------ C:\WINDOWS\System32\ssleay32.dll
    2008-01-08 04:05:20 684032 --a------ C:\WINDOWS\System32\libeay32.dll
    2008-01-08 04:05:19 0 d-------- C:\Program Files\Webroot
    2008-01-08 04:05:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-08 04:03:48 0 d-------- C:\Documents and Settings\Debbie\Application Data\Webroot
    2008-01-07 22:55:27 0 d-------- C:\WINDOWS\ffri
    2008-01-07 22:55:27 0 d-------- C:\Program Files\Common Files\ffri
    2008-01-07 20:34:19 0 d--hs---- C:\SpyGuardPro
    2008-01-07 20:33:53 0 d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
    2008-01-07 20:33:51 0 d--hs---- C:\WINDOWS\RGViYmll
    2008-01-07 20:33:35 0 d-------- C:\Documents and Settings\Debbie\Application Data\SpyGuardPro
    2008-01-07 20:33:30 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
    2008-01-07 20:33:18 0 d-------- C:\Program Files\SpyGuardPro
    2008-01-07 20:33:18 0 d-------- C:\Program Files\Common Files\SpyGuardPro
    2008-01-07 20:31:35 39936 --a------ C:\WINDOWS\17PHolmes572.exe
    2008-01-07 20:31:17 41472 --a------ C:\WINDOWS\System32\cbxuurp.dll
    2008-01-07 20:29:03 41472 --a------ C:\WINDOWS\System32\wvuvuss.dll
    2008-01-07 20:28:35 0 d-------- C:\Program Files\Router
    2008-01-07 20:28:34 0 d-------- C:\Program Files\InetGet2
    2008-01-07 20:28:13 60928 --a------ C:\WINDOWS\System32\ipgebf.dll
    2008-01-07 20:28:13 0 d-------- C:\Program Files\Outerinfo
    2008-01-07 20:28:13 0 d-------- C:\Program Files\Common Files\F?nts
    2008-01-07 20:28:03 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    2008-01-07 20:27:56 41472 --a------ C:\WINDOWS\System32\jkkliii.dll
    2008-01-07 18:11:37 428544 --a------ C:\WINDOWS\System32\vmdriver.exe
    2008-01-07 17:14:52 0 d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10:33 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-07 15:11:03 90176 --a------ C:\WINDOWS\System32\lvucbcwf.dll
    2008-01-07 15:08:03 74304 --a------ C:\WINDOWS\System32\hxjqcxfk.exe <Not Verified; ; DDC>
    2008-01-07 15:05:03 76864 --a------ C:\WINDOWS\System32\uhquhhej.dll
    2008-01-07 07:03:17 240128 --a------ C:\WINDOWS\System32\winsrc.dll
    2008-01-07 07:03:17 393216 --a------ C:\WINDOWS\System32\ieupdates.exe
    2008-01-06 20:32:43 50688 --a------ C:\WINDOWS\System32\update32.exe
    2008-01-06 18:29:29 342528 --a------ C:\WINDOWS\System32\gebcb.exe
    2008-01-06 18:16:29 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-06 18:16:22 571904 --a------ C:\WINDOWS\System32\wscmp.dll
    2008-01-06 18:14:21 64512 --a------ C:\WINDOWS\System32\winupdate.exe
    2008-01-06 18:14:21 2752 --a------ C:\WINDOWS\System32\ntload.sys
    2008-01-06 18:14:05 64512 --a------ C:\WINDOWS\System32\TmpX.exe
    2008-01-06 18:11:54 0 d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46:49 0 d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:28:05 114 --a------ C:\WINDOWS\System32\url3
    2008-01-06 17:28:05 102 --a------ C:\WINDOWS\System32\url2
    2008-01-06 17:28:05 102 --a------ C:\WINDOWS\System32\url1
    2008-01-06 17:28:05 8 --a------ C:\WINDOWS\System32\CID
    2008-01-06 17:28:03 4 --a------ C:\WINDOWS\System32\SvcNm
    2008-01-06 17:28:03 0 d-------- C:\WINDOWS\System32\svcd
    2008-01-06 17:27:58 34816 --a------ C:\wndpilf.exe
    2008-01-06 15:27:12 0 d-------- C:\Program Files\RegCleaner
    2008-01-06 14:58:14 396601 --ahs---- C:\WINDOWS\System32\bcbeg.ini2
    2008-01-06 13:53:26 2621440 --a------ C:\Documents and Settings\Debbie\ntuser.dat
    2008-01-06 13:53:25 233472 --a------ C:\Documents and Settings\NetworkService\ntuser.dat
    2008-01-06 13:53:25 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
    2008-01-06 13:52:38 338944 --a------ C:\WINDOWS\System32\gebcb.dll
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Templates
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Local Settings
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Cookies
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Application Data
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-01-06 13:45:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-01-06 12:40:53 0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40:53 0 d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:34:31 0 d-------- C:\Program Files\Temporary
    2008-01-06 12:31:34 2 --a------ C:\WINDOWS\System32\wintsvcc.exe
    2008-01-06 12:31:31 0 d-------- C:\Documents and Settings\Debbie\Application Data\??mbols
    2008-01-06 12:31:29 135168 --a------ C:\WINDOWS\tk58.exe
    2008-01-06 12:31:10 39936 --a------ C:\WINDOWS\mrofinu1000106.exe
    2008-01-06 12:31:06 41472 --a------ C:\WINDOWS\System32\opnommj.dll
    2008-01-06 12:30:51 383488 --a------ C:\WINDOWS\mrofinu572.exe
    2008-01-06 12:30:41 86016 --a------ C:\WINDOWS\System32\drivers\smwdmm.sys
    2008-01-06 12:30:39 0 d-------- C:\WINDOWS\System32\usmvt3
    2008-01-06 12:30:39 0 d-------- C:\WINDOWS\System32\drivr3
    2008-01-06 12:30:39 0 d-------- C:\WINDOWS\System32\comp2
    2008-01-06 12:30:39 0 d-------- C:\WINDOWS\System32\cache3
    2008-01-06 12:30:26 0 d-------- C:\WINDOWS\System32\ardCo01
    2008-01-06 12:30:26 0 d-------- C:\Temp
    2008-01-06 12:24:54 0 d-------- C:\WINDOWS\Sun
    2008-01-06 12:24:54 0 d-------- C:\Documents and Settings\Debbie\Application Data\Sun
    2008-01-01 09:20:56 0 d-------- C:\WINDOWS\System32\appmgmt
    2007-12-31 13:21:20 53760 --a------ C:\WINDOWS\b122.exe
    2007-12-30 18:02:42 0 d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57:07 0 d-------- C:\Program Files\No-IP
    2007-12-27 12:55:13 0 d-------- C:\UFTP
    2007-12-25 10:42:17 0 d-------- C:\Program Files\Winamp
    2007-12-25 10:42:17 0 d-------- C:\Documents and Settings\Debbie\Application Data\Winamp
    2007-12-22 14:06:13 0 d-------- C:\Documents and Settings\Debbie\Application Data\Adobe
    2007-12-11 09:11:44 96256 --a------ C:\WINDOWS\b151.exe


    -- Find3M Report ---------------------------------------------------------------

    2008-01-08 05:47:42 0 d-------- C:\Program Files\Common Files
    2008-01-08 04:06:40 0 d-------- C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-07 20:28:13 0 d-------- C:\Program Files\Common Files\F?nts
    2008-01-06 20:23:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-01-06 18:12:21 0 d-------- C:\Program Files\Symantec
    2008-01-06 16:30:47 0 d-------- C:\Program Files\Azureus
    2008-01-06 15:19:23 0 d-------- C:\Documents and Settings\Debbie\Application Data\??mbols
    2008-01-06 15:04:11 458240 --a------ C:\WINDOWS\System32\igfxpers.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
    2008-01-06 15:04:10 437760 --a------ C:\WINDOWS\System32\igfxtray.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
    2008-01-06 15:04:10 421376 --a------ C:\WINDOWS\System32\hkcmd.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
    2008-01-06 15:04:10 0 d-------- C:\Program Files\Free Surfer
    2008-01-06 14:54:42 0 d-------- C:\Program Files\Windows NT
    2008-01-06 13:53:06 392704 --a------ C:\WINDOWS\SOUNDMAN.EXE <Not Verified; Avance Logic, Inc.; Avance Sound Manager>
    2008-01-06 07:47:28 0 d-------- C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-01 09:21:58 0 d-------- C:\Program Files\AIM
    2008-01-01 09:21:54 0 d-------- C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 09:19:44 0 d-------- C:\Program Files\Yahoo!
    2007-11-01 04:23:59 229376 --a------ C:\WINDOWS\b128.exe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}]
    01/07/2008 06:07 PM 240128 --a------ C:\WINDOWS\system32\winsrc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{106B1157-7D0F-4BF4-83FB-F94A047A996F}]
    C:\Program Files\MSN\homeq4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1302DD02-B337-4EE4-8F0A-75F3331F0024}]
    01/06/2008 01:52 PM 338944 --a------ C:\WINDOWS\System32\gebcb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70C416F1-C968-4C8D-85B0-38D9A04F2FA7}]
    C:\Program Files\MSN\homeq83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B68B8834-60D8-4A5D-DC2F-39E676860B9E}]
    11/01/2007 08:44 AM 60928 --a------ C:\WINDOWS\System32\ipgebf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d816737d-ed96-4697-8f7a-395bdfdafd05}]
    01/07/2008 03:05 PM 76864 --a------ C:\WINDOWS\System32\uhquhhej.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1759A31-E627-4758-9562-6899DF36C9C2}]
    01/07/2008 08:27 PM 41472 --a------ C:\WINDOWS\System32\jkkliii.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [01/08/2008 05:47 AM]
    "VideoDriverHook "= "C:\WINDOWS\System32\vmdriver.exe" [01/08/2008 05:47 AM]
    "SpyHunter "=" " []
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/08/2008 05:47 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" []
    "ieupdate "= "C:\WINDOWS\system32\ieupdates.exe" [01/08/2008 05:47 AM]
    "VideoDriverHook "= "C:\WINDOWS\System32\vmdriver.exe" [01/08/2008 05:47 AM]
    "Mprr "= "C:\DOCUME~1\Debbie\MYDOCU~1\ASKS~1\rundll32.exe" [01/07/2008 08:28 PM]
    "Kwdd "= "C:\Program Files\Common Files\F?nts\n?pdb.exe" [11/01/2007 08:45 AM]
    "Router "= "C:\Program Files\Router\Router.exe" [01/08/2008 05:47 AM]

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [12/27/2007 1:57:07 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2/25/2006 1:20:04 PM]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [5/1/2005 8:40:25 AM]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Windows NT\prohdyxepr.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{E1759A31-E627-4758-9562-6899DF36C9C2} "= C:\WINDOWS\System32\jkkliii.dll [01/07/2008 08:27 PM 41472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkliii]
    jkkliii.dll 01/07/2008 08:27 PM 41472 C:\WINDOWS\system32\jkkliii.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywwut]
    yaywwut.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\System32\gebcb

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @= "Service "




    -- Hosts -----------------------------------------------------------------------

    66.98.148.65 auto.search.msn.com
    66.98.148.65 auto.search.msn.es


    -- End of Deckard's System Scanner: finished at 2008-01-08 06:22:43 ------------
     
  5. 2008/01/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ComboFix by sUBs from here, saving the file to your desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. 2008/01/08
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    2 Logs

    Here are the logs.


    ComboFix 08-01-09.2 - Debbie 2008-01-08 16:54:05.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.747 [GMT -5:00]
    Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
    * Created a new restore point
    .
    /wow section - STAGE 3

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Debbie\Desktop\Online Security Center.URL
    C:\Documents and Settings\Debbie\My Documents\ASKS~1
    C:\Documents and Settings\Debbie\My Documents\ASKS~1\?asks\
    C:\Documents and Settings\Debbie\My Documents\ASKS~1\rundll32.exe
    C:\Documents and Settings\Debbie\ResErrors.log
    C:\Documents and Settings\Debbie\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Debbie\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Debbie\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\PROGRA~1\SYMNET~1\SNDMon.exe
    C:\Program Files\Analog Devices\Core\smax4pnp .exe
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
    C:\Program Files\Common Files\fnts~1
    C:\Program Files\Common Files\fnts~1\n?pdb.exe
    C:\Program Files\Common Files\SpyGuardPro
    C:\Program Files\Common Files\SpyGuardPro\ugac .exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Free Surfer\fs20 .exe
    C:\Program Files\inetget2
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\Program Files\Nero\Nero 7\InCD\InCD .exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Router
    C:\Program Files\Router\Router .exe
    C:\Program Files\Router\Router.exe
    C:\Program Files\Router\UnInstall.exe
    C:\Program Files\SpyGuardPro
    C:\Program Files\SpyGuardPro\history.db
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray .exe
    C:\Program Files\SymNetDrv\SNDMon .exe
    C:\Program Files\Temporary
    C:\Program Files\Temporary\kernInstall.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT .EXE
    C:\Program Files\Windows NT\laxukiv.dll
    C:\SpyGuardPro
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\b103.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b128.exe
    C:\WINDOWS\b138.exe
    C:\WINDOWS\b151.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu572.exe
    C:\WINDOWS\SOUNDMAN .EXE
    C:\WINDOWS\system32\bcbeg.ini
    C:\WINDOWS\system32\bcbeg.ini2
    C:\WINDOWS\system32\cbxuurp.dll
    C:\WINDOWS\system32\fwcbcuvl.ini
    C:\WINDOWS\system32\gebcb.dll
    C:\WINDOWS\system32\gebcb.exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\hxjqcxfk.exe
    C:\WINDOWS\system32\ieupdates .exe
    C:\WINDOWS\system32\ieupdates.exe
    C:\WINDOWS\system32\igfxpers .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\ipgebf.dll
    C:\WINDOWS\system32\jkkliii.dll
    C:\WINDOWS\system32\lvucbcwf.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ntload.sys
    C:\WINDOWS\system32\opnommj.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\RCX16.tmp
    C:\WINDOWS\system32\uhquhhej.dll
    C:\WINDOWS\system32\update32.exe
    C:\WINDOWS\System32\vmdriver.exe
    C:\WINDOWS\system32\winsrc.dll
    C:\WINDOWS\system32\wintsvcc.exe
    C:\WINDOWS\system32\winupdate.exe
    C:\WINDOWS\system32\wscmp.dll
    C:\WINDOWS\system32\wvuvuss.dll
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

    Code:
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\UIUCU .EXE ---> QooBox
    C:\Program Files\Analog Devices\Core\smax4pnp .exe ---> QooBox
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe ---> QooBox
    C:\Program Files\Free Surfer\fs20 .exe ---> QooBox
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
    C:\Program Files\Nero\Nero 7\InCD\InCD .exe ---> QooBox
    C:\Program Files\Router\Router .exe ---> Router.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray .exe ---> QooBox
    C:\Program Files\SymNetDrv\SNDMon .exe ---> QooBox
    Error moving C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe to C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe: 5.
    C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT  .EXE ---> WD_SRT.EXE
    C:\WINDOWS\SOUNDMAN .EXE ---> QooBox
    C:\WINDOWS\system32\hkcmd .exe ---> QooBox
    C:\WINDOWS\system32\ieupdates .exe ---> QooBox
    C:\WINDOWS\system32\igfxpers .exe ---> QooBox
    C:\WINDOWS\system32\igfxtray .exe ---> QooBox
    C:\WINDOWS\system32\vmdriver .exe ---> vmdriver.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NTLOAD
    -------\DomainService
    -------\ntload


    ((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
    .

    2008-01-09 16:59 . 2008-01-09 16:59 <DIR> d-------- C:\Temp\tn3
    2008-01-09 16:57 . 2008-01-09 16:58 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-01-08 16:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 06:14 . 2008-01-08 06:14 <DIR> d-------- C:\Deckard
    2008-01-08 04:10 . 2008-01-08 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-08 04:09 . 2008-01-08 04:09 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
    2008-01-08 04:08 . 2008-01-08 05:47 86,188 --a------ C:\WINDOWS\system32\vmdriver.exe
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Program Files\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-08 04:05 . 2002-08-13 06:09 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-08 04:05 . 2002-08-13 06:10 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-08 04:05 . 2006-11-01 17:09 128,064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2008-01-08 04:05 . 2006-11-01 17:09 21,568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2008-01-08 04:05 . 2006-11-01 17:09 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-01-08 04:05 . 2006-11-01 17:09 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
    2008-01-08 04:03 . 2008-01-08 04:03 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Webroot
    2008-01-07 22:55 . 2008-01-07 22:55 <DIR> d-------- C:\WINDOWS\ffri
    2008-01-07 22:55 . 2008-01-08 04:57 <DIR> d-------- C:\Program Files\Common Files\ffri
    2008-01-07 20:33 . 2008-01-08 05:21 <DIR> d--hs---- C:\WINDOWS\RGViYmll
    2008-01-07 20:33 . 2008-01-07 20:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
    2008-01-07 20:33 . 2008-01-07 20:33 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\SpyGuardPro
    2008-01-07 20:33 . 2008-01-07 20:33 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
    2008-01-07 20:33 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-07 20:31 . 2008-01-07 20:31 39,936 --a------ C:\WINDOWS\17PHolmes572.exe
    2008-01-07 18:09 . 2008-01-07 18:09 0 --a------ C:\WINDOWS\system32\wscmp.dll.tmp
    2008-01-07 17:14 . 2008-01-07 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10 . 2008-01-07 17:10 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-06 18:14 . 2008-01-06 18:14 64,512 --a------ C:\WINDOWS\system32\TmpX.exe
    2008-01-06 18:11 . 2008-01-09 16:55 <DIR> d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46 . 2008-01-06 20:23 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:46 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-06 17:46 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-06 17:28 . 2008-01-06 17:28 <DIR> d-------- C:\WINDOWS\system32\svcd
    2008-01-06 17:28 . 2008-01-09 16:58 114 --a------ C:\WINDOWS\system32\url3
    2008-01-06 17:28 . 2008-01-09 16:58 102 --a------ C:\WINDOWS\system32\url2
    2008-01-06 17:28 . 2008-01-09 16:58 102 --a------ C:\WINDOWS\system32\url1
    2008-01-06 17:28 . 2008-01-09 16:58 8 --a------ C:\WINDOWS\system32\CID
    2008-01-06 17:28 . 2008-01-06 17:28 4 --a------ C:\WINDOWS\system32\SvcNm
    2008-01-06 17:27 . 2008-01-06 17:27 34,816 --a------ C:\wndpilf.exe
    2008-01-06 15:27 . 2008-01-06 15:42 <DIR> d-------- C:\Program Files\RegCleaner
    2008-01-06 12:40 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40 . 2008-01-06 12:40 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:31 . 2008-01-06 15:19 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\??mbols
    2008-01-06 12:30 . 2008-01-06 14:54 <DIR> d-------- C:\WINDOWS\system32\usmvt3
    2008-01-06 12:30 . 2008-01-06 14:54 <DIR> d-------- C:\WINDOWS\system32\drivr3
    2008-01-06 12:30 . 2008-01-06 14:54 <DIR> d-------- C:\WINDOWS\system32\comp2
    2008-01-06 12:30 . 2008-01-06 12:30 <DIR> d-------- C:\WINDOWS\system32\cache3
    2008-01-06 12:30 . 2008-01-06 14:54 <DIR> d-------- C:\WINDOWS\system32\ardCo01
    2008-01-06 12:30 . 2008-01-06 12:30 <DIR> d-------- C:\Temp\cEeer12
    2008-01-06 12:30 . 2008-01-09 16:59 <DIR> d-------- C:\Temp
    2008-01-06 12:30 . 2008-01-06 12:30 86,016 --a------ C:\WINDOWS\system32\drivers\smwdmm.sys
    2008-01-06 12:30 . 2008-01-07 20:28 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
    2008-01-06 12:24 . 2008-01-06 12:24 <DIR> d-------- C:\WINDOWS\Sun
    2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57 . 2007-12-27 13:57 <DIR> d-------- C:\Program Files\No-IP
    2007-12-27 12:55 . 2007-12-27 13:18 <DIR> d-------- C:\UFTP
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Program Files\Winamp
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Winamp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-09 21:55 --------- d-----w C:\Program Files\Free Surfer
    2008-01-08 21:53 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-07 01:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-07 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-06 23:12 --------- d-----w C:\Program Files\Symantec
    2008-01-06 21:30 --------- d-----w C:\Program Files\Azureus
    2008-01-06 20:19 --------- d-----w C:\Documents and Settings\Debbie\Application Data\??mbols
    2008-01-06 20:04 458,240 ----a-w C:\WINDOWS\system32\igfxpers.exe
    2008-01-06 20:04 437,760 ----a-w C:\WINDOWS\system32\igfxtray.exe
    2008-01-06 20:04 421,376 ----a-w C:\WINDOWS\system32\hkcmd.exe
    2008-01-06 18:53 392,704 ----a-w C:\WINDOWS\SOUNDMAN.EXE
    2008-01-06 12:47 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-01 14:21 --------- d-----w C:\Program Files\AIM
    2008-01-01 14:21 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 14:19 --------- d-----w C:\Program Files\Yahoo!
    2007-07-14 14:28 87,608 ----a-w C:\Documents and Settings\Debbie\Application Data\inst.exe
    2007-07-14 14:28 47,360 ----a-w C:\Documents and Settings\Debbie\Application Data\pcouffin.sys
    2003-07-14 17:43 30 ----a-w C:\Program Files\readme1st.txt
    2003-07-12 00:04 46,592 -c--a-w C:\Program Files\KeyGen.exe
    2003-07-11 10:19 3,901 ----a-w C:\Program Files\phx0day.nfo
    2003-05-30 14:59 72,701 ----a-w C:\Program Files\setup.cfg
    2003-05-30 14:06 1,155,072 ----a-w C:\Program Files\Setup.exe
    .
    Code:
    <pre>
    ----a-w           139,264 2008-01-06 22:58:35  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
    ----a-w            58,488 2008-01-06 22:58:29  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w           218,240 2008-01-06 22:58:30  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
    ----a-w           148,608 2008-01-06 22:58:32  C:\Program Files\Norton AntiVirus\BootWarn .exe
    ----a-w           132,248 2008-01-06 22:58:31  C:\Program Files\Norton AntiVirus\CfgWiz .exe
    ----a-w         4,806,144 2008-01-08 10:47:45  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{106B1157-7D0F-4BF4-83FB-F94A047A996F}]
    C:\Program Files\MSN\homeq4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70C416F1-C968-4C8D-85B0-38D9A04F2FA7}]
    C:\Program Files\MSN\homeq83122.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [ ]
    "VideoDriverHook "= "C:\WINDOWS\System32\vmdriver.exe" [2008-01-08 05:47 86188]
    "Mprr "= "C:\DOCUME~1\Debbie\MYDOCU~1\ASKS~1\rundll32.exe" [ ]
    "Kwdd "= "C:\Program Files\Common Files\F?nts\n?pdb.exe" [ ]
    "Router "= "C:\Program Files\Router\Router.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
    "VideoDriverHook "= "C:\WINDOWS\System32\vmdriver.exe" [2008-01-08 05:47 86188]
    "SpyHunter "=" " []
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-12-27 13:57:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 13:20:04]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2005-05-01 08:40:25]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Windows NT\prohdyxepr.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywwut]
    yaywwut.dll

    R0 PQV2i;PQV2i;C:\WINDOWS\System32\drivers\PQV2i.sys [2004-07-29 02:33]
    R1 PQIMount;PQIMount;C:\WINDOWS\System32\drivers\PQIMount.sys [2004-07-29 03:13]
    R1 smwdmm;smwdmm;C:\WINDOWS\System32\drivers\smwdmm.sys [2008-01-06 12:30]
    R2 GSYW;Security Service;C:\WINDOWS\System32\svcd\svchost.exe [2008-01-06 17:27]
    R2 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-10-05 08:55]

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-09 16:59:40
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-09 17:00:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-09 22:00:25





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:03:59 PM, on 1/9/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\System32\svcd\svchost.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\ZoneLabs\minilog.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\No-IP\DUC20.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {106B1157-7D0F-4BF4-83FB-F94A047A996F} - C:\Program Files\MSN\homeq4444.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {70C416F1-C968-4C8D-85B0-38D9A04F2FA7} - C:\Program Files\MSN\homeq83122.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    O4 - HKCU\..\Run: [VideoDriverHook] C:\WINDOWS\System32\vmdriver.exe
    O4 - HKCU\..\Run: [Mprr] "C:\DOCUME~1\Debbie\MYDOCU~1\ASKS~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Kwdd] "C:\Program Files\Common Files\F?nts\n?pdb.exe "
    O4 - HKCU\..\Run: [Router] "C:\Program Files\Router\Router.exe "
    O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137451203234
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137451278171
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O20 - Winlogon Notify: yaywwut - yaywwut.dll (file missing)
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Security Service (GSYW) - Unknown owner - C:\WINDOWS\System32\svcd\svchost.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prohdyxepr.html

    --
    End of file - 6026 bytes
     
  7. 2008/01/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\vmdriver.exe
    C:\WINDOWS\17PHolmes572.exe
    C:\WINDOWS\system32\wscmp.dll.tmp
    C:\WINDOWS\system32\TmpX.exe
    C:\WINDOWS\system32\url3
    C:\WINDOWS\system32\url2
    C:\WINDOWS\system32\url1
    C:\WINDOWS\system32\CID
    C:\WINDOWS\system32\SvcNm
    C:\wndpilf.exe
    C:\WINDOWS\system32\drivers\smwdmm.sys
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\Program Files\Windows NT\prohdyxepr.html
    Folder::
    C:\Temp\tn3
    C:\WINDOWS\ffri
    C:\Program Files\Common Files\ffri
    C:\WINDOWS\RGViYmll
    C:\Documents and Settings\NetworkService\Application Data\NetMon
    C:\Documents and Settings\Debbie\Application Data\SpyGuardPro
    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\WINDOWS\system32\usmvt3
    C:\WINDOWS\system32\drivr3
    C:\WINDOWS\system32\comp2
    C:\WINDOWS\system32\cache3
    C:\WINDOWS\system32\ardCo01
    C:\Temp\cEeer12
    C:\Program Files\Router
    RenV::
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
    C:\Program Files\Norton AntiVirus\BootWarn .exe
    C:\Program Files\Norton AntiVirus\CfgWiz .exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{106B1157-7D0F-4BF4-83FB-F94A047A996F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70C416F1-C968-4C8D-85B0-38D9A04F2FA7}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "VideoDriverHook "=-
     "Mprr "=-
     "Kwdd "=-
     "Router "=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "VideoDriverHook "=-
     "SpyHunter "=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywwut]
    Driver::
    smwdmm
    GSYW
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Next, download OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Double-click OTMoveIt.exe to run it.
    • If pre-checked, uncheck the box labeled 'Unregister Dll's and Ocx's'.
    • In the lower left window labeled 'Paste List of Files/Patterns to Search for and Move', type purity, then click MoveIt!
    • Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Click "Exit" to close OTMoveIt2.
    *If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

    **If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Please post the OTMoveIt2 log and a fresh DSS log.
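
The logs above show one hijack pattern repeated across a dozen programs: the legitimate binary has been renamed with a space before its extension (hkcmd .exe, SOUNDMAN .EXE, SpySweeperUI .exe) while the Run keys and startup entries still point at the proper name, so whatever now sits at hkcmd.exe is what runs at every logon. RenV:: is the CFScript section noahdfear uses to put those files back; the line "Error moving ...\SpySweeperUI .exe to ...\SpySweeperUI.exe: 5" in the first log is Win32 error 5, ERROR_ACCESS_DENIED, meaning the file occupying the proper name was locked and could not be moved aside. The script below is an added example written for this page, not ComboFix or OTMoveIt code. It parses a CFScript into its sections (the grammar, a 'Name::' header followed by one entry per line, is an assumption read off the post, not documented anywhere on the page), walks a directory tree for 'name .ext' files, hashes both members of each pair, and restores the displaced original after moving the impostor into a quarantine folder. The restore direction is taken from the "Router .exe ---> Router.exe" line; the QooBox folder name is borrowed from the log only as a label; the sample CFScript and the sample directory tree are constructed fixtures.

```python
"""Added triage example for the 'name .exe' hijack and CFScript format in this thread; not
ComboFix code. Section grammar, restore direction, quarantine layout and both fixtures are assumptions."""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

SAMPLE_CFSCRIPT = r"""RenV::
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "VideoDriverHook "=-
Driver::
smwdmm
GSYW
"""
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Extension preceded by one or more spaces: 'hkcmd .exe', 'WD_SRT  .EXE'.
DISPLACED_RE = re.compile(r"^(?P<stem>\S.*?) +(?P<ext>\.[A-Za-z0-9]+)$")

def parse_cfscript(text):
    """{section: [entries]}; assumed grammar: 'Name::' opens a section, each later non-blank line is an entry."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def restored_name(name):
    """'hkcmd .exe' -> 'hkcmd.exe'; None when no space precedes the extension."""
    m = DISPLACED_RE.match(name)
    return m.group("stem") + m.group("ext") if m else None

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest() if path else None

def find_displaced(root):
    """Every 'name .ext' file under root plus whatever now sits at the proper name (what the Run entry launches)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            fixed = restored_name(name)
            if fixed is None:
                continue
            displaced, impostor = Path(dirpath) / name, Path(dirpath) / fixed
            impostor = impostor if impostor.exists() else None
            findings.append({"displaced": displaced, "impostor": impostor,
                             "displaced_sha256": sha256_of(displaced),
                             "impostor_sha256": sha256_of(impostor)})
    return findings

def restore_displaced(finding, quarantine, dry_run=True):
    """Move the impostor into quarantine, then rename 'name .exe' back. A locked impostor
    raises PermissionError (the log's Win32 error 5, ERROR_ACCESS_DENIED): reported, not hidden."""
    src = finding["displaced"]
    dst = src.with_name(restored_name(src.name))
    if dry_run:
        return "would-restore" if finding["impostor"] else "would-rename"
    try:
        if finding["impostor"]:
            Path(quarantine).mkdir(parents=True, exist_ok=True)
            shutil.move(str(dst), str(Path(quarantine) / dst.name))
        src.rename(dst)
    except PermissionError as exc:
        return f"failed: {exc}"
    return "restored"

def build_sample_tree(root):
    """Constructed fixture: original beside an impostor, original with no impostor, untouched program."""
    root = Path(root)
    for rel, data in [("system32/hkcmd .exe", b"original hkcmd"), ("system32/hkcmd.exe", b"impostor"),
                      ("Router/Router .exe", b"original router"), ("Spy Sweeper/SpySweeperUI.exe", b"untouched")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

def run_demo(dry_run=True):
    """Returns (status per displaced name, bytes now at system32/hkcmd.exe, names in the quarantine folder)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, qbox = build_sample_tree(tmp), Path(tmp) / "QooBox"
        statuses = {f["displaced"].name: restore_displaced(f, qbox, dry_run)
                    for f in find_displaced(root)}
        hkcmd = (root / "system32" / "hkcmd.exe").read_bytes()
        quarantined = sorted(p.name for p in qbox.glob("*")) if qbox.exists() else []
    return statuses, hkcmd, quarantined

if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_CFSCRIPT), run_demo(dry_run=True), run_demo(dry_run=False), sep="\n")
```

Run it with dry_run=True first and read the statuses and hashes before letting it touch anything; the hashes of the displaced originals can be checked against the vendor's known-good files, and a mismatch there means the "original" is not one either. The second ComboFix log further down the thread shows url1, url2, url3 and CID recreated within a minute of deletion and SpySweeperUI .exe still in place, which is why each pass gets followed by a fresh scan rather than being trusted on its own. On Windows a running impostor makes the move fail with PermissionError, the same condition the first log reported as error 5, and the right response is to stop that process (or work from a boot environment) before trying again.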
     
  8. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    Ok... here you go......



    ComboFix 08-01-09.2 - Debbie 2008-01-10 4:51:34.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.761 [GMT -5:00]
    Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Debbie\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Program Files\Windows NT\prohdyxepr.html
    C:\WINDOWS\17PHolmes572.exe
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\WINDOWS\system32\CID
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\smwdmm.sys
    C:\WINDOWS\system32\SvcNm
    C:\WINDOWS\system32\TmpX.exe
    C:\WINDOWS\system32\url1
    C:\WINDOWS\system32\url2
    C:\WINDOWS\system32\url3
    C:\WINDOWS\system32\vmdriver.exe
    C:\WINDOWS\system32\wscmp.dll.tmp
    C:\wndpilf.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\Documents and Settings\Debbie\Application Data\inst.exe
    C:\Documents and Settings\Debbie\Application Data\MBOLS~1
    C:\Documents and Settings\Debbie\Application Data\SpyGuardPro
    C:\Documents and Settings\Debbie\Application Data\SpyGuardPro\Logs\threats.log
    C:\Documents and Settings\Debbie\Application Data\SpyGuardPro\Logs\update.log
    C:\Documents and Settings\Debbie\Application Data\SpyGuardPro\PGE.dat
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon
    C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
    C:\Program Files\Common Files\ffri
    C:\Program Files\Common Files\ffri\ffria.lck
    C:\Program Files\Common Files\ffri\ffril.lck
    C:\Program Files\Common Files\ffri\ffrim.lck
    C:\Temp\cEeer12
    C:\Temp\cEeer12\skAt.log
    C:\temp\tn3
    C:\WINDOWS\17PHolmes572.exe
    C:\WINDOWS\ffri
    C:\WINDOWS\ffri\ffri.dat
    C:\WINDOWS\ffri\wu
    C:\WINDOWS\mrofinu572.exe.tmp
    C:\WINDOWS\RGViYmll
    C:\WINDOWS\system32\ardCo01
    C:\WINDOWS\system32\ardCo01\ardCo011065.exe
    C:\WINDOWS\system32\cache3
    C:\WINDOWS\system32\cache3\vumpedll23.exe
    C:\WINDOWS\system32\CID
    C:\WINDOWS\system32\comp2
    C:\WINDOWS\system32\comp2\aroblcidr31z.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\smwdmm.sys
    C:\WINDOWS\system32\drivr3
    C:\WINDOWS\system32\drivr3\jeppdrvrwb9.exe
    C:\WINDOWS\system32\SvcNm
    C:\WINDOWS\system32\TmpX.exe
    C:\WINDOWS\system32\url1
    C:\WINDOWS\system32\url2
    C:\WINDOWS\system32\url3
    C:\WINDOWS\system32\usmvt3
    C:\WINDOWS\system32\usmvt3\gyreo83122.exe
    C:\WINDOWS\system32\vmdriver.exe
    C:\WINDOWS\system32\wscmp.dll.tmp
    C:\wndpilf.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SMWDMM
    -------\smwdmm


    ((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
    .

    2008-01-10 04:54 . 2008-01-10 04:54 0 --a------ C:\WINDOWS\system32\url3
    2008-01-10 04:54 . 2008-01-10 04:54 0 --a------ C:\WINDOWS\system32\url2
    2008-01-10 04:54 . 2008-01-10 04:54 0 --a------ C:\WINDOWS\system32\url1
    2008-01-10 04:54 . 2008-01-10 04:54 0 --a------ C:\WINDOWS\system32\CID
    2008-01-08 16:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 06:14 . 2008-01-08 06:14 <DIR> d-------- C:\Deckard
    2008-01-08 04:10 . 2008-01-08 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Program Files\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-08 04:05 . 2002-08-13 06:09 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-08 04:05 . 2002-08-13 06:10 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-08 04:05 . 2006-11-01 17:09 128,064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2008-01-08 04:05 . 2006-11-01 17:09 21,568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2008-01-08 04:05 . 2006-11-01 17:09 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-01-08 04:05 . 2006-11-01 17:09 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
    2008-01-08 04:03 . 2008-01-08 04:03 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Webroot
    2008-01-07 20:33 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-07 17:14 . 2008-01-07 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10 . 2008-01-07 17:10 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-06 18:11 . 2008-01-09 16:55 <DIR> d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46 . 2008-01-10 04:51 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:46 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-06 17:46 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-06 17:28 . 2008-01-06 17:28 <DIR> d-------- C:\WINDOWS\system32\svcd
    2008-01-06 15:27 . 2008-01-06 15:42 <DIR> d-------- C:\Program Files\RegCleaner
    2008-01-06 12:40 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40 . 2008-01-06 12:40 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:30 . 2008-01-10 04:52 <DIR> d-------- C:\Temp
    2008-01-06 12:24 . 2008-01-06 12:24 <DIR> d-------- C:\WINDOWS\Sun
    2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57 . 2007-12-27 13:57 <DIR> d-------- C:\Program Files\No-IP
    2007-12-27 12:55 . 2007-12-27 13:18 <DIR> d-------- C:\UFTP
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Program Files\Winamp
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Winamp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 09:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-10 09:39 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-09 21:55 --------- d-----w C:\Program Files\Free Surfer
    2008-01-07 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-06 23:12 --------- d-----w C:\Program Files\Symantec
    2008-01-06 21:30 --------- d-----w C:\Program Files\Azureus
    2008-01-06 18:53 392,704 ----a-w C:\WINDOWS\SOUNDMAN.EXE
    2008-01-06 12:47 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-01 14:21 --------- d-----w C:\Program Files\AIM
    2008-01-01 14:21 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 14:19 --------- d-----w C:\Program Files\Yahoo!
    2007-07-14 14:28 47,360 ----a-w C:\Documents and Settings\Debbie\Application Data\pcouffin.sys
    2003-07-14 17:43 30 ----a-w C:\Program Files\readme1st.txt
    2003-07-12 00:04 46,592 -c--a-w C:\Program Files\KeyGen.exe
    2003-07-11 10:19 3,901 ----a-w C:\Program Files\phx0day.nfo
    2003-05-30 14:59 72,701 ----a-w C:\Program Files\setup.cfg
    2003-05-30 14:06 1,155,072 ----a-w C:\Program Files\Setup.exe
    .
    Code:
    <pre>
    ----a-w         4,806,144 2008-01-08 10:47:45  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
    </pre>

    ((((((((((((((((((((((((((((( snapshot@2008-01-09_17.00.11.95 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-08 21:53:55 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    + 2008-01-10 09:51:26 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    - 2008-01-08 21:53:55 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-10 09:51:26 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-08 21:53:56 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    + 2008-01-10 09:51:26 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    - 2008-01-08 21:53:56 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-10 09:51:26 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-08 21:53:56 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-10 09:51:26 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-08 21:53:56 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-10 09:51:26 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-08 21:54:01 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2008-01-10 09:51:30 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-06 17:58 139264]
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-12-27 13:57:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 13:20:04]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2005-05-01 08:40:25]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Windows NT\prohdyxepr.html
    FriendlyName=

    R0 PQV2i;PQV2i;C:\WINDOWS\System32\drivers\PQV2i.sys [2004-07-29 02:33]
    R1 PQIMount;PQIMount;C:\WINDOWS\System32\drivers\PQIMount.sys [2004-07-29 03:13]
    R2 GSYW;Security Service;C:\WINDOWS\System32\svcd\svchost.exe [2008-01-06 17:27]
    R2 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-10-05 08:55]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-10 04:54:07
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-10 4:55:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-10 09:54:57
    ComboFix2.txt 2008-01-09 22:00:34




    [Manual Searches]
    < purity >

    OTMoveIt2 v1.0.5 log created on 01102008_051433





    Deckard's System Scanner v20071014.68
    Run by Debbie on 2008-01-10 05:16:32
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Debbie.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:16:35 AM, on 1/10/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\No-IP\DUC20.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\System32\svcd\svchost.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\ZoneLabs\minilog.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Debbie\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Debbie.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137451203234
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137451278171
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Security Service (GSYW) - Unknown owner - C:\WINDOWS\System32\svcd\svchost.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prohdyxepr.html

    --
    End of file - 5430 bytes

    -- Files created between 2007-12-10 and 2008-01-10 -----------------------------

    2008-01-10 04:54:07 114 --a------ C:\WINDOWS\System32\url3
    2008-01-10 04:54:07 102 --a------ C:\WINDOWS\System32\url2
    2008-01-10 04:54:07 102 --a------ C:\WINDOWS\System32\url1
    2008-01-10 04:54:07 8 --a------ C:\WINDOWS\System32\CID
    2008-01-08 04:10:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-08 04:05:52 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-08 04:05:20 155648 --a------ C:\WINDOWS\System32\ssleay32.dll
    2008-01-08 04:05:20 684032 --a------ C:\WINDOWS\System32\libeay32.dll
    2008-01-08 04:05:19 0 d-------- C:\Program Files\Webroot
    2008-01-08 04:05:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-08 04:03:48 0 d-------- C:\Documents and Settings\Debbie\Application Data\Webroot
    2008-01-07 17:14:52 0 d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10:33 0 d-------- C:\Program Files\Enigma Software Group
    2008-01-06 18:16:29 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2008-01-06 18:11:54 0 d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46:49 0 d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:28:03 0 d-------- C:\WINDOWS\System32\svcd
    2008-01-06 15:27:12 0 d-------- C:\Program Files\RegCleaner
    2008-01-06 13:53:26 2621440 --a------ C:\Documents and Settings\Debbie\ntuser.dat
    2008-01-06 13:53:25 233472 --a------ C:\Documents and Settings\NetworkService\ntuser.dat
    2008-01-06 13:53:25 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Templates
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Local Settings
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Cookies
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Application Data
    2008-01-06 13:45:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-01-06 13:45:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-01-06 12:40:53 0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40:53 0 d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:30:26 0 d-------- C:\Temp
    2008-01-06 12:24:54 0 d-------- C:\WINDOWS\Sun
    2008-01-06 12:24:54 0 d-------- C:\Documents and Settings\Debbie\Application Data\Sun
    2008-01-01 09:20:56 0 d-------- C:\WINDOWS\System32\appmgmt
    2007-12-30 18:02:42 0 d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57:07 0 d-------- C:\Program Files\No-IP
    2007-12-27 12:55:13 0 d-------- C:\UFTP
    2007-12-25 10:42:17 0 d-------- C:\Program Files\Winamp
    2007-12-25 10:42:17 0 d-------- C:\Documents and Settings\Debbie\Application Data\Winamp
    2007-12-22 14:06:13 0 d-------- C:\Documents and Settings\Debbie\Application Data\Adobe


    -- Find3M Report ---------------------------------------------------------------

    2008-01-10 04:52:27 0 d-------- C:\Program Files\Common Files
    2008-01-10 04:51:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-01-10 04:39:53 0 d-------- C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-09 16:55:36 0 d-------- C:\Program Files\Free Surfer
    2008-01-09 16:55:34 0 d-------- C:\Program Files\Windows NT
    2008-01-06 18:12:21 0 d-------- C:\Program Files\Symantec
    2008-01-06 16:30:47 0 d-------- C:\Program Files\Azureus
    2008-01-06 15:04:11 458240 --a------ C:\WINDOWS\System32\igfxpers.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
    2008-01-06 15:04:10 437760 --a------ C:\WINDOWS\System32\igfxtray.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
    2008-01-06 15:04:10 421376 --a------ C:\WINDOWS\System32\hkcmd.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
    2008-01-06 13:53:06 392704 --a------ C:\WINDOWS\SOUNDMAN.EXE <Not Verified; Avance Logic, Inc.; Avance Sound Manager>
    2008-01-06 07:47:28 0 d-------- C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-01 09:21:58 0 d-------- C:\Program Files\AIM
    2008-01-01 09:21:54 0 d-------- C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 09:19:44 0 d-------- C:\Program Files\Yahoo!


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [01/06/2008 05:58 PM]
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" []

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [12/27/2007 1:57:07 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2/25/2006 1:20:04 PM]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [5/1/2005 8:40:25 AM]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Windows NT\prohdyxepr.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @= "Service "




    -- End of Deckard's System Scanner: finished at 2008-01-10 05:16:57 ------------
     
  9. 2008/01/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Right click the desktop and select Properties.
    Select the Desktop tab then click Customize Desktop.
    Select the Web tab.
    Select the entry for C:\Program Files\Windows NT\prohdyxepr.html then click Delete.
    OK out.

    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\System32\url3
    C:\WINDOWS\System32\url2
    C:\WINDOWS\System32\url1
    Folder::
    C:\WINDOWS\System32\svcd
    RenV::
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
    Driver::
    GSYW
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
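The entries noahdfear singled out above (a second `svchost.exe` living in `System32\svcd`, a service with "Unknown owner", an Active Desktop component pointing at a local HTML file, and an O16 control fetched through `ms-its:mhtml:`) are the kind of thing a helper eyeballs in a HijackThis log. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it runs those same heuristics over a constructed sample log modelled on the entries posted earlier, and reports which lines deserve a closer look and why. The list of protected system binary names and the rule set are assumptions of the example, not anything the tools themselves implement.

```python
import ntpath

# Constructed sample, modelled on the HijackThis entries posted earlier in the
# thread (it is not the original log); each line is one HijackThis entry.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137451203234
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Security Service (GSYW) - Unknown owner - C:\WINDOWS\System32\svcd\svchost.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prohdyxepr.html
"""

# Binaries that Windows XP ships only in %SystemRoot% or %SystemRoot%\System32
# (assumed list for this example). A copy with the same name anywhere else is
# a classic way for malware to hide behind a trusted file name.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                       "smss.exe", "csrss.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def _system_binary_clone(path):
    """True if the path borrows a system binary name but lives outside the system dirs."""
    directory, name = ntpath.split(path.strip('"'))
    return name.lower() in SYSTEM_BINARY_NAMES and directory.lower() not in SYSTEM_DIRS


def check_line(line):
    """Return the list of reasons a single HijackThis entry was flagged (empty if clean)."""
    line = line.strip()
    reasons = []
    if line.startswith("O23 - Service:"):
        # O23 format: "O23 - Service: <display name> - <publisher> - <path>"
        _head, publisher, path = line.rsplit(" - ", 2)
        if publisher == "Unknown owner":
            reasons.append("service with no publisher information")
        if _system_binary_clone(path):
            reasons.append("Windows system binary name running from a non-standard directory")
    elif line.startswith("O24 - Desktop Component"):
        # A clean XP desktop has no web components; a local HTML file wired in
        # here is the usual source of a fake "security alert" background.
        if line.lower().endswith((".htm", ".html")):
            reasons.append("Active Desktop component loading a local HTML file")
    elif line.startswith("O16 - DPF:"):
        # Downloaded Program Files: the ms-its:/mhtml: protocol chain pulls an
        # OCX out of a CHM fetched from an arbitrary host, as seen in the thread.
        target = line.rsplit(" - ", 1)[-1]
        if target.lower().startswith(("ms-its:", "mhtml:")):
            reasons.append("ActiveX control loaded through the ms-its/mhtml protocol handler")
    return reasons


def triage(log_text):
    """Map each suspicious entry (the full line) to the reasons it was flagged."""
    findings = {}
    for raw in log_text.splitlines():
        reasons = check_line(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, the script flags exactly the three entries the helper acted on in this thread (the GSYW service for two reasons, the desktop component, and the ms-its DPF) and leaves the GEARSec service and the Windows Update control alone. The heuristics are deliberately narrow: an unknown publisher or an odd location is a reason to look, not proof of infection, which is why the thread still confirms each item before scripting its removal.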
  10. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    Here it is........................



    ComboFix 08-01-09.2 - Debbie 2008-01-10 6:38:51.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.753 [GMT -5:00]
    Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Debbie\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\System32\url1
    C:\WINDOWS\System32\url2
    C:\WINDOWS\System32\url3
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\System32\svcd
    C:\WINDOWS\System32\svcd\svchost.exe
    C:\WINDOWS\System32\url1
    C:\WINDOWS\System32\url2
    C:\WINDOWS\System32\url3

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_GSYW
    -------\GSYW


    ((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
    .

    2008-01-10 04:54 . 2008-01-10 06:25 8 --a------ C:\WINDOWS\system32\CID
    2008-01-08 16:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 06:14 . 2008-01-08 06:14 <DIR> d-------- C:\Deckard
    2008-01-08 04:10 . 2008-01-08 04:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Program Files\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-08 04:05 . 2008-01-08 04:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-08 04:05 . 2002-08-13 06:09 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-08 04:05 . 2002-08-13 06:10 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-08 04:05 . 2006-11-01 17:09 128,064 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2008-01-08 04:05 . 2006-11-01 17:09 21,568 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2008-01-08 04:05 . 2006-11-01 17:09 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-01-08 04:05 . 2006-11-01 17:09 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
    2008-01-08 04:03 . 2008-01-08 04:03 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Webroot
    2008-01-07 20:33 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-07 17:14 . 2008-01-07 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10 . 2008-01-07 17:10 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-06 18:11 . 2008-01-09 16:55 <DIR> d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46 . 2008-01-10 04:51 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:46 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-06 17:46 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-06 15:27 . 2008-01-06 15:42 <DIR> d-------- C:\Program Files\RegCleaner
    2008-01-06 12:40 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40 . 2008-01-06 12:40 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:30 . 2008-01-10 04:52 <DIR> d-------- C:\Temp
    2008-01-06 12:24 . 2008-01-06 12:24 <DIR> d-------- C:\WINDOWS\Sun
    2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57 . 2007-12-27 13:57 <DIR> d-------- C:\Program Files\No-IP
    2007-12-27 12:55 . 2007-12-27 13:18 <DIR> d-------- C:\UFTP
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Program Files\Winamp
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Winamp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 09:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-10 09:39 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-09 21:55 --------- d-----w C:\Program Files\Free Surfer
    2008-01-07 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-06 23:12 --------- d-----w C:\Program Files\Symantec
    2008-01-06 21:30 --------- d-----w C:\Program Files\Azureus
    2008-01-06 18:53 392,704 ----a-w C:\WINDOWS\SOUNDMAN.EXE
    2008-01-06 12:47 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-01 14:21 --------- d-----w C:\Program Files\AIM
    2008-01-01 14:21 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 14:19 --------- d-----w C:\Program Files\Yahoo!
    2007-07-14 14:28 47,360 ----a-w C:\Documents and Settings\Debbie\Application Data\pcouffin.sys
    2003-07-14 17:43 30 ----a-w C:\Program Files\readme1st.txt
    2003-07-12 00:04 46,592 -c--a-w C:\Program Files\KeyGen.exe
    2003-07-11 10:19 3,901 ----a-w C:\Program Files\phx0day.nfo
    2003-05-30 14:59 72,701 ----a-w C:\Program Files\setup.cfg
    2003-05-30 14:06 1,155,072 ----a-w C:\Program Files\Setup.exe
    .
    Code:
    <pre>
    ----a-w         4,806,144 2008-01-08 10:47:45  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
    </pre>

    ((((((((((((((((((((((((((((( snapshot@2008-01-09_17.00.11.95 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-08 21:53:55 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    + 2008-01-10 11:38:48 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    - 2008-01-08 21:53:55 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-10 11:38:48 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-08 21:53:56 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    + 2008-01-10 11:38:48 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    - 2008-01-08 21:53:56 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-10 11:38:48 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-08 21:53:56 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-10 11:38:48 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-08 21:53:56 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-10 11:38:48 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-08 09:08:59 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-01-10 09:54:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-01-08 09:08:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-10 09:54:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-10 09:54:27 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-08 21:54:01 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2008-01-10 09:51:30 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-06 17:58 139264]
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [ ]

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-12-27 13:57:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 13:20:04]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2005-05-01 08:40:25]

    R0 PQV2i;PQV2i;C:\WINDOWS\System32\drivers\PQV2i.sys [2004-07-29 02:33]
    R1 PQIMount;PQIMount;C:\WINDOWS\System32\drivers\PQIMount.sys [2004-07-29 03:13]
    R2 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-10-05 08:55]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-10 06:41:44
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-10 6:42:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-10 11:42:23
    ComboFix2.txt 2008-01-10 09:55:06
    ComboFix3.txt 2008-01-09 22:00:34
     
  11. 2008/01/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You need to disable SpySweeper. Please scan again with HijackThis and place a check next to the following entry then click Fix Checked.

    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    RenV::
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
    

    REBOOT

    Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  12. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    here you go .......





    ComboFix 08-01-09.2 - Debbie 2008-01-10 18:31:59.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.740 [GMT -5:00]
    Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Debbie\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
    .

    2008-01-10 04:54 . 2008-01-10 06:25 8 --a------ C:\WINDOWS\system32\CID
    2008-01-08 16:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 06:14 . 2008-01-08 06:14 <DIR> d-------- C:\Deckard
    2008-01-08 04:05 . 2002-08-13 06:09 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-08 04:05 . 2002-08-13 06:10 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-07 20:33 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-07 17:14 . 2008-01-07 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10 . 2008-01-10 16:53 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-06 18:11 . 2008-01-09 16:55 <DIR> d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46 . 2008-01-10 04:51 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:46 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-06 17:46 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-06 15:27 . 2008-01-06 15:42 <DIR> d-------- C:\Program Files\RegCleaner
    2008-01-06 12:40 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40 . 2008-01-06 12:40 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:30 . 2008-01-10 04:52 <DIR> d-------- C:\Temp
    2008-01-06 12:24 . 2008-01-06 12:24 <DIR> d-------- C:\WINDOWS\Sun
    2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57 . 2007-12-27 13:57 <DIR> d-------- C:\Program Files\No-IP
    2007-12-27 12:55 . 2007-12-27 13:18 <DIR> d-------- C:\UFTP
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Program Files\Winamp
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Winamp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 23:31 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-10 09:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-10 09:39 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-09 21:55 --------- d-----w C:\Program Files\Free Surfer
    2008-01-07 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-06 23:12 --------- d-----w C:\Program Files\Symantec
    2008-01-06 21:30 --------- d-----w C:\Program Files\Azureus
    2008-01-06 20:04 458,240 ----a-w C:\WINDOWS\system32\igfxpers.exe
    2008-01-06 20:04 437,760 ----a-w C:\WINDOWS\system32\igfxtray.exe
    2008-01-06 20:04 421,376 ----a-w C:\WINDOWS\system32\hkcmd.exe
    2008-01-06 18:53 392,704 ----a-w C:\WINDOWS\SOUNDMAN.EXE
    2008-01-01 14:21 --------- d-----w C:\Program Files\AIM
    2008-01-01 14:21 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 14:19 --------- d-----w C:\Program Files\Yahoo!
    2007-07-14 14:28 47,360 ----a-w C:\Documents and Settings\Debbie\Application Data\pcouffin.sys
    2003-07-14 17:43 30 ----a-w C:\Program Files\readme1st.txt
    2003-07-12 00:04 46,592 -c--a-w C:\Program Files\KeyGen.exe
    2003-07-11 10:19 3,901 ----a-w C:\Program Files\phx0day.nfo
    2003-05-30 14:59 72,701 ----a-w C:\Program Files\setup.cfg
    2003-05-30 14:06 1,155,072 ----a-w C:\Program Files\Setup.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-09_17.00.11.95 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-08 21:53:55 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    + 2008-01-10 23:31:56 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    - 2008-01-08 21:53:55 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-10 23:31:56 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-08 21:53:56 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    + 2008-01-10 23:31:56 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    - 2008-01-08 21:53:56 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-10 23:31:56 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-08 21:53:56 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-10 23:31:57 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-08 21:53:56 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-10 23:31:57 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-08 09:08:59 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-01-10 09:54:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-01-08 09:08:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-10 09:54:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-08 21:54:01 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2008-01-10 09:51:30 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-06 17:58 139264]
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-12-27 13:57:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 13:20:04]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2005-05-01 08:40:25]

    R0 PQV2i;PQV2i;C:\WINDOWS\System32\drivers\PQV2i.sys [2004-07-29 02:33]
    R1 PQIMount;PQIMount;C:\WINDOWS\System32\drivers\PQIMount.sys [2004-07-29 03:13]
    R2 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-10-05 08:55]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-10 18:32:53
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-10 18:33:16
    ComboFix-quarantined-files.txt 2008-01-10 23:33:09
    ComboFix2.txt 2008-01-10 11:42:32
    ComboFix3.txt 2008-01-10 09:55:06
    ComboFix4.txt 2008-01-09 22:00:34
     
  13. 2008/01/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Let's make sure we haven't missed something. Please do an online scan with Kaspersky WebScanner

    • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK.
    • Now under Select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display whether your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  14. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    You gotta be kidding.....................
    I have to do this in 3 posts



    ------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, January 10, 2008 8:20:22 PM
    Operating System: Microsoft Windows XP Professional, (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 9/01/2008
    Kaspersky Anti-Virus database records: 505995
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 27391
    Number of viruses found: 49
    Number of infected objects: 404
    Number of suspicious objects: 6
    Duration of the scan process: 00:50:44

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\123.exe Infected: Backdoor.Win32.Bifrose.acj skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip/SPAREMIRC_MOVIESCRIPT/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip/SPAREMIRC_MOVIESCRIPT/mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip/SPAREMIRC_MOVIESCRIPT/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip/SPAREMIRC_MOVIESCRIPT/sysreset253.exe/data.rar/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip/SPAREMIRC_MOVIESCRIPT/sysreset253.exe/data.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip/SPAREMIRC_MOVIESCRIPT/sysreset253.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp/[From "Debbie" <chawni@earthlink.net>][Date Mon, 27 Feb 2006 04:49:28 -0500]/SPAREMIRC_MOVIESCRIPT.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\CCB.tmp Mail: infected - 7 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\NI.UGA6P_0001_N122M2210\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX11.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX14.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX15.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX17.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX19.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX1A.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX1D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX1E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX20.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX21.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX23.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX29.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX2C.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX34.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX4.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX5.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCX9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCXA.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\RCXC.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ccs skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\snapsnet.exe NSIS: infected - 1 skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\TMP13.tmp Infected: Trojan-Downloader.Win32.Agent.hcn skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\TMP16.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\TMP22.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\TMP35.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\TMP5E.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\UIUCU.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\yazzsnet.exe/data0003 Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
    C:\Deckard\System Scanner\20080108063040\backup\DOCUME~1\Debbie\LOCALS~1\Temp\yazzsnet.exe NSIS: infected - 1 skipped
    C:\Deckard\System Scanner\20080108063040\backup\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Deckard\System Scanner\20080108063040\main.txt Suspicious: Exploit.HTML.Mht skipped
    C:\Deckard\System Scanner\20080110051632\main.txt Suspicious: Exploit.HTML.Mht skipped
    C:\Deckard\System Scanner\main.txt Suspicious: Exploit.HTML.Mht skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip/lsass.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\Debbie\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Debbie\Desktop\upp_2.00_final_[2005.01.28].zip/mirc_upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Documents and Settings\Debbie\Desktop\upp_2.00_final_[2005.01.28].zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Debbie\My Documents\NEWMOVIEMIRC2.zip/NEWMOVIEMIRC2/sysreset/sysreset/backup/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
    C:\Documents and Settings\Debbie\My Documents\NEWMOVIEMIRC2.zip/NEWMOVIEMIRC2/sysreset/sysreset/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Documents and Settings\Debbie\My Documents\NEWMOVIEMIRC2.zip/NEWMOVIEMIRC2/sysreset/sysreset/mirc612.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
    C:\Documents and Settings\Debbie\My Documents\NEWMOVIEMIRC2.zip/NEWMOVIEMIRC2/sysreset/sysreset/mirc612.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
    C:\Documents and Settings\Debbie\My Documents\NEWMOVIEMIRC2.zip ZIP: infected - 4 skipped
    C:\Documents and Settings\Debbie\My Documents\NEWSYSRESET.zip/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Documents and Settings\Debbie\My Documents\NEWSYSRESET.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Debbie\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Debbie\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\mirc\mirc_upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Program Files\Analog Devices\Core\smax4pnp.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\1BEE2400.DLL Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2B4E521C.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2B517C19.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2BE3380A.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2DDB1F4E.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2DDE494A.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2E2664FB.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\37906E9F.DLL Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Program Files\Norton AntiVirus\Quarantine\37974298.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\384D71CE.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Norton AntiVirus\Quarantine\385445C7.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\Program Files\Trend Micro\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
    C:\QooBox\Quarantine\C\Documents and Settings\Debbie\My Documents\ASKS~1\rundll32.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\FNTS~1\nоpdb.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\QooBox\Quarantine\C\Program Files\Router\Router .exe.vir Infected: Trojan-Downloader.Win32.Agent.gdi skipped
    C:\QooBox\Quarantine\C\Program Files\Router\Router.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.dlk skipped
    C:\QooBox\Quarantine\C\Program Files\SymNetDrv\SNDMon.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\Program Files\Temporary\kernInstall.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
    C:\QooBox\Quarantine\C\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT .EXE.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\Program Files\Windows NT\laxukiv.dll.vir Infected: Trojan.Win32.BHO.ab skipped
    C:\QooBox\Quarantine\C\WINDOWS\17PHolmes572.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.d skipped
    C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
    C:\QooBox\Quarantine\C\WINDOWS\b128.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
    C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
    C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ardCo01\ardCo011065.exe.vir Infected: Trojan-Downloader.Win32.VB.ccs skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\cbxuurp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\comp2\aroblcidr31z.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\drivr3\jeppdrvrwb9.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\gebcb.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\hxjqcxfk.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ipgebf.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\lvucbcwf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ntload.sys.vir Infected: Backdoor.Win32.Delf.azr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\opnommj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\RCX16.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\TmpX.exe.vir Infected: Backdoor.Win32.Delf.cgf skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\usmvt3\gyreo83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\usmvt3\gyreo83122.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\vmdriver.exe.vir Infected: Backdoor.Win32.Bifrose.acj skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Infected: Backdoor.Win32.Delf.cgf skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\wvuvuss.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
    C:\QooBox\Quarantine\catchme2008-01-09_165931.04.zip/jkkliii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\QooBox\Quarantine\catchme2008-01-09_165931.04.zip/SpySweeperUI.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\QooBox\Quarantine\catchme2008-01-09_165931.04.zip ZIP: infected - 2 skipped
     
  15. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP331\A0067128.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP331\A0067141.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP332\A0067144.exe Infected: Trojan-Downloader.Win32.VB.ccs skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067155.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067156.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067157.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067158.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067159.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067160.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067161.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067162.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067163.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067164.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067165.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067166.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067168.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067172.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067172.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067173.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067175.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067175.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067176.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067176.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067179.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067183.exe Infected: Trojan-Downloader.Win32.Alphabet.bd skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067184.exe Infected: Trojan-Downloader.Win32.Alphabet.bd skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067185.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067186.dll Infected: Trojan-Downloader.Win32.BHO.cf skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0067187.exe Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0068191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0068192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0068193.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0068194.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069191.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069192.exe Infected: Trojan-Downloader.Win32.Alphabet.an skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069193.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069194.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069195.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069197.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069198.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069199.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069200.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069201.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069202.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069203.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069204.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069205.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069206.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0069208.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP333\A0070207.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070212.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070213.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070214.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070215.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070216.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070217.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070218.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070219.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070220.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070221.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070301.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070303.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070305.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070306.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070308.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070309.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070310.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070311.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070312.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070313.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070314.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070315.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070316.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070317.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070318.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP334\A0070319.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP335\A0070323.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070327.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070328.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070329.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070330.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070332.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070333.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070334.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070336.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070337.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070339.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070343.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070343.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070344.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070345.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070347.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070347.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070348.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070348.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070350.exe Infected: Trojan-Downloader.Win32.VB.ccs skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070352.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0070355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0071355.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0071356.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0071357.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072355.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072357.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072358.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072359.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072361.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072364.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072367.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072368.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072369.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072370.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072371.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072372.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072373.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0072374.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073378.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073379.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073380.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073381.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073382.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073383.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073384.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP336\A0073385.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073387.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073388.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073389.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073390.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073391.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073392.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073393.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073396.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073397.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073398.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073431.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073434.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073435.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073436.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073437.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073438.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073439.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073440.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073441.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073442.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073443.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073444.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073445.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073446.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP337\A0073447.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073465.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073466.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073468.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073477.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073480.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073481.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073482.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073484.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073487.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073490.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073491.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073493.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073496.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073496.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073497.exe Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073498.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073500.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073506.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073507.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073508.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073511.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073519.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073519.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073521.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073531.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073532.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073534.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073551.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073553.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073562.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073564.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073565.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073566.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073567.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073568.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073604.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073605.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073653.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073657.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073658.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073659.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073660.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073661.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073942.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP338\A0073945.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0073957.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0073958.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0073960.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0073994.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0073996.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0073997.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074032.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074033.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074034.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074035.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074047.exe Infected: Trojan-Downloader.Win32.VB.ccs skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074048.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074050.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074051.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074059.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074061.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074062.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074063.exe Infected: Trojan-Downloader.Win32.Agent.hcn skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074065.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074070.exe Infected: Trojan-Downloader.Win32.Agent.hcm skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074072.exe Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074073.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074074.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074076.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074077.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074079.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074081.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074081.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074081.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0074081.exe NSIS: infected - 3 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075056.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075057.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075061.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075063.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075064.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075066.exe Infected: Backdoor.Win32.Bifrose.acj skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075067.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075068.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075069.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075077.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
     
  16. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075078.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075082.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075134.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075136.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075137.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075138.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075139.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075141.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075144.exe Infected: Backdoor.Win32.Bifrose.acj skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075146.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP339\A0075148.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP340\A0075156.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP340\A0075158.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP340\A0075159.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP340\A0075160.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075163.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075163.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075164.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075165.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075167.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075168.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075169.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075170.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075171.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075172.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075173.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075174.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075175.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075195.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075196.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075197.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075198.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075199.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075200.exe Infected: Trojan-Downloader.Win32.Delf.dlk skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075202.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075203.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075205.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075208.exe Infected: Backdoor.Win32.Delf.cgf skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075210.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075212.sys Infected: Backdoor.Win32.Delf.azr skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075213.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP341\A0075221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075281.exe Infected: Trojan-Downloader.Win32.VB.ccs skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075283.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075284.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075285.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075285.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075286.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075287.exe Infected: Backdoor.Win32.Delf.cgf skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP342\A0075288.exe Infected: Backdoor.Win32.Bifrose.acj skipped
    C:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP344\change.log Object is locked skipped
    C:\UPPBuild\mirc_upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\UPPBuild\upp_2.00_build_2004.03.05.zip/mirc_upp.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\UPPBuild\upp_2.00_build_2004.03.05.zip ZIP: infected - 1 skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\SOUNDMAN.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hkcmd.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\WINDOWS\system32\igfxpers.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\WINDOWS\system32\igfxtray.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    E:\System Volume Information\_restore{8F27EB84-E482-44D2-BF35-96483CCC14BB}\RP344\change.log Object is locked skipped

    Scan process completed.
     
  17. 2008/01/09
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:22:08 PM, on 1/10/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
    O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137451203234
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137451278171
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\minilog.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4830 bytes
     
  18. 2008/01/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It's not as bad as it looks. ;)

    There are some infected files associated with legitimate applications. You will have to re-install them to regain their functionality.

    C:\Program Files\Analog Devices\Core\smax4pnp.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\WINDOWS\SOUNDMAN.EXE --> Trojan-Dropper.Win32.Agent.dgo
    C:\WINDOWS\system32\hkcmd.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\WINDOWS\system32\igfxpers.exe --> Trojan-Dropper.Win32.Agent.dgo
    C:\WINDOWS\system32\igfxtray.exe --> Trojan-Dropper.Win32.Agent.dgo


    I've provided a bit of information below about some of the above files. After we remove the infected files, Nero, Java and Norton Ghost will need to be re-installed.


    If you have the Drivers cd that came with your computer, you can re-install these with it.

    C:\Program Files\Analog Devices\Core\smax4pnp.exe - a process installed alongside the Analogue Devices range of audio products. This program is a non-essential process, but should not be terminated unless suspected to be causing problems. Required if you have custom settings for your sound.

    C:\WINDOWS\SOUNDMAN.EXE - Sound Manager System Tray utility installed by the drivers for Realtek Avance Logic based soundcards, mainly onboard soundcards, which enables the user to control the S/PDIF input and output (Sony/Philips Digital Interface - a standard which allows the transfer of an audio file from one medium to another without first converting to and from analogue format with the resulting loss of audio quality that that entails). SOUNDMAN also allows you to change the function of the input and output ports of your soundcard from Line-In, Line-Out, and MIC to Front, Rear, and Centre speakers.

    C:\WINDOWS\system32\hkcmd.exe - installed alongside Intel multimedia devices and allows configuration and diagnostic options for these devices. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

    C:\WINDOWS\system32\igfxpers.exe - a process installed alongside NVidia graphics cards and provides additional configuration options for these devices. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

    C:\WINDOWS\system32\igfxtray.exe - a process which allows you to access the Intel Graphics configuration and diagnostic application for the Intel 810 series graphics chipset. This program is a non-essential system process, and is installed for ease of use via the desktop tray.


    Now, let's get to fixing. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip
    C:\Program Files\Trend Micro\HijackThis\hijackthis.log
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxtray.exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    We're almost done ....... hang in there! ;)
     
  19. 2008/01/10
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    hopefully... this is it......



    ComboFix 08-01-09.2 - Debbie 2008-01-11 3:59:28.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.695 [GMT -5:00]
    Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Debbie\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Trend Micro\HijackThis\hijackthis.log
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxtray.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\Trend Micro\HijackThis\hijackthis.log
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxtray.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
    .

    2008-01-10 19:06 . 2008-01-10 19:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-10 19:06 . 2008-01-10 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-10 04:54 . 2008-01-10 06:25 8 --a------ C:\WINDOWS\system32\CID
    2008-01-08 16:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 06:14 . 2008-01-08 06:14 <DIR> d-------- C:\Deckard
    2008-01-08 04:05 . 2002-08-13 06:09 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
    2008-01-08 04:05 . 2002-08-13 06:10 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
    2008-01-07 20:33 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-07 17:14 . 2008-01-07 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-07 17:10 . 2008-01-10 16:53 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-06 18:11 . 2008-01-09 16:55 <DIR> d-------- C:\Program Files\SymNetDrv
    2008-01-06 17:46 . 2008-01-10 04:51 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2008-01-06 17:46 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-06 17:46 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-06 15:27 . 2008-01-06 15:42 <DIR> d-------- C:\Program Files\RegCleaner
    2008-01-06 12:40 . 2008-01-06 15:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-06 12:40 . 2008-01-06 12:40 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\SUPERAntiSpyware.com
    2008-01-06 12:30 . 2008-01-10 04:52 <DIR> d-------- C:\Temp
    2008-01-06 12:24 . 2008-01-06 12:24 <DIR> d-------- C:\WINDOWS\Sun
    2007-12-30 18:02 . 2007-12-30 18:02 <DIR> d-------- C:\Program Files\RhinoSoft.com
    2007-12-27 13:57 . 2007-12-27 13:57 <DIR> d-------- C:\Program Files\No-IP
    2007-12-27 12:55 . 2007-12-27 13:18 <DIR> d-------- C:\UFTP
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Program Files\Winamp
    2007-12-25 10:42 . 2007-12-25 10:44 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\Winamp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 23:56 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Azureus
    2008-01-10 23:31 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Vso
    2008-01-10 09:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-09 21:55 --------- d-----w C:\Program Files\Free Surfer
    2008-01-07 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-01-06 23:12 --------- d-----w C:\Program Files\Symantec
    2008-01-06 21:30 --------- d-----w C:\Program Files\Azureus
    2008-01-01 14:21 --------- d-----w C:\Program Files\AIM
    2008-01-01 14:21 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Aim
    2008-01-01 14:19 --------- d-----w C:\Program Files\Yahoo!
    2007-07-14 14:28 47,360 ----a-w C:\Documents and Settings\Debbie\Application Data\pcouffin.sys
    2003-07-14 17:43 30 ----a-w C:\Program Files\readme1st.txt
    2003-07-12 00:04 46,592 -c--a-w C:\Program Files\KeyGen.exe
    2003-07-11 10:19 3,901 ----a-w C:\Program Files\phx0day.nfo
    2003-05-30 14:59 72,701 ----a-w C:\Program Files\setup.cfg
    2003-05-30 14:06 1,155,072 ----a-w C:\Program Files\Setup.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-09_17.00.11.95 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-08 21:53:55 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    + 2008-01-11 08:59:21 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\ntuser.dat
    - 2008-01-08 21:53:55 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-11 08:59:21 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-08 21:53:56 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    + 2008-01-11 08:59:21 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
    - 2008-01-08 21:53:56 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-11 08:59:21 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-08 21:53:56 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-11 08:59:21 2,453,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-08 21:53:56 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-11 08:59:21 147,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-08 09:08:59 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-01-10 09:54:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-01-08 09:08:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-10 09:54:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-08 21:54:01 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2008-01-11 08:59:25 258,048 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-06 17:58 139264]
    "ServUTrayIcon "= "C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]

    C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
    No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-12-27 13:57:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-25 13:20:04]
    ZoneAlarm Pro.lnk - C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe [2005-05-01 08:40:25]

    R0 PQV2i;PQV2i;C:\WINDOWS\System32\drivers\PQV2i.sys [2004-07-29 02:33]
    R1 PQIMount;PQIMount;C:\WINDOWS\System32\drivers\PQIMount.sys [2004-07-29 03:13]
    R2 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-10-05 08:55]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-11 04:00:20
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-11 4:00:49
    ComboFix-quarantined-files.txt 2008-01-11 09:00:35
    ComboFix2.txt 2008-01-10 23:33:17
    ComboFix3.txt 2008-01-10 11:42:32
    ComboFix4.txt 2008-01-10 09:55:06
    ComboFix5.txt 2008-01-09 22:00:34
     
  20. 2008/01/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Let's tidy up. :)

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. You can delete OTMoveIt2.exe and dss.exe.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Now, it appears you may need to repair your Symantec and SuperAntispyware installations. You also need to head straight to Windows Update and start applying whatever critical updates and service packs. Continue to go back repeatedly checking until no more are offered. Your computer lacks any updates which are very important in helping to keep you from being re-infected.

    I will also point out that you are introducing even more risk by using file sharing programs and cracks (keygens present).

    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
     
  21. 2008/01/10
    Chawni12

    Chawni12 Inactive Thread Starter

    Joined:
    2007/06/23
    Messages:
    68
    Likes Received:
    0
    Thank you so much for all your help and patience. I could KISS you!!!!
    I'm way ahead of you. I already read Geri's post. My computer is like a fortress now. I have d/l about 5 programs to protect it. I'm also using Mozilla Firefox as my browser now. Getting the Windows updates as we speak. I hope I never have to enlist your help again.
    Take care and many thanks again!!
     
