« previous next »
Pages: [1] 2 3

Author Topic: Vundo  (Read 7404 times)

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« on: January 23, 2008, 08:46:21 AM »
I just found a vundo trojan on my computer and I was wondering if anyone knows how I can get rid of it.  Thanks in advance.

Trojan.vundo
C:\\windows\system32\jkhhe.dll



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:23 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Winamp\winampa .exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe
C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhe.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask   .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm   .exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 12032 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #1 on: January 23, 2008, 02:31:07 PM »
Can you do the following please

Do a "System scan only" with Hijackthis and put a check next to these entries:

F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhe.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Download HostsXpert [color=\"red\"]Here[/color] and unzip it to your desktop.
Next, open HostsXpert
  • Make sure that the "make hosts writable?" button in the upper left corner is checked>>Should read 'Make Readonly'
  • Now, click on 'Backup/Restore'
  • Click 'Create Backup'>>OK>>OK
  • then click on 'Restore MS host files'>>OK
  • Finally, close HostsXpert.

Temporarily disable Avast's protections so it won't interfere
Right click the Avast icon by the clock and Stop on access protections>>OK the prompt

Afterwards
Download [color=\"blue\"]VundoFix.exe[/color]
to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,  click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from Vundofix later>>C:\Vundofix.txt

Ensure Avast's protections are still disabled
Afterwards:
Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Post back all the following after the above is done, even if it takes more than one reply to do so

1. Post the log from Combofix, it's default location is >>C:\Combofix.txt
2. Post the log from Vundofix, it's default location is >>C:\Vundofix.txt
3. Run a fresh Scan>Save logfile with Hijackthis and post it's log also
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #2 on: January 23, 2008, 07:49:16 PM »
Combofix Log

ComboFix 08-01-23.2 - Administrator 2008-01-23 19:32:15.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.490 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\80avp08.com
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft ActiveSync\wcescomm     .exe
C:\Program Files\Microsoft ActiveSync\wcescomm    .exe
C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\QuickTime\qttask     .exe
C:\Program Files\QuickTime\qttask    .exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Winamp\winampa .exe
C:\Program Files\Winamp\winampa.exe
C:\semo2x.exe
C:\u.bat
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhe.exe
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\UpdReg.EXE
F:\80avp08.com
F:\semo2x.exe
F:\u.bat

Code: [Select]
<pre>
C:\Program Files\Alwil Software\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\ATI Multimedia\main\ATIDtct .EXE ---> QooBox
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\Common Files\Roxio Shared\System\EngUtil .exe ---> QooBox
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe ---> QooBox
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe ---> QooBox
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET .EXE ---> QooBox
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe ---> QooBox
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe ---> QooBox
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe ---> QooBox
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe ---> QooBox
C:\Program Files\Winamp\winampa .exe ---> QooBox
C:\WINDOWS\UpdReg .EXE ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\NeroCheck .exe ---> QooBox
</pre>.
.
(((((((((((((((((((((((((   Files Created from 2007-12-24 to 2008-01-24  )))))))))))))))))))))))))))))))
.

2008-01-23 19:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 15:21 . 2008-01-23 15:20 107,528 -r-hs---- C:\awda2.exe
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 13:37 . 2008-01-23 08:55 443,904 -r-hs---- C:\xn1i9x.com
2008-01-17 08:15 . 2008-01-17 08:14 105,525 -r-hs---- C:\m1t8ta.com
2008-01-15 13:56 . 2008-01-16 19:35 104,863 -r-hs---- C:\juok3st.bat
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-10 11:30 . 2008-01-15 07:22 104,451 -r-hs---- C:\d.com
2008-01-09 12:50 . 2008-01-09 12:49 104,392 -r-hs---- C:\tio8x6.cmd

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-24 12:52 124,370 --sh--r C:\usdeiect.com
2007-12-21 19:24 121,918 --sh--r C:\uxdeiect.com
2007-12-18 20:22 123,873 --sh--r C:\n1deiect.com
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-10 15:21 123,223 --sh--r C:\nideiect.com
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-01 17:56 98,620 --sh--r C:\ntde1ect.com
2007-11-26 19:04 --------- d-----w C:\Program Files\Java
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C3CF0-4B15-11D1-ABED-709549C10000}]
   C:\Program Files\Go!Zilla\GoIEHlp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [ ]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [ ]
"ATI Launchpad"="" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [ ]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm     .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DXDllRegExe"="dxdllreg.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [ ]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"nwiz"="nwiz.exe" [2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [ ]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask     .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Logitech Desktop Messenger.lnk - C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir [2007-02-26 23:01:24 433152]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-10-08 19:34:22 434176]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-01-17 21:40:17 155715]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:42:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
Logged

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #3 on: January 23, 2008, 07:51:42 PM »
Vundofix Log

Symantec Trojan.Vundo Removal Tool 1.5.0

C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=23532491;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;cust=no;vip=no;u=;sz=230x75;tile=7;ord=61[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;cust=no;vip=no;u=;sz=985x40;tile=6;ord=46[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=160x6[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194AVJPD\players;arena=nfl;feat=players;type=psa;team=NE;playr=187741;user=Anonymous
;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cN[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\194OHH6I\CAI3OPGP.com%26scx%3D1280%26scy%3D1024%26scc%3D32%26sta%3D%2C%2C%2C1%2C%2C%2C%2C%2C%2C%2C0%2C5%2C0%2C19679%2C19579%2C14659%2C15477%2C501%26iid%3D218218%26bid%3D804224%26datne%3D (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\2NWRYPW7\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=185230333[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\2TSB4RS5\site=cs&pagepos=3&city=newyork&market_id=66&adsize=160x600&adsize=120x600&guide=cityguide&context=generic&brand=citysearch&Params.richmedia=yes&Params[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\4Z6BY5UX\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=185277880[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6Y3IEP2Y\Burton-12_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQf
rtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[
1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\6Y3IEP2Y\Burton-mission_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR
10QQfrtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsapr
c[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\DWKVOFZ5\Burton-Cartel_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR1
0QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[1].htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\DWKVOFZ5\Burton-freestyle_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfrom
ZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[1].
htm (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\DWKVOFZ5\CAUZ0P25.com%26scx%3D1280%26scy%3D1024%26scc%3D32%26sta%3D%2C%2C%2C1%2C%2C%2C%2C%2C%2C%2C0%2C5%2C0%2C19679%2C19579%2C14659%2C15477%2C501%26iid%3D218218%26bid%3D804224%26datne%3D (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\EX4ZQ1GX\.nu%2F&color_bg=FFFFFF&color_text=000000&color_link=3C5E92&color_url=3C5E92&color_border=FFFFFF&cc=100&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-300&u_his=2&u_java=true (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H1LMRNPQ\CAC9AD4N.583&kw_type=broad&kw=Lipstick%20%26%20Dynamite%2C%20Piss%20%26%20Vinegar&ad_type=text&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-240&u_his=8&u_java=true (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H1LMRNPQ\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;dcopt=ist;u=Q7txegq0Dr4AAGU1cN[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H1LMRNPQ\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;dcopt=ist;u=Q7txegq0Dr4AAGU1cN[2] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\MVYD290H\site=cs&pagepos=7&city=newyork&market_id=66&adsize=160x125&adsize=125x125&guide=cityguide&context=generic&brand=cit[1].styles=csalign_html,csalign_img&topic_id=1214&page=search (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=363783018[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=22079287;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=150x3[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=160x6[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\NHDFEEQ9\players;arena=nfl;feat=players;type=psa;team=NE;playr=187741;user=Anonymous
;seg=nonaol;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;dcopt=ist;u=Q7txegq0[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\Directions;MN=93206399;wm=o;city=brooklyn;st=ny;dma=newyork;co=usa;abr=%21ec;!c=d-fls;!c=d-htm;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=300x250;tile=1;dcove=d;ord=363678299[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=22079287;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;adid=23532491;cust=no;vip=no;u=;sz=1x1;ti[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\homead;arena=nfl;arena=home;type=psa;team=HOME;user=Anonymous;seg=nonaol;ct
ype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;dpart=1;cust=no;vip=no;u=;sz=230x75;tile=7;ord=46[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\UYB318R3\players;arena=nfl;feat=players;type=psa;page=index;user=Anonymous;seg=nonao
l;ctype=lan;lang=en-us;lang=en-us;vpmp=yes;adv=b;cust=no;vip=no;u=Q7txegq0Dr4AAGU1cNs;sz=150x3[1] (WARNING: not scanned, path to long)
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\XHKTXUB5\Burton-ion_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQ
frtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ
[1].htm (WARNING: not scanned, path to long)
C:\System Volume Information: (not scanned)
F:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.
Logged

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #4 on: January 23, 2008, 07:53:09 PM »
Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll (file missing)
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask     .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm     .exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10321 bytes
Logged

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #5 on: January 23, 2008, 07:55:36 PM »
Also on startup a window popped up saying "Windows cannot open this file"

LogitechDesktopMessenger.exe.vir

and it asks me to choose an option either use web service to find a program or choose manually.
Logged

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #6 on: January 23, 2008, 09:33:26 PM »
[quote name=\'ixjerryxi\' post=\'419692\' date=\'Jan 23 2008, 07:55 PM\']Also on startup a window popped up saying "Windows cannot open this file"

LogitechDesktopMessenger.exe.vir

and it asks me to choose an option either use web service to find a program or choose manually.[/quote]

Also I forgot to mention my printer driver always reinstalls at startup too.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #7 on: January 28, 2008, 07:37:02 PM »
Very sorry for the delay
If you still need a hand, can you do the following

DELETE your version of Combofix, and then let's redo it

Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the fresh log from combofix>>C:/Combofix.txt as well as a fresh hijackthis log
Keep me informed how things are running please

NOTE:
Quote
Symantec Trojan.Vundo Removal Tool 1.5.0
That IS NOT the Vundofix I linked you too above, please keep with the instructions
Can you run the one I linked to and post it's log also
« Last Edit: January 28, 2008, 07:39:35 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #8 on: January 28, 2008, 09:18:34 PM »
On startup it say "Windows cannot open this file" LogitechDesktopMessenger.exe.vir

My printer driver no longer comes up.

Here is Combofix log

ComboFix 08-01-29.3 - Administrator 2008-01-28 21:08:05.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.611 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #9 on: January 28, 2008, 09:38:38 PM »
I hope that's not all your planning on posting??

First, you didn't post the Whole combofix log?
You didn't post the Hijackthis log?
You didn't run Vundofix from what I linked to earlier and post the log?

If you are having problems copying>>pasting
In the log select EDIT>>SELECT ALL
EDIT>>COPY
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #10 on: January 28, 2008, 09:57:25 PM »
[quote name=\'guestolo\' post=\'420270\' date=\'Jan 28 2008, 09:38 PM\']I hope that's not all your planning on posting??

First, you didn't post the Whole combofix log?
You didn't post the Hijackthis log?
You didn't run Vundofix from what I linked to earlier and post the log?

If you are having problems copying>>pasting
In the log select EDIT>>SELECT ALL
EDIT>>COPY[/quote]

sorry about that...

the combofix log was all I had on combofix.txt

this is the vundofix log


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 21:18:04 2008-01-28

Listing files found while scanning....

C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTWMAFile2.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTAVIFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\NCTWMAFile2.dll Has been deleted!

Performing Repairs to the registry.
Done!






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01, on 2008-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7584 bytes
« Last Edit: January 28, 2008, 10:02:33 PM by ixjerryxi »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #11 on: January 28, 2008, 10:55:26 PM »
That shouldn't be all from Combofix, did you follow all the prompts properly?
Also, go look for this file
C:\Combofix.txt
Open it and post the contents if different than above
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #12 on: January 29, 2008, 12:22:20 AM »
[quote name=\'guestolo\' post=\'420275\' date=\'Jan 28 2008, 10:55 PM\']That shouldn't be all from Combofix, did you follow all the prompts properly?
Also, go look for this file
C:\Combofix.txt
Open it and post the contents if different than above[/quote]


yeah it ran thru all the processes and then it rebooted.  Should I run it again?
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #13 on: January 29, 2008, 12:28:26 AM »
Can you manually look for this file
C:\Combofix.txt
If you open it is that the whole contents that you posted earlier?
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #14 on: January 29, 2008, 12:36:10 AM »
[quote name=\'guestolo\' post=\'420282\' date=\'Jan 29 2008, 12:28 AM\']Can you manually look for this file
C:\Combofix.txt
If you open it is that the whole contents that you posted earlier?[/quote]


ComboFix 08-01-29.3 - Administrator 2008-01-29  0:27:31.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.647 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-29  )))))))))))))))))))))))))))))))
.

2008-01-28 18:00 . 2008-01-28 17:59 104,734 -r-hs---- C:\ylr.exe
2008-01-25 09:12 . 2008-01-28 17:58 443,904 -r-hs---- C:\xo8wr9.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-25 02:29 . 2008-01-25 09:11 443,392 -r-hs---- C:\qd.cmd
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-24 00:38 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-24 00:38 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 00:38 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-24 00:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-24 00:38 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-24 00:38 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-24 00:38 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-24 00:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-24 00:35 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-24 00:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-24 00:33 . 2004-08-04 01:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-01-24 00:32 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-01-24 00:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-01-24 00:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-24 00:29 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-24 00:28 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-24 00:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-24 00:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-23 23:01 . 2008-01-28 22:17 <DIR> d-------- C:\VundoFix Backups
2008-01-23 15:21 . 2008-01-23 22:27 107,528 -r-hs---- C:\awda2.exe
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-21 13:37 . 2008-01-23 08:55 443,904 -r-hs---- C:\xn1i9x.com
2008-01-17 08:15 . 2008-01-17 08:14 105,525 -r-hs---- C:\m1t8ta.com
2008-01-15 13:56 . 2008-01-16 19:35 104,863 -r-hs---- C:\juok3st.bat
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jabra
2008-01-10 11:30 . 2008-01-15 07:22 104,451 -r-hs---- C:\d.com
2008-01-09 12:50 . 2008-01-09 12:49 104,392 -r-hs---- C:\tio8x6.cmd

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 07:25 --------- d-----w C:\Program Files\HP
2008-01-24 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-17 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-16 02:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-24 12:52 124,370 --sh--r C:\usdeiect.com
2007-12-21 19:24 121,918 --sh--r C:\uxdeiect.com
2007-12-18 20:22 123,873 --sh--r C:\n1deiect.com
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-16 21:52 32,419 --sha-r C:\WINDOWS\system32\avpo0.dll
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-14 22:03 44,564 --sha-r C:\WINDOWS\system32\amvo2.dll
2007-12-10 15:21 123,223 --sh--r C:\nideiect.com
2007-12-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-06 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-02 21:11 22,528 ----a-w C:\WINDOWS\system32\wsock32.dll
2007-12-01 17:56 98,620 --sha-r C:\WINDOWS\system32\avpo.exe
2007-12-01 17:56 98,620 --sh--r C:\ntde1ect.com
2007-12-01 17:56 32,419 --sha-r C:\WINDOWS\system32\avpo1.dll
2007-11-28 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-12 04:41 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 04:41 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 04:41 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 04:41 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 04:41 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 04:41 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 04:41 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 04:41 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 04:41 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.
Code: [Select]
<pre>
----a-w 15,360 2008-01-28 22:58:43  C:\WINDOWS\system32\ctfmon .exe
</pre>

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff80-58c7-11dc-b00f-0011110d0680}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff87-58c7-11dc-b00f-0011110d0680}]
\Shell\AutoRun\command - H:\qd.cmd
\Shell\explore\Command - H:\qd.cmd
\Shell\open\Command - H:\qd.cmd

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 00:31:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
Completion time: 2008-01-29  0:32:41
ComboFix-quarantined-files.txt  2008-01-29 05:32:11
.
2008-01-13 01:42:12 --- E O F ---
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #15 on: January 29, 2008, 01:16:03 AM »
Can you temporarily disable Avast's protections
Right click on the AVAST icon by the clock and select "Stop on Access protections"

I suggest that you access your add/remove programs and remove anything related to
ViewPoint
It usually get's unknowingly installed
You may have more than one entry


Do a System Scan only with Hijackthis and put a tick beside this entry
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\QooBox\Quarantine\C\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe.vir
With all other windows closed, including this one
click FIX CHECKED
Ok the prompts then exit Hijackthis
Afterwards:

Download the Flash_Disinfector.exe from here and save to desktop
http://www.techsupportforum.com/sectools/s...Disinfector.exe
Run Flash_Disinfector.exe, Follow the prompts
Insert any removable flash drives you may have when prompted

Leave any flash drive inserted
Then do the following:
==Open notepad and copy/paste the text in the quotebox below into it:
Don't use anything else than notepad or the script will not work

Quote
RenV::
C:\WINDOWS\system32\ctfmon .exe

File::
C:\ylr.exe
C:\xo8wr9.exe
C:\qd.cmd
C:\awda2.exe
C:\xn1i9x.com
C:\m1t8ta.com
C:\juok3st.bat
C:\d.com
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\n1deiect.com
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\amvo2.dll
C:\nideiect.com
C:\WINDOWS\system32\avpo.exe
C:\ntde1ect.com
C:\WINDOWS\system32\avpo1.dll
C:\qd.cmd
H:\qd.cmd

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32bbff87-58c7-11dc-b00f-0011110d0680}]
Save this as txtfile on your desktop
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Don't mouse click on it, let it complete

When finished, it shall produce a log for you again, with the same name C:\ComboFix.txt..

Post back all the following

1. Post the log from combofix >>C:\Combofix.txt
2. Run a fresh Scan>>save logfile with Hijackthis and post it's log too
« Last Edit: January 29, 2008, 01:17:27 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline ixjerryxi

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
Vundo
« Reply #16 on: January 29, 2008, 01:38:11 AM »
My printer driver installed after the combofix rebooted and started up windows.



ComboFix 08-01-29.3 - Administrator 2008-01-29  1:30:57.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.610 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]

FILE
C:\awda2.exe
C:\d.com
C:\juok3st.bat
C:\m1t8ta.com
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\qd.cmd
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\WINDOWS\system32\amvo2.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\avpo1.dll
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
H:\qd.cmd
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\awda2.exe
C:\d.com
C:\juok3st.bat
C:\m1t8ta.com
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\qd.cmd
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
C:\awda2.exe
C:\d.com
C:\juok3st.bat
C:\m1t8ta.com
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\qd.cmd
C:\tio8x6.cmd
C:\usdeiect.com
C:\uxdeiect.com
C:\WINDOWS\system32\amvo2.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo0.dll
C:\WINDOWS\system32\avpo1.dll
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
H:\qd.cmd . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-29  )))))))))))))))))))))))))))))))
.

2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-25 09:11 . 2008-01-28 17:58 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-24 04:16 . 2008-01-24 04:16 <DIR> d-------- C:\Program Files\Abexo
2008-01-24 00:38 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-24 00:38 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-24 00:38 . 2004-08-04 07:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 00:38 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-24 00:38 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-24 00:38 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-24 00:38 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-24 00:38 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-24 00:36 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-24 00:35 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-24 00:34 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-24 00:33 . 2004-08-04 01:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-01-24 00:32 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-01-24 00:31 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-01-24 00:30 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-24 00:29 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-01-24 00:28 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-24 00:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-24 00:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-23 23:01 . 2008-01-28 22:17 <DIR> d-------- C:\VundoFix Backups
2008-01-23 00:45 . 2008-01-23 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 22:02 . 2008-01-22 22:02 435 --a------ C:\WINDOWS\system32\Shortcut to system32.lnk
2008-01-22 22:00 . 2008-01-22 23:55 289 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:40 . 2008-01-22 20:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Program Files\Jabra
2008-01-11 18:07 . 2008-01-11 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jabra

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 18:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 07:25 --------- d-----w C:\Program Files\HP
2008-01-24 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 00:38 --------- d-----w C:\Program Files\Winamp
2008-01-24 00:37 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 00:37 --------- d-----w C:\Program Files\iTunes
2008-01-17 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-01-16 02:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-15 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-03 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-01-03 02:22 --------- d-----w C:\Program Files\Creative
2008-01-03 02:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 23:27 --------- d-----w C:\Program Files\mIRC
2007-12-15 23:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 22:19 --------- d-----w C:\Program Files\iPod
2007-12-06 03:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-06 03:36 --------- d-----w C:\Program Files\AIM6
2007-12-06 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-28 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-09-19 01:07 20,688 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-12 04:41 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-04-12 04:41 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-04-12 04:41 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-04-12 04:41 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-04-12 04:41 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-04-12 04:41 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-04-12 04:41 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-04-12 04:41 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-04-12 04:41 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-01-14 06:28 0 -c-h--w C:\Program Files\ENYOLINK Settings
2004-11-19 05:05 3,546 -c--a-w C:\Program Files\uninstal.log
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 17:58 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 12:19 4628480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-11-30 12:19 86016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2005-08-07 17:10 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-07-22 15:50:16 577597]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-01-17 21:40:40 36864]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-10-08 19:34:22 434176]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2005-01-17 21:40:17 155715]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-11-30 12:19 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=3 (0x3)
"IDriverT"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 ATIDACXX;ATI DTV Wonder Analog Audio Capture Device;C:\WINDOWS\system32\drivers\atidacxx.sys [2005-09-26 20:21]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;C:\WINDOWS\system32\drivers\atiddcxx.sys [2005-09-26 20:20]
R3 ATIDTUXX;ATI DTV Wonder Digital And Analog Tuner Device;C:\WINDOWS\system32\drivers\atidtuxx.sys [2005-09-26 20:21]
R3 ATIDVCXX;ATI DTV Wonder Analog AV Capture Device;C:\WINDOWS\system32\drivers\atidvcxx.sys [2005-09-26 20:20]
R3 ATIDXBXX;ATI DTV Wonder Analog AV Crossbar Device;C:\WINDOWS\system32\drivers\atidxbxx.sys [2005-09-26 20:20]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 09:05]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 09:27]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 09:05]
S3 S3SAV2K;S3SAV2K;C:\WINDOWS\system32\DRIVERS\s3sav2km.sys [2004-09-25 21:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 19:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 01:34:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\GameHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-01-29  1:39:54 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-29 06:39:51
ComboFix2.txt  2008-01-29 05:32:42
.
2008-01-13 01:42:12 --- E O F ---  







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:13 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href="http://www.Email Removed.com/" target="_blank" rel="nofollow">http://www.Email Removed.com/</a>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = forbin.qc.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095300908968
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7420 bytes
« Last Edit: January 29, 2008, 01:39:31 AM by ixjerryxi »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Vundo
« Reply #17 on: January 29, 2008, 01:59:18 AM »
I see you opted to keep Viewpoint installed, that is your option

use the Internet Explorer browser (or FireFox with IETab), and do an online scan with [color=\"blue\"]Kaspersky Online Scanner[/color]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet [color=\"#3333FF\"]Explorer 7[/color] users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%[/i].)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        [color=\"#6666CC\"]Extended[/color]
    • Scan Options:
        [color=\"#6666CC\"]Scan Archives[/color]
        [color=\"#6666CC\"]Scan Mail Bases[/color]
        [/list]
        [/list]
        • Click OK and, under select a target to scan, select My Computer
        When the scan is done, in the [color=\"Navy\"]Scan is completed [/color]window (below), any infection is displayed.
        There is no option to clean/disinfect, however, we need to analyze the information on the report.


        To obtain the report:
        Click on: Save Report As (above - red blinking arrow)
        Next, in the [color=\"Navy\"]Save as [/color]prompt, [color=\"navy\"]Save in[/color] area, select: Desktop
        In the [color=\"navy\"]File name[/color] area, use KScan, or something similar
        In [color=\"navy\"]Save as type[/color], click the drop arrow and select: Text file [*.txt]
        Then, click: Save
        Please post the [color=\"Navy\"]Kaspersky Online Scanner Report [/color]in your reply.
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Offline ixjerryxi

        • Newbie
        • *
        • Posts: 44
        • Karma: +0/-0
          • View Profile
        Vundo
        « Reply #18 on: January 29, 2008, 08:13:29 AM »
        -------------------------------------------------------------------------------
         KASPERSKY ONLINE SCANNER REPORT
         Tuesday, January 29, 2008 8:16:22 AM
         Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
         Kaspersky Online Scanner version: 5.0.98.0
         Kaspersky Anti-Virus database last update: 29/01/2008
         Kaspersky Anti-Virus database records: 535353
        -------------------------------------------------------------------------------

        Scan Settings:
         Scan using the following antivirus database: extended
         Scan Archives: true
         Scan Mail Bases: true

        Scan Target - My Computer:
         A:\
         C:\
         D:\
         F:\
         G:\
         H:\

        Scan Statistics:
         Total number of scanned objects: 109208
         Number of viruses found: 79
         Number of infected objects: 804
         Number of suspicious objects: 0
         Duration of the scan process: 01:43:33

        Infected Object Name / Virus Name / Last Action
        C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8y9vh.dll Infected: Trojan-PSW.Win32.OnLineGames.nnq skipped
        C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\MVYD290H\new3[1].htm Infected: Constructor.Perl.Msdds.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-2cd22d5b/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-2cd22d5b ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\34\63206922-5a358be2/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\34\63206922-5a358be2 ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-63f0439f/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-63f0439f ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-5f4b50bb/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-5f4b50bb ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-2f7699e9/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-2f7699e9 ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-74206b0c.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-74206b0c.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-42399452.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-42399452.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1dadae47.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-1dadae47.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-15327e32.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-15327e32.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-6c9447f2.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
        C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-6c9447f2.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZOPNRGNC\bind[1].htm Object is locked skipped
        C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
        C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
        C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
        C:\Program Files\Apache Group\Apache\logs\access.log Object is locked skipped
        C:\Program Files\Apache Group\Apache\logs\error.log Object is locked skipped
        C:\Program Files\Apache Group\Apache\logs\ssl.log Object is locked skipped
        C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
        C:\QooBox\Quarantine\C\WINDOWS\system32\amvo2.dll.vir Infected: Trojan-PSW.Win32.WOW.agx skipped
        C:\QooBox\Quarantine\C\WINDOWS\system32\avpo.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\QooBox\Quarantine\C\WINDOWS\system32\avpo0.dll.vir Infected: Packed.Win32.NSAnti.r skipped
        C:\QooBox\Quarantine\C\WINDOWS\system32\avpo1.dll.vir Infected: Packed.Win32.NSAnti.r skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 03142.29.zip/jkhhe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 03142.29.zip ZIP: infected - 1 skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/awda2.exe Infected: Worm.Win32.AutoRun.ccs skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/d.com Infected: Worm.Win32.AutoRun.bua skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/juok3st.bat Infected: Worm.Win32.AutoRun.bur skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/m1t8ta.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/n1deiect.com Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/nideiect.com Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/ntde1ect.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/qd.cmd Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/tio8x6.cmd Infected: Worm.Win32.AutoRun.bpn skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/usdeiect.com Infected: Worm.Win32.AutoRun.bep skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/uxdeiect.com Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/xn1i9x.com Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/xo8wr9.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/ylr.exe Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip/qd.cmd.1 Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\QooBox\Quarantine\catchme2008-01-29_ 13419.00.zip ZIP: infected - 15 skipped
        C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000785.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000802.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000804.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000815.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000817.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000828.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000830.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000841.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000843.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000857.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000859.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000870.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000872.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000883.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP10\A0000885.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP11\A0000888.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002405.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002409.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002413.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002427.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002428.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002430.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002431.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002436.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002437.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002438.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002455.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002456.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002459.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002460.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002463.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002464.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002489.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002490.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002492.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002493.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002498.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002499.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002513.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002515.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002516.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002518.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP12\A0002521.exe Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002524.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002554.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002556.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002557.com Infected: Trojan-PSW.Win32.OnLineGames.kan skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP13\A0002561.dll Infected: Virus.Win32.AutoRun.akr skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002582.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002584.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002585.com Infected: Trojan-PSW.Win32.OnLineGames.kdp skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002589.exe Infected: Trojan-PSW.Win32.OnLineGames.kdp skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002590.dll Infected: Trojan-PSW.Win32.OnLineGames.kow skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002664.dll Infected: Worm.Win32.AutoRun.ci skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002665.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002667.com Infected: Worm.Win32.AutoRun.ci skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002669.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002673.exe Infected: Worm.Win32.AutoRun.ci skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP14\A0002674.dll Infected: Worm.Win32.AutoRun.ci skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002687.com Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002689.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002715.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002716.dll Infected: Trojan-PSW.Win32.WOW.hu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002718.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002720.com Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002724.exe Infected: Trojan-PSW.Win32.OnLineGames.knb skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002725.dll Infected: Trojan-PSW.Win32.WOW.hu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002741.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP15\A0002745.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP16\A0002765.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002874.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002879.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002899.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002901.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002927.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002929.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002951.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002952.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002954.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002955.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP17\A0002961.exe Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0002985.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0002987.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003003.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003004.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003006.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003007.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003012.exe Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003029.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003030.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003032.com Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003034.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003037.exe Infected: Trojan-PSW.Win32.OnLineGames.ksh skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003038.dll Infected: Trojan-PSW.Win32.WOW.agt skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003054.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003057.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP18\A0003062.dll Infected: Trojan-PSW.Win32.OnLineGames.kuo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003077.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003100.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003102.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003120.dll Infected: Trojan-PSW.Win32.OnLineGames.kuo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003173.dll Infected: Trojan-PSW.Win32.WOW.agx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003174.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003176.com Infected: Trojan-PSW.Win32.Nilage.bvu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003177.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP19\A0003182.exe Infected: Trojan-PSW.Win32.Nilage.bvu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP20\A0003195.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP20\A0003213.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP21\A0003217.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP21\A0003254.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP22\A0003264.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP22\A0003266.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003268.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003270.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003430.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003431.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003434.exe Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003435.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003439.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP23\A0003443.dll Infected: Trojan-PSW.Win32.WOW.agx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003472.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003473.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003477.com Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003479.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003483.exe Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003484.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003564.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003565.dll Infected: Trojan-PSW.Win32.OnLineGames.kxk skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003569.com Infected: Trojan-PSW.Win32.OnLineGames.jkq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP24\A0003573.dll Infected: Trojan-PSW.Win32.OnLineGames.lff skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003795.dll Infected: Trojan-PSW.Win32.OnLineGames.lff skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003801.dll Infected: Trojan-PSW.Win32.OnLineGames.lff skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003814.com Infected: Trojan-PSW.Win32.Nilage.bvw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003817.exe Infected: Trojan-PSW.Win32.Nilage.bvw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003828.com Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003841.dll Infected: Trojan-PSW.Win32.WOW.ahe skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003843.com Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003846.exe Infected: Trojan-PSW.Win32.OnLineGames.lfi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003847.dll Infected: Trojan-PSW.Win32.WOW.ahe skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003857.com Infected: Trojan-PSW.Win32.OnLineGames.llw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003862.exe Infected: Trojan-PSW.Win32.OnLineGames.llw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003863.dll Infected: Trojan-PSW.Win32.OnLineGames.pjp skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003874.com Infected: Trojan-PSW.Win32.OnLineGames.lov skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003887.dll Infected: Trojan-PSW.Win32.WOW.aho skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003889.com Infected: Trojan-PSW.Win32.OnLineGames.lov skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003892.exe Infected: Trojan-PSW.Win32.OnLineGames.lov skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003893.dll Infected: Trojan-PSW.Win32.WOW.aho skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003931.com Infected: Worm.Win32.AutoRun.bcw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003940.dll Infected: Trojan-PSW.Win32.WOW.ahs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003942.sys Infected: Rootkit.Win32.Vanti.gz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003943.com Infected: Worm.Win32.AutoRun.bcw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003947.exe Infected: Worm.Win32.AutoRun.bcw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP25\A0003948.dll Infected: Trojan-PSW.Win32.WOW.ahs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003951.com Infected: Worm.Win32.AutoRun.bdg skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003970.dll Infected: Trojan-PSW.Win32.WOW.ahs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003972.com Infected: Worm.Win32.AutoRun.bdg skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003976.exe Infected: Worm.Win32.AutoRun.bdg skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP26\A0003977.dll Infected: Trojan-PSW.Win32.OnLineGames.lwp skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0003996.com Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004008.dll Infected: Trojan-PSW.Win32.OnLineGames.ons skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004010.com Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004014.exe Infected: Trojan-PSW.Win32.OnLineGames.lsy skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004015.dll Infected: Trojan-PSW.Win32.OnLineGames.ons skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004025.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004039.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP27\A0004041.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP28\A0004045.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP28\A0004061.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP28\A0004063.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004068.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004085.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004087.com Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004093.exe Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004094.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004105.dll Infected: Trojan-PSW.Win32.OnLineGames.lvs skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP29\A0004107.com Infected: Worm.Win32.AutoRun.bep skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004114.com Infected: Worm.Win32.AutoRun.bep skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004130.dll Infected: Worm.Win32.AutoRun.bep skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004132.com Infected: Worm.Win32.AutoRun.bep skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004136.exe Infected: Worm.Win32.AutoRun.bep skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004149.dll Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP30\A0004151.com Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0004163.com Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005151.dll Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005154.com Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005160.exe Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005161.dll Infected: Worm.Win32.AutoRun.bep skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005170.dll Infected: Trojan-PSW.Win32.OnLineGames.mqw skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005172.com Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005176.exe Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP31\A0005177.dll Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005182.com Infected: Worm.Win32.AutoRun.bld skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005200.dll Infected: Trojan-PSW.Win32.OnLineGames.mrq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005202.com Infected: Worm.Win32.AutoRun.bld skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005218.dll Infected: Worm.Win32.AutoRun.bld skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005220.com Infected: Worm.Win32.AutoRun.bld skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005224.exe Infected: Worm.Win32.AutoRun.bld skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP32\A0005225.dll Infected: Worm.Win32.AutoRun.bld skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP33\A0005226.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP34\A0005232.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP36\A0005236.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP38\A0005240.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP39\A0005248.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005251.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005285.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005315.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005317.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP40\A0005319.exe Infected: Trojan-PSW.Win32.OnLineGames.muu skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005325.bat Infected: Worm.Win32.AutoRun.bmz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005344.dll Infected: Worm.Win32.AutoRun.bmz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005346.bat Infected: Worm.Win32.AutoRun.bmz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005349.exe Infected: Worm.Win32.AutoRun.bmz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP41\A0005350.dll Infected: Trojan-PSW.Win32.OnLineGames.mwc skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005354.bat Infected: Worm.Win32.AutoRun.bnq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005381.bat Infected: Worm.Win32.AutoRun.bnq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005385.exe Infected: Worm.Win32.AutoRun.bnq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP42\A0005386.dll Infected: Worm.Win32.AutoRun.bnq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005407.dll Infected: Worm.Win32.AutoRun.bnq skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005430.cmd Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005455.dll Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005457.cmd Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005461.dll Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005475.cmd Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005489.dll Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005491.cmd Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005495.exe Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005496.dll Infected: Trojan-PSW.Win32.WOW.aiy skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP43\A0005497.com Infected: Worm.Win32.AutoRun.bpn skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005501.com Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005528.com Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005532.exe Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP44\A0005533.dll Infected: Trojan-PSW.Win32.OnLineGames.nqv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005666.com Infected: Worm.Win32.AutoRun.brz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005670.exe Infected: Worm.Win32.AutoRun.brz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005671.dll Infected: Trojan-PSW.Win32.OnLineGames.nwl skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005685.dll Infected: Trojan-PSW.Win32.OnLineGames.nwl skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005687.com Infected: Worm.Win32.AutoRun.bss skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP45\A0005691.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005695.com Infected: Worm.Win32.AutoRun.bss skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005717.com Infected: Worm.Win32.AutoRun.bss skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005729.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005731.com Infected: Worm.Win32.AutoRun.bss skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005745.dll Infected: Trojan-PSW.Win32.OnLineGames.okv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005747.com Infected: Worm.Win32.AutoRun.bss skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005751.exe Infected: Worm.Win32.AutoRun.bss skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005752.dll Infected: Trojan-PSW.Win32.OnLineGames.oby skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005772.com Infected: Worm.Win32.AutoRun.btv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005776.exe Infected: Worm.Win32.AutoRun.btv skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005777.dll Infected: Trojan-PSW.Win32.OnLineGames.ojg skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005787.com Infected: Worm.Win32.AutoRun.bua skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005791.exe Infected: Worm.Win32.AutoRun.bua skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005792.dll Infected: Worm.Win32.AutoRun.bua skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005806.bat Infected: Worm.Win32.AutoRun.bun skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005818.dll Infected: Trojan-PSW.Win32.OnLineGames.pbf skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP46\A0005820.bat Infected: Worm.Win32.AutoRun.bun skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005882.bat Infected: Worm.Win32.AutoRun.bun skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005956.exe Infected: Worm.Win32.AutoRun.bun skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005957.dll Infected: Trojan-PSW.Win32.OnLineGames.pbf skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005958.dll Infected: Trojan-PSW.Win32.OnLineGames.pbf skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP47\A0005959.bat Infected: Worm.Win32.AutoRun.bun skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0005961.bat Infected: Worm.Win32.AutoRun.bur skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0005996.bat Infected: Worm.Win32.AutoRun.bur skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006000.exe Infected: Worm.Win32.AutoRun.bur skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006001.dll Infected: Worm.Win32.AutoRun.bur skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006011.dll Infected: Worm.Win32.AutoRun.bur skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006012.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006024.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006026.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006042.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006044.com Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006050.exe Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP48\A0006051.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006053.com Infected: Worm.Win32.AutoRun.bvz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006072.dll Infected: Trojan-PSW.Win32.OnLineGames.oob skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006073.com Infected: Worm.Win32.AutoRun.bvz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006077.exe Infected: Worm.Win32.AutoRun.bvz skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006078.dll Infected: Trojan-PSW.Win32.OnLineGames.oti skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP49\A0006088.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000184.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000370.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000387.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000439.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP5\A0000461.dll Infected: Packed.Win32.NSAnti.r skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006092.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006108.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006110.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006114.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006124.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006140.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP50\A0006142.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006148.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006164.dll Infected: Trojan-PSW.Win32.OnLineGames.owi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006166.com Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006170.exe Infected: Worm.Win32.AutoRun.byx skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006171.dll Infected: Worm.Win32.AutoRun.cag skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006186.com Infected: Worm.Win32.AutoRun.cas skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP51\A0006189.dll Infected: Trojan-PSW.Win32.OnLineGames.pcf skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006191.com Infected: Worm.Win32.AutoRun.cas skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006208.com Infected: Worm.Win32.AutoRun.cas skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006210.exe Infected: Worm.Win32.AutoRun.cas skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006211.dll Infected: Worm.Win32.AutoRun.cbi skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006225.com Infected: Trojan-PSW.Win32.OnLineGames.pfm skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP52\A0006237.exe Infected: Trojan-PSW.Win32.OnLineGames.pfm skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006253.com Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006270.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006271.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006273.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006274.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006276.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006277.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006278.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006279.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006280.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006281.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006282.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006283.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006284.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006285.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006286.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006287.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006288.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006289.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006290.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006291.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006292.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006293.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
        C:\System Volume Information\_restore{40A9FE23-7728-40A3-A0D6-E183A3548376}\RP53\A0006294.dll Infected: Trojan-PSW.Win32.OnLineGames.pfm
        Logged

        Offline guestolo

        • Site Donator
        • Administrator
        • Hero Member
        • *****
        • Posts: 16034
        • Karma: +1/-0
          • View Profile
          • http://
        Vundo
        « Reply #19 on: January 29, 2008, 07:12:02 PM »
        Looks as if Kaspersky's still found bad guys in your F:\ and H:\ drives
        What drives do those letters represent?
        eg... Such as an External harddrive
        Logged

        Do you want to post your own logs from FRST?

        Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

        Pages: [1] 2 3
        « previous next »