#1
Registered User
Join Date: Mar 2007
Posts: 28
OS: XP

Vundo virus and other popups
Good morning.

I've been fighting with my computer the past two days. I looked on the website and downloaded the Vundo fix on the site, running it after going through the various spyware programs I have at my disposal. The fix removes most of it, but still leaves a single dll file. It instructs me to restart my system to finish the cleaning, but each time I do, the file appears. I've gone through your 5 steps before posting. While I was running Panda, the entire IE shut down, killing the scan. I have random popups and before the Panda shut down, it showed 2 viruses, dialers, hacker tools, and whatnot. I was unable to get any specifics since I couldn't get the log. Also please note: In the log there is a file titled chat.html for the IE homepage. This is a custom html page I wrote for my own use as my homepage. Here is the log from Deckard:

```
Deckard's System Scanner v20070611.50
Run by Robert Terry on 2007-06-25 at 13:07:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Robert Terry.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:09:04 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert Terry\Desktop\dss.exe
C:\HIJACK~1\ROBERT~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Windows%20Reboot/Webpage/chat.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AEEB5A9-A77F-49E9-8CAA-B27B17F34073} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {43F7034D-313E-4763-B630-C025E178E76A} - C:\WINDOWS\system32\vtsqn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {674DDFA6-BB3D-427B-961F-E9EEEF293004} - C:\WINDOWS\system32\iifdddd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win34D.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166399552390
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A257B4DE-E54D-4556-862E-EE2CF5BE60E6}: NameServer = 192.168.1.1
O20 - Winlogon Notify: iifdddd - C:\WINDOWS\SYSTEM32\iifdddd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmmt32 - C:\WINDOWS\SYSTEM32\winmmt32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gpixafhy.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

-- Files created between 2007-05-25 and 2007-06-25 -----------------------------

2007-06-25 13:00:11 21312 --a------ C:\WINDOWS\choice.exe
2007-06-25 12:59:54 0 d-------- C:\ie-spyad
2007-06-25 12:57:37 0 d-------- C:\Program Files\SpywareBlaster
2007-06-25 12:41:56 0 d-------- C:\WINDOWS\LastGood
2007-06-24 23:02:11 0 d-------- C:\VundoFix Backups
2007-06-24 21:04:32 11776 --a------ C:\WINDOWS\mgrs.exe
2007-06-24 18:18:20 31254 --a------ C:\WINDOWS\system32\awtrpml.dll
2007-06-24 16:46:55 266336 -----n--- C:\WINDOWS\system32\vtsqn.dll
2007-06-24 15:26:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-06-22 15:28:03 4672 --a------ C:\WINDOWS\system32\kkvhryah.exe
2007-06-21 23 00 0 d-------- C:\NVIDIA
2007-06-21 17 45 662 --a------ C:\atwsettl3.exe
2007-06-21 17 36 662 --a------ C:\atwsettl2.exe
2007-06-21 17 31 651 --a------ C:\atwsettl1.exe
2007-06-20 19:39:00 0 d-------- C:\WINDOWS\system32\atwsettl
2007-06-20 19:34:47 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-06-20 19:31:12 0 d-------- C:\Program Files\Symantec AntiVirus
2007-06-20 19:14:29 31254 -----n--- C:\WINDOWS\system32\iifdddd.dll
2007-06-20 19:14:26 20480 --a------ C:\WINDOWS\system32\winmmt32.dll
2007-06-19 16:53:31 0 d-------- C:\WINDOWS\OPTIONS
2007-06-19 16:53:31 0 d-------- C:\Program Files\Realtek
2007-06-13 19:23:26 0 d-------- C:\Program Files\Vstep
2007-05-27 09:57:16 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Command & Conquer 3 Tiberium Wars

-- Find3M Report ---------------------------------------------------------------

2007-06-25 12:49:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-25 12:49:42 0 d-------- C:\Program Files\GetRight
2007-06-25 12:49:40 0 d-------- C:\Program Files\DAEMON Tools
2007-06-22 08:58:00 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\uTorrent
2007-06-20 19:31:48 0 d-------- C:\Program Files\Symantec
2007-06-19 16:53:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-17 19:44:43 0 d-------- C:\Program Files\Steam
2007-06-13 17:38:21 0 d-------- C:\Program Files\TuneUp Utilities 2007
2007-06-09 03:23:22 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\DivX
2007-05-31 18:57:25 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Adobe
2007-05-31 18:55:29 0 d-------- C:\Program Files\Common Files\Adobe
2007-05-27 21:24:45 0 d-------- C:\Program Files\Winamp
2007-05-27 09:40:07 0 d-------- C:\Program Files\Electronic Arts
2007-05-24 22:45:52 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Mozilla
2007-05-24 22:45:36 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\SecondLife
2007-05-21 17:32:33 0 d-------- C:\Program Files\Common Files\LogiShrd
2007-05-20 15:38:45 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Ahead
2007-05-20 15:30:46 0 d-------- C:\Program Files\Nero
2007-05-20 15:30:46 0 d-------- C:\Program Files\Common Files\Ahead
2007-05-20 15:28:51 0 d-------- C:\Program Files\Ahead
2007-05-15 22:01:02 0 d-------- C:\Program Files\Webroot
2007-05-15 22:01:01 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Webroot
2007-05-14 00:03:46 0 d-------- C:\Program Files\AGEIA Technologies
2007-05-14 00:03:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-14 00:00:08 0 d-------- C:\Program Files\Timeline Interactive
2007-05-10 18:25:32 0 d-------- C:\Program Files\EA GAMES
2007-05-10 04:31:51 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\MusicIP
2007-05-07 11:22:58 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\IGN_DLM
2007-05-07 10:02:09 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Logitech
2007-05-07 10:00:42 0 d-------- C:\Program Files\Common Files\Logitech
2007-05-07 10:00:22 0 d-------- C:\Program Files\Logitech
2007-05-05 22:19:00 0 d-------- C:\Program Files\DivX
2007-05-02 14:04:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 14:02:06 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-05-02 14:02:06 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-05-02 14:01:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-02 14:01:56 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-01 22:33:57 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-05-01 13:07:40 0 d-------- C:\Program Files\Bethesda Softworks

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll
{43F7034D-313E-4763-B630-C025E178E76A} C:\WINDOWS\system32\vtsqn.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{674DDFA6-BB3D-427B-961F-E9EEEF293004} C:\WINDOWS\system32\iifdddd.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LVCOMSX"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\LVComSX.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"avp"="C:\\WINDOWS\\TEMP\\win34D.tmp.exe"
"smgr"="mgrs.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{674DDFA6-BB3D-427B-961F-E9EEEF293004}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdddd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmmt32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BrMfcWnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe /AUTORUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="brctrcen"
"hkey"="HKLM"
"command"="C:\\Program Files\\Brother\\ControlCenter3\\brctrcen.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IndexSearch"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pptd40nt"
"hkey"="HKLM"
"command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnoopFreeUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SnoopFreeUI"
"hkey"="HKLM"
"command"="SnoopFreeUI.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSBkgdupdate"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CLIStart"
"hkey"="HKCU"
"command"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wltray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\wltray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp

-- End of Deckard's System Scanner: finished at 2007-06-25 at 13:09:28 ---------
```
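As an added example (my own code, not from this thread, from HijackThis or from Deckard's System Scanner), here is a small Python triage script for the HijackThis section of a log like the one above. It applies the defender-side checks an analyst normally does by eye when reading such a log: BHOs with no name loading from system32, Run entries that launch from a TEMP directory or are given as a bare file name with no path, Winlogon Notify DLLs that are not on a known-good list, and services with an unknown owner whose binary is missing. The sample lines are copied from the log above; the known-good list and the heuristics themselves are assumptions for illustration, and a hit means "look closer", not "malicious" (a bare-name entry such as KHALMNPR.EXE in the log above would also be flagged and then cleared by hand).

```python
"""Triage heuristics for HijackThis 1.99.1 log lines (illustrative, not a verdict engine)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted above,
# mixed with legitimate entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43F7034D-313E-4763-B630-C025E178E76A} - C:\WINDOWS\system32\vtsqn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win34D.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: iifdddd - C:\WINDOWS\SYSTEM32\iifdddd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gpixafhy.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Line formats of the HijackThis sections this script looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Winlogon Notify packages treated as known-good for this illustration (assumption;
# a real allowlist would be built from a clean reference system of the same build).
KNOWN_NOTIFY_PACKAGES = {"wgalogon", "navlogon"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    target: str    # path or file name the entry loads
    reason: str    # why it was flagged


def _exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run-key command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_line(line: str) -> Optional[Finding]:
    """Apply the section-specific heuristic to one log line; None means nothing to report."""
    m = O2_RE.match(line)
    if m:
        if m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
            return Finding("O2", m["path"], "unnamed BHO loading from system32")
        return None
    m = O4_RE.match(line)
    if m:
        exe = _exe_from_command(m["cmd"])
        if "\\temp\\" in exe.lower():
            return Finding("O4", exe, "Run entry launches from a TEMP directory")
        if "\\" not in exe:
            return Finding("O4", exe, "Run entry is a bare file name with no path; verify manually")
        return None
    m = O20_RE.match(line)
    if m:
        if "(file missing)" in m["path"]:
            return None  # nothing loads: leftover key, not an active hook
        if m["name"].lower() not in KNOWN_NOTIFY_PACKAGES:
            return Finding("O20", m["path"], "Winlogon Notify DLL not on the known-good list")
        return None
    m = O23_RE.match(line)
    if m and m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
        return Finding("O23", m["path"], "service with unknown owner and missing binary")
    return None


def triage_hjt(log_text: str) -> List[Finding]:
    """Scan every line of a HijackThis log and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        finding = _check_line(raw.strip())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.target}  <- {f.reason}")
```

Run against the sample it reports five entries, all of which also appear in the ComboFix "V Log" or deletions list further down the thread; the legitimate Adobe, Spybot, Symantec and WgaLogon lines pass untouched. The checks are deliberately narrow: the point is to pull the handful of lines an analyst should read first out of a log of several hundred, not to replace the analyst.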
#2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3

Re: Vundo virus and other popups

Please download ComboFix.
Note: It is important that it is saved directly to your desktop. Close all browsers.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
#3
Registered User
Join Date: Mar 2007
Posts: 28
OS: XP

Re: Vundo virus and other popups

Thank you for your help.
First is the log from ComboFix; the next is the HijackThis log.

```
"Robert Terry" - 2007-06-25 15:54:46 - ComboFix 07-06-26 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\awtrpml.dll
C:\WINDOWS\system32\wvuvuut.dll
C:\WINDOWS\system32\winmmt32.dll
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\iifdddd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\mgrs.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))

2007-06-25 15:54 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\yhypghyz.exe
2007-06-25 15:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 13:00 21,312 --a------ C:\WINDOWS\choice.exe
2007-06-25 12:59 <DIR> d-------- C:\ie-spyad
2007-06-25 12:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-24 23:45 <DIR> d-------- C:\Deckard
2007-06-24 23:02 <DIR> d-------- C:\VundoFix Backups
2007-06-24 15:26 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-22 15:28 4,672 --a------ C:\WINDOWS\system32\kkvhryah.exe
2007-06-21 23:06 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-21 23:06 <DIR> d-------- C:\NVIDIA
2007-06-21 17:06 662 --a------ C:\atwsettl3.exe
2007-06-21 17:06 662 --a------ C:\atwsettl2.exe
2007-06-21 17:06 651 --a------ C:\atwsettl1.exe
2007-06-20 19:39 <DIR> d-------- C:\WINDOWS\system32\atwsettl
2007-06-20 19:31 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-20 19:31 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-20 19:31 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-06-19 16:53 83,968 -ra------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-06-19 16:53 <DIR> d-------- C:\WINDOWS\OPTIONS
2007-06-19 16:53 <DIR> d-------- C:\Program Files\Realtek
2007-06-13 19:23 <DIR> d-------- C:\Program Files\Vstep
2007-05-27 09:57 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Command & Conquer 3 Tiberium Wars

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 16:49:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-25 16:49:42 -------- d-----w C:\Program Files\GetRight
2007-06-25 16:49:40 -------- d-----w C:\Program Files\DAEMON Tools
2007-06-22 12:58:00 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\uTorrent
2007-06-20 23:31:48 -------- d-----w C:\Program Files\Symantec
2007-06-19 20:53:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 23:44:43 -------- d-----w C:\Program Files\Steam
2007-06-13 21:38:21 -------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-06-09 07:23:22 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\DivX
2007-05-28 01:24:45 -------- d-----w C:\Program Files\Winamp
2007-05-27 13:40:07 -------- d-----w C:\Program Files\Electronic Arts
2007-05-25 02:45:36 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\SecondLife
2007-05-21 21:32:33 -------- d-----w C:\Program Files\Common Files\LogiShrd
2007-05-20 19:38:45 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Ahead
2007-05-20 19:30:46 -------- d-----w C:\Program Files\Nero
2007-05-20 19:30:46 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-20 19:28:51 -------- d-----w C:\Program Files\Ahead
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 02:01:02 -------- d-----w C:\Program Files\Webroot
2007-05-16 02:01:01 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Webroot
2007-05-14 04:03:46 -------- d-----w C:\Program Files\AGEIA Technologies
2007-05-14 04:03:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-14 04:00:08 -------- d-----w C:\Program Files\Timeline Interactive
2007-05-10 22:25:32 -------- d-----w C:\Program Files\EA GAMES
2007-05-10 21:03:27 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-10 08:31:51 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\MusicIP
2007-05-07 15:22:58 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\IGN_DLM
2007-05-07 14:02:09 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Logitech
2007-05-07 14:00:42 -------- d-----w C:\Program Files\Common Files\Logitech
2007-05-07 14:00:22 -------- d-----w C:\Program Files\Logitech
2007-05-06 02:19:00 -------- d-----w C:\Program Files\DivX
2007-05-02 18:04:23 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-02 18:04:19 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 18:04:14 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-05-02 18:04:14 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-05-02 18:04:06 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-05-02 18:04:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-05-02 18:02:06 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-05-02 18:02:06 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-05-02 18:02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-05-02 18:02:02 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-05-02 18:02:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-05-02 18:02:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-02 18:01:56 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-02 18:01:56 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-02 02:33:57 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-05-02 02:33:56 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-05-01 17:07:40 -------- d-----w C:\Program Files\Bethesda Softworks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-04 22:55:00 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll
2007-04-04 22:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll
2007-03-29 08:42:42 29,704 ----a-w C:\WINDOWS\system32\uxtuneup.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2006-12-08 18:45]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 03:09]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-20 02:18]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"yhypghyz.exe"="C:\Documents and Settings\All Users\Application Data\yhypghyz.exe" [2007-06-25 15:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnoopFreeUI]
SnoopFreeUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
C:\WINDOWS\system32\wltray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb

Contents of the 'Scheduled Tasks' folder
2007-06-22 21:16:15 C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 16:01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 16:03:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 16:02
--- E O F ---
```

```
Deckard's System Scanner v20070611.50
Run by Robert Terry on 2007-06-25 at 16:04:07
Computer is in Normal Mode.
```
-------------------------------------------------------------------------------- -- HijackThis (run as Robert Terry.exe) ---------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 1:09:04 PM, on 6/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\mgrs.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Robert Terry\Desktop\dss.exe C:\HIJACK~1\ROBERT~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
file:///E:/Windows%20Reboot/Webpage/chat.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {0AEEB5A9-A77F-49E9-8CAA-B27B17F34073} - (no file) O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O2 - BHO: (no name) - {43F7034D-313E-4763-B630-C025E178E76A} - C:\WINDOWS\system32\vtsqn.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {674DDFA6-BB3D-427B-961F-E9EEEF293004} - C:\WINDOWS\system32\iifdddd.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - 
HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win34D.tmp.exe O4 - HKLM\..\Run: [smgr] mgrs.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 
6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166399552390 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A257B4DE-E54D-4556-862E-EE2CF5BE60E6}: NameServer = 192.168.1.1 O20 - Winlogon Notify: iifdddd - C:\WINDOWS\SYSTEM32\iifdddd.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winmmt32 - C:\WINDOWS\SYSTEM32\winmmt32.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing) O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. 
- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gpixafhy.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing) -- Files created between 2007-05-25 and 2007-06-25 ----------------------------- 2007-06-25 16:00:41 0 d-------- C:\Avenger 2007-06-25 15:54:40 56832 --a------ C:\Documents and Settings\All Users\Application Data\yhypghyz.exe 2007-06-25 13:00:11 21312 --a------ C:\WINDOWS\choice.exe 2007-06-25 12:59:54 0 d-------- C:\ie-spyad 2007-06-25 12:57:37 0 d-------- C:\Program Files\SpywareBlaster 2007-06-24 23:02:11 0 d-------- C:\VundoFix Backups 2007-06-24 15:26:08 0 d-------- 
C:\Documents and Settings\NetworkService\Application Data\Webroot 2007-06-22 15:28:03 4672 --a------ C:\WINDOWS\system32\kkvhryah.exe 2007-06-21 23 00 0 d-------- C:\NVIDIA2007-06-21 17 45 662 --a------ C:\atwsettl3.exe2007-06-21 17 36 662 --a------ C:\atwsettl2.exe2007-06-21 17 31 651 --a------ C:\atwsettl1.exe2007-06-20 19:39:00 0 d-------- C:\WINDOWS\system32\atwsettl 2007-06-20 19:34:47 0 dr------- C:\Documents and Settings\LocalService\Favorites 2007-06-20 19:31:12 0 d-------- C:\Program Files\Symantec AntiVirus 2007-06-19 16:53:31 0 d-------- C:\WINDOWS\OPTIONS 2007-06-19 16:53:31 0 d-------- C:\Program Files\Realtek 2007-06-13 19:23:26 0 d-------- C:\Program Files\Vstep 2007-05-27 09:57:16 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Command & Conquer 3 Tiberium Wars -- Find3M Report --------------------------------------------------------------- 2007-06-25 12:49:57 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-06-25 12:49:42 0 d-------- C:\Program Files\GetRight 2007-06-25 12:49:40 0 d-------- C:\Program Files\DAEMON Tools 2007-06-22 08:58:00 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\uTorrent 2007-06-20 19:31:48 0 d-------- C:\Program Files\Symantec 2007-06-19 16:53:25 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-06-17 19:44:43 0 d-------- C:\Program Files\Steam 2007-06-13 17:38:21 0 d-------- C:\Program Files\TuneUp Utilities 2007 2007-06-09 03:23:22 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\DivX 2007-05-31 18:57:25 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Adobe 2007-05-31 18:55:29 0 d-------- C:\Program Files\Common Files\Adobe 2007-05-27 21:24:45 0 d-------- C:\Program Files\Winamp 2007-05-27 09:40:07 0 d-------- C:\Program Files\Electronic Arts 2007-05-24 22:45:52 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Mozilla 2007-05-24 22:45:36 0 d-------- C:\Documents and Settings\Robert 
Terry\Application Data\SecondLife 2007-05-21 17:32:33 0 d-------- C:\Program Files\Common Files\LogiShrd 2007-05-20 15:38:45 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Ahead 2007-05-20 15:30:46 0 d-------- C:\Program Files\Nero 2007-05-20 15:30:46 0 d-------- C:\Program Files\Common Files\Ahead 2007-05-20 15:28:51 0 d-------- C:\Program Files\Ahead 2007-05-15 22:01:02 0 d-------- C:\Program Files\Webroot 2007-05-15 22:01:01 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Webroot 2007-05-14 00:03:46 0 d-------- C:\Program Files\AGEIA Technologies 2007-05-14 00:03:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-05-14 00:00:08 0 d-------- C:\Program Files\Timeline Interactive 2007-05-10 18:25:32 0 d-------- C:\Program Files\EA GAMES 2007-05-10 04:31:51 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\MusicIP 2007-05-07 11:22:58 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\IGN_DLM 2007-05-07 10:02:09 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Logitech 2007-05-07 10:00:42 0 d-------- C:\Program Files\Common Files\Logitech 2007-05-07 10:00:22 0 d-------- C:\Program Files\Logitech 2007-05-05 22:19:00 0 d-------- C:\Program Files\DivX 2007-05-02 14:04:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-02 14:02:06 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100> 2007-05-02 14:02:06 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. 
dpl100> 2007-05-02 14:01:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-02 14:01:56 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-01 22:33:57 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2007-05-01 13:07:40 0 d-------- C:\Program Files\Bethesda Softworks -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll {53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033" "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" "LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\"" "LVCOMSX"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\LVComSX.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe" "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\"" "yhypghyz.exe"="C:\\Documents and Settings\\All Users\\Application Data\\yhypghyz.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ADeck" "hkey"="HKLM" "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 " "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] 
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ashDisp" "hkey"="HKLM" "command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="BrMfcWnd" "hkey"="HKLM" "command"="C:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe /AUTORUN" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="brctrcen" "hkey"="HKLM" "command"="C:\\Program Files\\Brother\\ControlCenter3\\brctrcen.exe /autorun" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="IndexSearch" "hkey"="HKLM" "command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="pptd40nt" "hkey"="HKLM" "command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnoopFreeUI] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SnoopFreeUI" "hkey"="HKLM" "command"="SnoopFreeUI.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SSBkgdupdate" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot" "inimapping"="0" 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="CLIStart" "hkey"="HKCU" "command"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKCU" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="jusched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="wltray" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\wltray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs* UxTuneUp -- End of Deckard's System Scanner: finished at 2007-06-25 at 16:07:40 --------- |
#4
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: Vundo virus and other popups
Hi,
I see that you are using uTorrent, a p2p file sharing program. I would like to warn you that the nature of P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. Even if the program you use is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove it from your system via Add/Remove Programs in Control Panel.

======================================

Please delete Avenger from your desktop, or wherever you downloaded it. It's a dangerous tool to use casually. It can cause serious damage to your system if not used properly.

======================================

Scan with HijackThis and put a checkmark against the following entries:

O2 - BHO: (no name) - {0AEEB5A9-A77F-49E9-8CAA-B27B17F34073} - (no file)
O2 - BHO: (no name) - {43F7034D-313E-4763-B630-C025E178E76A} - C:\WINDOWS\system32\vtsqn.dll
O2 - BHO: (no name) - {674DDFA6-BB3D-427B-961F-E9EEEF293004} - C:\WINDOWS\system32\iifdddd.dll
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: iifdddd - C:\WINDOWS\SYSTEM32\iifdddd.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll
O20 - Winlogon Notify: winmmt32 - C:\WINDOWS\SYSTEM32\winmmt32.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gpixafhy.exe (file missing)

Close all browsers/windows except HijackThis and click on "fix checked". Exit HijackThis.

======================================

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe. This will start ComboFix again. After reboot, post the contents of Combofix.txt along with a fresh HijackThis log in your next reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
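As an added illustration of the triage the reply above does by eye (example code written for this page, not something the moderator posted and not part of HijackThis, ComboFix or Deckard's System Scanner), the Python script below parses the O2/O4/O20/O23 lines of a HijackThis log and flags the patterns that reply relies on: an orphaned or unnamed BHO, a service with no owner string whose file is missing, the same DLL registered both as a BHO and as a Winlogon Notify handler (vtsqn.dll and iifdddd.dll in this log), an autorun started from a TEMP folder, and an autorun given only as a bare file name. The sample input is a constructed subset of the log posted in this thread; the rule set and its wording are my own assumptions about what a reviewer looks for, not output or logic from any of those tools.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis O2/O4/O20/O23 lines
# quoted earlier in this thread (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AEEB5A9-A77F-49E9-8CAA-B27B17F34073} - (no file)
O2 - BHO: (no name) - {43F7034D-313E-4763-B630-C025E178E76A} - C:\WINDOWS\system32\vtsqn.dll
O2 - BHO: (no name) - {674DDFA6-BB3D-427B-961F-E9EEEF293004} - C:\WINDOWS\system32\iifdddd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win34D.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: iifdddd - C:\WINDOWS\SYSTEM32\iifdddd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: vtsqn - C:\WINDOWS\system32\vtsqn.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gpixafhy.exe (file missing)
"""

# HijackThis lines look like "O<n> - field - field - field".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_line(line):
    """Return (entry type, list of ' - '-separated fields) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), [f.strip() for f in m.group(2).split(" - ")]


def target_of(etype, fields):
    """The file the entry loads, without quotes or the '(file missing)' tag."""
    tail = fields[-1]
    if etype == "O4":                      # "[name] path args" -> "path args"
        tail = tail.split("] ", 1)[-1]
    return tail.replace("(file missing)", "").strip().strip('"')


def base_name(path):
    """Lower-cased file name component of a Windows path."""
    return path.split("\\")[-1].lower()


def triage(log_text):
    """Apply the (assumed) reviewer heuristics; return the flagged entries."""
    entries = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            entries.append((raw.strip(), parsed[0], parsed[1]))

    # Which entry types load each file name: a DLL present as both a BHO (O2)
    # and a Winlogon Notify handler (O20) is the pairing seen in this thread.
    loaders = defaultdict(set)
    for _, etype, fields in entries:
        loaders[base_name(target_of(etype, fields))].add(etype)

    findings = []
    for line, etype, fields in entries:
        target = target_of(etype, fields)
        name = base_name(target)
        reasons = []
        if "(file missing)" in fields[-1]:
            reasons.append("registered file is missing from disk")
        if etype == "O23" and len(fields) > 1 and fields[1].lower() == "unknown owner":
            reasons.append("service has no vendor/owner string")
        if etype == "O2" and fields[0].endswith("(no name)"):
            reasons.append("orphaned BHO registration" if target == "(no file)"
                           else "BHO without a display name")
        if {"O2", "O20"} <= loaders[name]:
            reasons.append("same DLL is both a BHO and a Winlogon Notify handler")
        if "\\temp\\" in target.lower():
            reasons.append("autorun target lives in a TEMP directory")
        if etype == "O4" and "\\" not in target and target != "(no file)":
            reasons.append("autorun target is a bare file name resolved via the search path")
        if reasons:
            findings.append({"line": line, "type": etype, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:<4} {f['target']}")
        for r in f["reasons"]:
            print("     -", r)
```

Run as a script it prints the shortlist; on the sample it flags eight entries, the seven the moderator checked plus the [avp] autorun from C:\WINDOWS\TEMP. The bare-name rule is deliberately noisy: on the full log it also hits [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE, which is legitimate, and the winmmt32 Winlogon Notify entry the moderator checked is only catchable by comparing handler names against a known-good list, so the output is a shortlist for a reviewer rather than a verdict.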
#5
Registered User
Join Date: Mar 2007
Posts: 28
OS: XP
Re: Vundo virus and other popups
I uninstalled Utorrent as per your instructions. As for the Avenger, I believe it was a part of an old fix and the directory on the c drive is empty. I ran a scan for avenger in my computer and all it came up with was files associated to the various games that I have installed on my computer.
As for the hijackthis fix: there were only two of the O2's to fix and the other entries weren't on the hijackthis scan I ran prior to the fix. I corrected what I could.

"Robert Terry" - 2007-06-25 18:07:08 - ComboFix 07-06-26 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Robert Terry\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\atwsettl1.exe
C:\atwsettl2.exe
C:\atwsettl3.exe
C:\Avenger
C:\Documents and Settings\All Users\Application Data\yhypghyz.exe
C:\VundoFix Backups
C:\VundoFix Backups\awtsp.dll.bad
C:\VundoFix Backups\nqstv.bak1.bad
C:\VundoFix Backups\nqstv.bak2.bad
C:\VundoFix Backups\nqstv.ini.bad
C:\VundoFix Backups\nqstv.ini2.bad
C:\VundoFix Backups\nqstv.tmp.bad
C:\VundoFix Backups\pstwa.bak1.bad
C:\VundoFix Backups\pstwa.bak2.bad
C:\VundoFix Backups\pstwa.ini.bad
C:\VundoFix Backups\pstwa.ini2.bad
C:\VundoFix Backups\pstwa.tmp.bad
C:\VundoFix Backups\vtsqn.dll.bad
C:\WINDOWS\system32\atwsettl
C:\WINDOWS\system32\atwsettl\bg1.gif
C:\WINDOWS\system32\atwsettl\bgtop.gif
C:\WINDOWS\system32\atwsettl\bottom1.gif
C:\WINDOWS\system32\atwsettl\essentials.gif
C:\WINDOWS\system32\atwsettl\icon1.ico
C:\WINDOWS\system32\atwsettl\install1.gif
C:\WINDOWS\system32\atwsettl\left1.gif
C:\WINDOWS\system32\atwsettl\li.gif
C:\WINDOWS\system32\atwsettl\logo.gif
C:\WINDOWS\system32\atwsettl\main.htm
C:\WINDOWS\system32\atwsettl\mainframe.htm
C:\WINDOWS\system32\atwsettl\reinstall1.gif
C:\WINDOWS\system32\atwsettl\right1.gif
C:\WINDOWS\system32\atwsettl\s1.htm
C:\WINDOWS\system32\atwsettl\s2.htm
C:\WINDOWS\system32\atwsettl\s3.htm
C:\WINDOWS\system32\atwsettl\SMTop1.gif
C:\WINDOWS\system32\atwsettl\SMTop2.gif
C:\WINDOWS\system32\atwsettl\SMTop3.gif
C:\WINDOWS\system32\atwsettl\SMTop4.gif
C:\WINDOWS\system32\atwsettl\soft1_off.gif
C:\WINDOWS\system32\atwsettl\soft1_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft1_on.gif
C:\WINDOWS\system32\atwsettl\soft1_on_ext.gif
C:\WINDOWS\system32\atwsettl\soft2_off.gif
C:\WINDOWS\system32\atwsettl\soft2_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft2_on.gif
C:\WINDOWS\system32\atwsettl\soft2_on_ext.gif
C:\WINDOWS\system32\atwsettl\soft3_off.gif
C:\WINDOWS\system32\atwsettl\soft3_off_ext.gif
C:\WINDOWS\system32\atwsettl\soft3_on.gif
C:\WINDOWS\system32\atwsettl\soft3_on_ext.gif
C:\WINDOWS\system32\atwsettl\softbottom_off.gif
C:\WINDOWS\system32\atwsettl\softbottom_on.gif
C:\WINDOWS\system32\atwsettl\softleft_off.gif
C:\WINDOWS\system32\atwsettl\softleft_on.gif
C:\WINDOWS\system32\atwsettl\top1.gif
C:\WINDOWS\system32\atwsettl\top2.gif
C:\WINDOWS\system32\atwsettl\turnoff1.gif
C:\WINDOWS\system32\atwsettl\turnon1.gif
C:\WINDOWS\system32\kkvhryah.exe

((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))

2007-06-25 15:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 13:00 21,312 --a------ C:\WINDOWS\choice.exe
2007-06-25 12:59 <DIR> d-------- C:\ie-spyad
2007-06-25 12:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-24 23:45 <DIR> d-------- C:\Deckard
2007-06-24 15:26 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-21 23:06 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-21 23:06 <DIR> d-------- C:\NVIDIA
2007-06-20 19:31 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-20 19:31 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-20 19:31 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-06-19 16:53 83,968 -ra------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-06-19 16:53 <DIR> d-------- C:\WINDOWS\OPTIONS
2007-06-19 16:53 <DIR> d-------- C:\Program Files\Realtek
2007-06-13 19:23 <DIR> d-------- C:\Program Files\Vstep
2007-05-27 09:57 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Command & Conquer 3 Tiberium Wars

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 16:49:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-25 16:49:42 -------- d-----w C:\Program Files\GetRight
2007-06-25 16:49:40 -------- d-----w C:\Program Files\DAEMON Tools
2007-06-22 12:58:00 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\uTorrent
2007-06-20 23:31:48 -------- d-----w C:\Program Files\Symantec
2007-06-19 20:53:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-17 23:44:43 -------- d-----w C:\Program Files\Steam
2007-06-13 21:38:21 -------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-06-09 07:23:22 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\DivX
2007-05-28 01:24:45 -------- d-----w C:\Program Files\Winamp
2007-05-27 13:40:07 -------- d-----w C:\Program Files\Electronic Arts
2007-05-25 02:45:36 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\SecondLife
2007-05-21 21:32:33 -------- d-----w C:\Program Files\Common Files\LogiShrd
2007-05-20 19:38:45 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Ahead
2007-05-20 19:30:46 -------- d-----w C:\Program Files\Nero
2007-05-20 19:30:46 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-20 19:28:51 -------- d-----w C:\Program Files\Ahead
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 02:01:02 -------- d-----w C:\Program Files\Webroot
2007-05-16 02:01:01 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Webroot
2007-05-14 04:03:46 -------- d-----w C:\Program Files\AGEIA Technologies
2007-05-14 04:03:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-14 04:00:08 -------- d-----w C:\Program Files\Timeline Interactive
2007-05-10 22:25:32 -------- d-----w C:\Program Files\EA GAMES
2007-05-10 21:03:27 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-10 08:31:51 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\MusicIP
2007-05-07 15:22:58 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\IGN_DLM
2007-05-07 14:02:09 -------- d-----w C:\DOCUME~1\ROBERT~1\APPLIC~1\Logitech
2007-05-07 14:00:42 -------- d-----w C:\Program Files\Common Files\Logitech
2007-05-07 14:00:22 -------- d-----w C:\Program Files\Logitech
2007-05-06 02:19:00 -------- d-----w C:\Program Files\DivX
2007-05-02 18:04:23 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-02 18:04:19 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 18:04:14 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-05-02 18:04:14 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-05-02 18:04:06 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-05-02 18:04:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-05-02 18:02:06 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-05-02 18:02:06 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-05-02 18:02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-05-02 18:02:02 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-05-02 18:02:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-05-02 18:02:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-05-02 18:02:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-02 18:01:56 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-02 18:01:56 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-02 18:01:56 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-02 02:33:57 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-05-02 02:33:56 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-05-01 17:07:40 -------- d-----w C:\Program Files\Bethesda Softworks
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-04 22:55:00 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll
2007-04-04 22:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll
2007-03-29 08:42:42 29,704 ----a-w C:\WINDOWS\system32\uxtuneup.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2006-12-08 18:45]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 03:09]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-20 02:18]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnoopFreeUI] SnoopFreeUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe] C:\WINDOWS\system32\wltray.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs UxTuneUp HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb Contents of the 'Scheduled Tasks' folder 2007-06-22 21:16:15 C:\WINDOWS\tasks\1-Click Maintenance.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-25 18:08:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-25 18:08:59 C:\ComboFix-quarantined-files.txt ... 2007-06-25 18:08 C:\ComboFix2.txt ... 2007-06-25 16:03 --- E O F --- Deckard's System Scanner v20070611.50 Run by Robert Terry on 2007-06-25 at 18:18:54 Computer is in Normal Mode. 
-------------------------------------------------------------------------------- -- HijackThis (run as Robert Terry.exe) ---------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 6:19:55 PM, on 6/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Robert Terry\Desktop\dss.exe C:\HIJACK~1\ROBERT~1.EXE C:\WINDOWS\system32\spider.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Windows%20Reboot/Webpage/chat.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: (no name) - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - (no file) O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - 
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166399552390 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: 
{C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A257B4DE-E54D-4556-862E-EE2CF5BE60E6}: NameServer = 192.168.1.1 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing) O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing) -- Files created between 2007-05-25 and 2007-06-25 ----------------------------- 2007-06-25 13:00:11 21312 --a------ C:\WINDOWS\choice.exe 2007-06-25 12:59:54 0 d-------- C:\ie-spyad 2007-06-25 12:57:37 0 d-------- C:\Program Files\SpywareBlaster 2007-06-24 15:26:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot 2007-06-21 23 00 0 d-------- C:\NVIDIA2007-06-20 19:34:47 0 dr------- C:\Documents and Settings\LocalService\Favorites 2007-06-20 19:31:12 0 d-------- C:\Program Files\Symantec AntiVirus 2007-06-19 16:53:31 0 d-------- C:\WINDOWS\OPTIONS 2007-06-19 16:53:31 0 d-------- C:\Program Files\Realtek 2007-06-13 19:23:26 0 d-------- C:\Program Files\Vstep 2007-05-27 09:57:16 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Command & Conquer 3 Tiberium Wars -- Find3M Report --------------------------------------------------------------- 2007-06-25 12:49:57 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-06-25 12:49:42 0 d-------- C:\Program Files\GetRight 2007-06-25 12:49:40 0 d-------- C:\Program Files\DAEMON Tools 2007-06-22 08:58:00 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\uTorrent 2007-06-20 19:31:48 0 d-------- C:\Program Files\Symantec 2007-06-19 
16:53:25 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-06-17 19:44:43 0 d-------- C:\Program Files\Steam 2007-06-13 17:38:21 0 d-------- C:\Program Files\TuneUp Utilities 2007 2007-06-09 03:23:22 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\DivX 2007-05-31 18:57:25 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Adobe 2007-05-31 18:55:29 0 d-------- C:\Program Files\Common Files\Adobe 2007-05-27 21:24:45 0 d-------- C:\Program Files\Winamp 2007-05-27 09:40:07 0 d-------- C:\Program Files\Electronic Arts 2007-05-24 22:45:52 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Mozilla 2007-05-24 22:45:36 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\SecondLife 2007-05-21 17:32:33 0 d-------- C:\Program Files\Common Files\LogiShrd 2007-05-20 15:38:45 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Ahead 2007-05-20 15:30:46 0 d-------- C:\Program Files\Nero 2007-05-20 15:30:46 0 d-------- C:\Program Files\Common Files\Ahead 2007-05-20 15:28:51 0 d-------- C:\Program Files\Ahead 2007-05-15 22:01:02 0 d-------- C:\Program Files\Webroot 2007-05-15 22:01:01 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Webroot 2007-05-14 00:03:46 0 d-------- C:\Program Files\AGEIA Technologies 2007-05-14 00:03:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-05-14 00:00:08 0 d-------- C:\Program Files\Timeline Interactive 2007-05-10 18:25:32 0 d-------- C:\Program Files\EA GAMES 2007-05-10 04:31:51 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\MusicIP 2007-05-07 11:22:58 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\IGN_DLM 2007-05-07 10:02:09 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Logitech 2007-05-07 10:00:42 0 d-------- C:\Program Files\Common Files\Logitech 2007-05-07 10:00:22 0 d-------- C:\Program Files\Logitech 2007-05-05 22:19:00 0 
d-------- C:\Program Files\DivX 2007-05-02 14:04:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-02 14:02:06 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100> 2007-05-02 14:02:06 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100> 2007-05-02 14:01:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-02 14:01:56 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-01 22:33:57 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2007-05-01 13:07:40 0 d-------- C:\Program Files\Bethesda Softworks -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033" "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" "LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\"" "LVCOMSX"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\LVComSX.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe" "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] 
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ADeck" "hkey"="HKLM" "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 " "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] 
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ashDisp" "hkey"="HKLM" "command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="BrMfcWnd" "hkey"="HKLM" "command"="C:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe /AUTORUN" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="brctrcen" "hkey"="HKLM" "command"="C:\\Program Files\\Brother\\ControlCenter3\\brctrcen.exe /autorun" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="IndexSearch" "hkey"="HKLM" "command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="pptd40nt" "hkey"="HKLM" "command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnoopFreeUI] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SnoopFreeUI" "hkey"="HKLM" "command"="SnoopFreeUI.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SSBkgdupdate" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot" "inimapping"="0" 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="CLIStart" "hkey"="HKCU" "command"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKCU" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="jusched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="wltray" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\wltray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs* UxTuneUp -- End of Deckard's System Scanner: finished at 2007-06-25 at 18:20:15 --------- |
#6
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: Vundo virus and other popups
Hi,
It's looking good. You might like to print these instructions so that you can have access to them later when you're in Safe Mode. I see that you already have AVG Anti-Spyware installed. Please set and update it as instructed below:
====================================
Please download Ccleaner and save it to your desktop. Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not scan with it yet.
====================================
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key or Alt + Spacebar to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)
=======================================
Scan with HijackThis and put a checkmark against the following entry:
O2 - BHO: (no name) - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - (no file)
Close all windows. Click on "fix checked". Exit HijackThis.
=======================================
From Safe Mode run Ccleaner
If you have more than one user, run Ccleaner for every user
========================================
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.
=========================================
Reboot in Normal Mode.
=========================================
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
=========================================
Perform an online scan using Internet Explorer with Panda ActiveScan
==========================================
Please post back the results from AVG Anti-Spyware and Panda online scans, and a fresh HijackThis log. Also let me know how the system is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
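The entry the post above singles out is a BHO registration whose DLL no longer exists. As an added example that is not part of this thread or of HijackThis itself, the following Python parses lines in the format of the logs above and flags every entry whose target HijackThis reports as (no file) or (file missing), that orphaned BHO among them. The sample lines are constructed from entries in this thread's logs; the function names and the O2-only default for fix candidates are my own choices, not HijackThis behaviour.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of this thread or of HijackThis. It parses the
"Onn - ..." entry format seen in the logs above and flags entries whose
target is reported as "(no file)" or "(file missing)". An orphaned entry is
not proof of infection by itself, but a BHO or Winlogon Notify entry that
points at a vanished DLL is exactly what a partly cleaned infection leaves
behind, so it is the first thing to check when reading such a log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines taken from the logs in this thread
# plus one healthy O4 entry, so the script runs offline.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - (no file)
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\VPTray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe (file missing)
"""

# An entry line starts with a section tag such as "O2" or "R1" followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O2", "O20"
    name: str               # descriptive fields before the target
    target: str             # last field: file path, URL, or "(no file)"
    clsid: Optional[str]    # CLSID if the entry carries one
    missing: bool           # True when HijackThis reports the target absent
    raw: str                # the line exactly as logged


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis entry line; return None for non-entry lines
    (process lists, headers, blank lines)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # HijackThis separates fields with " - "; the last field is the target.
    fields = rest.split(" - ")
    target = fields[-1].strip()
    name = " - ".join(fields[:-1]).strip() if len(fields) > 1 else rest
    clsid_match = CLSID_RE.search(rest)
    missing = target == "(no file)" or target.endswith("(file missing)")
    return Entry(
        section=m.group("section"),
        name=name,
        target=target,
        clsid=clsid_match.group(0) if clsid_match else None,
        missing=missing,
        raw=line.strip(),
    )


def parse_log(text: str) -> List[Entry]:
    """Parse every entry line in a log, skipping everything else."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
    return entries


def find_missing_targets(text: str) -> List[Entry]:
    """Return the entries whose target HijackThis reports as absent."""
    return [e for e in parse_log(text) if e.missing]


def fix_candidates(text: str, sections=("O2",)) -> List[str]:
    """Raw lines worth ticking in HijackThis. The default of O2 (BHO) only is
    a hypothetical heuristic of this example: a BHO with no file does nothing
    useful and is safe to remove, whereas missing O9 buttons and O23 services
    are often just uninstall leftovers and deserve a human decision."""
    return [e.raw for e in find_missing_targets(text) if e.section in sections]


if __name__ == "__main__":
    for e in find_missing_targets(SAMPLE_LOG):
        print(f"{e.section:<4} {e.name}  ->  {e.target}")
    print("Candidates to fix:", fix_candidates(SAMPLE_LOG))
```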
#7
Registered User
Join Date: Mar 2007
Posts: 28
OS: XP
Re: Vundo virus and other popups
Done and done.
One problem though: Panda Scan died on me again, halfway through the process. I can't provide you a log. I have NO idea why it does it, but when I tried to scan with Panda from the website, it gets about halfway through the scan and shuts down all of my Internet Explorers up and running. Here are the logs from the AVS scan and the HijackThis.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:00:35 AM 6/26/2007
+ Scan result:
C:\QooBox\Quarantine\C\WINDOWS\system32\iifdddd.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0005065.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\mgrs.exe.vir -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0005060.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\Deckard\System Scanner\20070625123714\backup\WINDOWS\temp\win34D.tmp.exe -> Downloader.Alphabet.b : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\svchost.exe.vir -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Deckard\System Scanner\20070625123714\backup\WINDOWS\temp\win353.tmp.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
::Report end
Deckard's System Scanner v20070611.50
Run by Robert Terry on 2007-06-26 at 00:26:22
Computer is in Normal Mode.
-------------------------------------------------------------------------------- -- HijackThis (run as Robert Terry.exe) ---------------------------------------- dLogfile of HijackThis v1.99.1 Scan saved at 12:27:31 AM, on 6/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\Explorer.EXE C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE C:\WINDOWS\system32\spider.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Robert Terry\Desktop\dss.exe C:\HIJACK~1\ROBERT~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Windows%20Reboot/Webpage/chat.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - 
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1166399552390 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab O16 - DPF: 
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A257B4DE-E54D-4556-862E-EE2CF5BE60E6}: NameServer = 192.168.1.1 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing) O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing) -- Files created between 2007-05-26 and 2007-06-26 ----------------------------- 2007-06-26 00:10:35 0 d-------- C:\Program Files\Java 2007-06-26 00:10:34 0 d-------- C:\Program Files\Common Files\Java 2007-06-25 21:27:55 0 dr-h----- C:\Documents and Settings\Robert Terry\Recent 2007-06-25 13:00:11 21312 --a------ C:\WINDOWS\choice.exe 2007-06-25 12:59:54 0 d-------- C:\ie-spyad 2007-06-25 12:57:37 0 d-------- C:\Program Files\SpywareBlaster 2007-06-24 15:26:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot 2007-06-21 23 00 0 d-------- C:\NVIDIA2007-06-20 19:34:47 0 dr------- C:\Documents and Settings\LocalService\Favorites 2007-06-20 19:31:12 0 d-------- C:\Program Files\Symantec AntiVirus 2007-06-19 16:53:31 0 d-------- C:\WINDOWS\OPTIONS 2007-06-19 16:53:31 0 d-------- C:\Program Files\Realtek 2007-06-13 19:23:26 0 d-------- C:\Program Files\Vstep 2007-05-27 09:57:16 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Command & Conquer 3 Tiberium Wars -- Find3M Report --------------------------------------------------------------- 2007-06-25 21:27:56 0 d-------- C:\Program Files\GetRight 2007-06-25 12:49:57 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-06-25 12:49:40 0 d-------- 
C:\Program Files\DAEMON Tools 2007-06-22 08:58:00 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\uTorrent 2007-06-20 19:31:48 0 d-------- C:\Program Files\Symantec 2007-06-19 16:53:25 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-06-17 19:44:43 0 d-------- C:\Program Files\Steam 2007-06-13 17:38:21 0 d-------- C:\Program Files\TuneUp Utilities 2007 2007-06-09 03:23:22 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\DivX 2007-05-31 18:57:25 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Adobe 2007-05-31 18:55:29 0 d-------- C:\Program Files\Common Files\Adobe 2007-05-27 21:24:45 0 d-------- C:\Program Files\Winamp 2007-05-27 09:40:07 0 d-------- C:\Program Files\Electronic Arts 2007-05-24 22:45:52 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Mozilla 2007-05-24 22:45:36 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\SecondLife 2007-05-21 17:32:33 0 d-------- C:\Program Files\Common Files\LogiShrd 2007-05-20 15:38:45 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Ahead 2007-05-20 15:30:46 0 d-------- C:\Program Files\Nero 2007-05-20 15:30:46 0 d-------- C:\Program Files\Common Files\Ahead 2007-05-20 15:28:51 0 d-------- C:\Program Files\Ahead 2007-05-15 22:01:02 0 d-------- C:\Program Files\Webroot 2007-05-15 22:01:01 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\Webroot 2007-05-14 00:03:46 0 d-------- C:\Program Files\AGEIA Technologies 2007-05-14 00:03:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-05-14 00:00:08 0 d-------- C:\Program Files\Timeline Interactive 2007-05-10 18:25:32 0 d-------- C:\Program Files\EA GAMES 2007-05-10 04:31:51 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\MusicIP 2007-05-07 11:22:58 0 d-------- C:\Documents and Settings\Robert Terry\Application Data\IGN_DLM 2007-05-07 10:02:09 0 d-------- C:\Documents and 
Settings\Robert Terry\Application Data\Logitech 2007-05-07 10:00:42 0 d-------- C:\Program Files\Common Files\Logitech 2007-05-07 10:00:22 0 d-------- C:\Program Files\Logitech 2007-05-05 22:19:00 0 d-------- C:\Program Files\DivX 2007-05-02 14:04:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-05-02 14:02:06 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100> 2007-05-02 14:02:06 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100> 2007-05-02 14:01:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-02 14:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-02 14:01:56 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> 2007-05-01 22:33:57 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll 2007-05-01 13:07:40 0 d-------- C:\Program Files\Bethesda Softworks -- Registry Dump --------------------------------------------------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033" "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" "LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\"" "LVCOMSX"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\LVComSX.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" 
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe" "Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\"" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Yahoo! 
Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ADeck" "hkey"="HKLM" "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 " "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!] 
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ashDisp" "hkey"="HKLM" "command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="BrMfcWnd" "hkey"="HKLM" "command"="C:\\Program Files\\Brother\\Brmfcmon\\BrMfcWnd.exe /AUTORUN" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="brctrcen" "hkey"="HKLM" "command"="C:\\Program Files\\Brother\\ControlCenter3\\brctrcen.exe /autorun" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="IndexSearch" "hkey"="HKLM" "command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="pptd40nt" "hkey"="HKLM" "command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SnoopFreeUI] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SnoopFreeUI" "hkey"="HKLM" "command"="SnoopFreeUI.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SSBkgdupdate" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot" "inimapping"="0" 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="CLIStart" "hkey"="HKCU" "command"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKCU" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="jusched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="wltray" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\wltray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs* UxTuneUp -- End of Deckard's System Scanner: finished at 2007-06-26 at 00:28:03 --------- |
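A point worth making about the reports in this thread: nearly every hit the AVG Anti-Spyware and Kaspersky Online Scanner reports list sits inside a quarantine store (C:\QooBox\Quarantine, the Symantec AntiVirus VBN quarantine, the Deckard System Scanner backup folder) or inside a System Restore point under System Volume Information. Those are neutralised copies of files already removed, not active infections; the only finding on a live path is the one the helper needs to look at. The script below is an added example (not from the thread, nor from any of the tools named in it) that performs that triage over report text. The sample lines are constructed from entries quoted in this thread, and the path patterns used to recognise the quarantine stores are assumptions inferred from those entries, not documented formats of the products.

```python
import re
from collections import defaultdict

# Constructed sample input: lines modelled on the AVG Anti-Spyware report
# ("path -> name : action") and the Kaspersky Online Scanner report
# ("path Infected: name skipped") quoted in this thread.
SAMPLE_REPORT = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\iifdddd.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0005065.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Deckard\System Scanner\20070625123714\backup\WINDOWS\temp\win34D.tmp.exe -> Downloader.Alphabet.b : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN/data.rar/keygen.exe Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN RarSFX: infected - 5 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\BitGrabber\ZM\minime.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winmmt32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
"""

# One detection per line in either report format. Kaspersky's "Object is
# locked" lines and its archive summaries ("RarSFX: infected - 5") carry no
# verdict on a file, so neither pattern matches them.
AVG_LINE = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<action>.+)$")
KAV_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# Assumed path patterns for locations that hold copies of already-neutralised
# files (inferred from the paths in the thread's logs, not product docs).
CONTAINED = (
    ("quarantine", re.compile(r"\\QooBox\\Quarantine\\", re.I)),
    ("quarantine", re.compile(r"\\Quarantine\\[0-9A-F]{8}", re.I)),  # Symantec AV VBN store
    ("quarantine", re.compile(r"\\Deckard\\System Scanner\\\d+\\backup\\", re.I)),
    ("restore_point", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
)


def parse_detections(report: str):
    """Yield (path, detection_name) for every line that names a detection."""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = KAV_LINE.match(line) or AVG_LINE.match(line)
        if match:
            yield match.group("path"), match.group("name")


def classify(path: str) -> str:
    """Return 'quarantine', 'restore_point' or 'live' for an infected object's path."""
    for label, pattern in CONTAINED:
        if pattern.search(path):
            return label
    return "live"


def triage(report: str) -> dict:
    """Group detections by where the infected object actually lives."""
    buckets = defaultdict(list)
    for path, name in parse_detections(report):
        buckets[classify(path)].append((path, name))
    return dict(buckets)


def live_hits(report: str) -> list:
    """Paths worth asking the poster about: detections outside quarantine and restore points."""
    return [path for path, _ in triage(report).get("live", [])]


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(items)}")
        for path, name in items:
            print(f"  {name:<40} {path}")
```

Run against the sample, the script puts four hits in the quarantine bucket, one in the restore-point bucket, and leaves exactly one live detection, the BitGrabber executable. The restore-point copies are why helpers routinely finish a clean-up by clearing System Restore: they are harmless while the point is not restored, but a later restore would bring the files back.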
#9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: Vundo virus and other popups
Go to Start > Control Panel > Add/Remove Programs and, if Kaspersky Online Scanner is already present, remove it before downloading the most up-to-date one. (This is important.)

Now run this online scan using Internet Explorer: Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 06-26-2007 at 04:46 AM.
#10 (permalink)
Registered User
Join Date: Mar 2007
Posts: 28
OS: XP
Re: Vundo virus and other popups
Tuesday, June 26, 2007 3:26:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/06/2007
Kaspersky Anti-Virus database records: 353548

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\ C:\ D:\ E:\ G:\ H:\

Scan Statistics
Total number of scanned objects: 169966
Number of viruses found: 27
Number of infected objects: 63
Number of suspicious objects: 0
Duration of the scan process: 04:48:23

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20070625123714\backup\DOCUME~1\ROBERT~1\LOCALS~1\Temp\wnd1F3.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Deckard\System Scanner\20070625123714\backup\WINDOWS\temp\win351.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-06-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900000\47FAFB44.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09080000.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09200000\4F7C2391.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09A40000\4FFEF7C6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\0B880007.VBN/data.rar/keygen.exe Infected: Trojan.Win32.Agent.qt skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN/data.rar/patch.exe Infected: Trojan.Win32.Agent.qt skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN/data.rar/crack.exe Infected: Trojan.Win32.Inject.br skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN/data.rar Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN RarSFX: infected - 5 skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B880007.VBN CryptZ: infected - 5 skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F2C0000\4F7D5E08.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0000\4FFC2602.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0001\4FFC6F80.VBN Infected: Rootkit.Win32.Agent.eq skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local 
Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Robert Terry\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\History\History.IE5\MSHist012007062620070627\index.dat Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\Temp\~ROMFN_000009C8 Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Robert Terry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped 
C:\Documents and Settings\Robert Terry\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Robert Terry\NTUSER.DAT.LOG Object is locked skipped C:\Program Files\BitGrabber\ZM\minime.exe Infected: Trojan.Win32.Obfuscated.en skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped C:\Program Files\Common Files\Symantec 
Shared\SPBBC\LOGS\SPStart.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped C:\Program Files\Symantec AntiVirus\SAVRT\0135NAV~.TMP Object is locked skipped C:\Program Files\Symantec AntiVirus\SAVRT\0160NAV~.TMP Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\system32\awtrpml.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\QooBox\Quarantine\C\WINDOWS\system32\winmmt32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped C:\QooBox\Quarantine\C\WINDOWS\system32\wvuvuut.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0005061.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0005062.dll Infected: Trojan.Win32.Dialer.qn skipped C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0009186.exe Infected: Trojan-Downloader.Win32.Alphabet.b skipped C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP1\A0009187.exe Infected: Trojan.Win32.Agent.qt skipped C:\System Volume Information\_restore{5500310A-13C0-49C0-886B-124831D15FF1}\RP3\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked 
D:\RECYCLER\NPROTECT\00004936.ZIP/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\RECYCLER\NPROTECT\00004936.ZIP/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\RECYCLER\NPROTECT\00004936.ZIP/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\RECYCLER\NPROTECT\00004936.ZIP ZIP: infected - 3 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0010/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0010/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0010 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0011/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0011 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0013/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0013 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0016 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0017 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0023/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0023 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0024/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0024 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0027/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0027 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0028/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0028 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0031/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0031 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0032/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0032 Infected: Trojan.Win32.Krepper.y skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0034/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0034/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0034 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe Inno: infected - 28 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd171gu_en.exe Inno: infected - 3 skipped
E:\Windows Reboot\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\Windows Reboot\SmitfraudFix.zip ZIP: infected - 1 skipped
Scan process completed.
#11
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: Vundo virus and other popups
Hi,
The infections reported by Kaspersky are mostly in the "E:\downloads\Finished Torrents\porn\othermovies" directory, which indicates that you have been infected by the downloaded porn and other movies via torrents; most probably, the source of your problems.

I recommend that you remove BitGrabber via Add/Remove Programs in Control Panel. It's usually bundled with the malware.

You can go ahead and delete Deckard's System Scanner and Combofix from your desktop now, if you haven't already.

Using Windows Explorer (right click on Start, click on Explore), navigate to locate and delete the following folders:

E:\downloads\Finished Torrents\porn\othermovies\Programs (If you have nothing you would like to keep, you can actually delete the whole downloads folder.)
C:\Program Files\BitGrabber\ <== if you removed it.
C:\Deckard
C:\Qoobox
C:\Combofix
E:\Windows Reboot\SmitfraudFix.zip
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine <=== empty the contents of this folder, but not the folder itself.
D:\RECYCLER <===== empty the contents of this folder, but not the folder itself.

====================================

Since AVG Anti Spyware is a trial version, the realtime guard and automatic update will stop functioning after the trial period. That is why we are not installing the guard, so it will not interfere with the cleanup or the malware removal process. You can use AVG-AS as an on-demand scanner (recommended), but you will have to manually update the definition file each time you scan.

Ccleaner is also a useful tool to keep for cleaning your cookies and temp files on a regular basis.

Create a new System Restore point to prevent reinfection from old restore points. Go to Start>Run and type sysdm.cpl. Press Enter.
Windows XP System Restore Guide
Enable Windows Auto Update

==================================================

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here. If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Happy Surfing!
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
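How the moderator's reading of the report ("mostly in E:\downloads\Finished Torrents\porn\othermovies") can be reproduced mechanically, as an added example that is not part of the thread and not the moderator's own tooling: a Python script that parses Kaspersky-style report lines, separates the "not-a-virus:" riskware (adware, password-recovery tools, reboot utilities) from detections that are actual malware, counts hits per directory and lists the on-disk files that carry them. The sample input is a handful of lines taken from the report quoted earlier, trimmed for length; the function names and the regexes are my own and are written for this report format only. Note that every line ends in "skipped": the scanner reported these files, it did not remove anything.

```python
import re
from collections import defaultdict

# Sample input: a handful of lines taken from the Kaspersky report quoted
# earlier in the thread, trimmed so the example stays short.
SAMPLE_REPORT = r"""
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
D:\RECYCLER\NPROTECT\00004936.ZIP/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\RECYCLER\NPROTECT\00004936.ZIP/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\RECYCLER\NPROTECT\00004936.ZIP ZIP: infected - 3 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0010/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe/data0032/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd133_en.exe Inno: infected - 28 skipped
E:\downloads\Finished Torrents\porn\othermovies\Programs\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Windows Reboot\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
Scan process completed.
"""

# One detection per line: "<path> Infected: <name> skipped". Archive totals
# ("ZIP: infected - 3", "Inno: infected - 28") repeat what the member lines
# already say, so they are deliberately not matched by either pattern.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def container_of(path):
    # Backslashes separate directories on disk; forward slashes separate
    # nested archive layers (installer.exe/data0003/cd_clint.dll). The file
    # that actually exists on disk is everything before the first '/'.
    return path.split("/", 1)[0]


def directory_of(path):
    return container_of(path).rsplit("\\", 1)[0]


def is_riskware(name):
    # Kaspersky prefixes adware, hacktools and similar grey detections with
    # "not-a-virus:"; anything else is treated as real malware here.
    return name.startswith("not-a-virus:")


def parse(report_text):
    """Return ([(path, detection_name), ...], [locked_path, ...])."""
    hits, locked = [], []
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("name")))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return hits, locked


def detections_by_directory(hits):
    counts = defaultdict(int)
    for path, _ in hits:
        counts[directory_of(path)] += 1
    return dict(counts)


def most_affected_directory(hits):
    counts = detections_by_directory(hits)
    return max(counts, key=counts.get)


def real_malware(hits):
    """Detections that are not riskware, i.e. the ones that matter most."""
    return [(p, n) for p, n in hits if not is_riskware(n)]


def files_to_remove(hits):
    # Deleting the outer installer/archive removes every member inside it,
    # so collapse nested hits to their on-disk container. Windows paths are
    # case-insensitive, hence the lower-cased sort key.
    return sorted({container_of(p) for p, _ in hits}, key=str.lower)


if __name__ == "__main__":
    hits, locked = parse(SAMPLE_REPORT)
    print("detections per directory:", detections_by_directory(hits))
    print("worst directory:", most_affected_directory(hits))
    print("real malware:", real_malware(hits))
    print("files to remove:", files_to_remove(hits))
    print("locked (not scanned):", locked)
```

Run against the full report instead of the sample, the same functions give the moderator's list almost verbatim: the torrent Programs folder dominates, D:\RECYCLER\NPROTECT and the SmitfraudFix archive are the only other carriers, and the single non-riskware entry (Trojan.Win32.Krepper.y) lives inside the kmd133_en.exe installer.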
#12
Registered User
Join Date: Mar 2007
Posts: 28
OS: XP
Re: Vundo virus and other popups
Okay, all done. :)
A few things though: I didn't find BitGrabber in the installed files, nor did I find the D:\RECYCLER. I followed the other steps though without any problem whatsoever. Thank you so much for your help. :) I really do appreciate it.
#13
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: Vundo virus and other popups
Quote:
and you're welcome.
Quote:
Quote:
D:\RECYCLER\NPROTECT\
Try this: Go to Start>Run> and type cmd and press Enter. A DOS window will pop up. Then, copy/paste the following command and hit Enter:

del \\?\D:\recycler\nprotect\*.*

This should empty the folder apart from a few files that would not be accessible.
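The folder steps from posts #11 and #13, as an added example that is not code from the thread: empty a folder's contents while keeping the folder (the Quarantine and D:\RECYCLER instructions), remove a folder outright (C:\Deckard, C:\Qoobox, C:\Combofix), and address files through the Win32 extended-length prefix that the moderator's `del \\?\D:\recycler\nprotect\*.*` relies on. The prefix makes the kernel skip Win32 path normalisation, which is why it reaches names that Explorer or a plain del refuse (trailing dots or spaces, reserved device names, over-long paths); it does nothing about a file that is genuinely locked by a running process, which is what "a few files that would not be accessible" means, so those are collected and reported instead of aborting the run. Python was chosen so the logic can be run anywhere; the prefix is applied only on Windows. The helper names are mine, and the demo works on a throw-away tree in a temp directory, not on the poster's drives.

```python
import os
import tempfile


def extended_path(path):
    # Return the Win32 extended-length form of an absolute Windows path:
    #   D:\recycler\nprotect  ->  \\?\D:\recycler\nprotect
    #   \\server\share\x      ->  \\?\UNC\server\share\x
    # A path that already carries the prefix is returned unchanged.
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def _native(path):
    # Only Windows understands the prefix; elsewhere the path is used as-is.
    return extended_path(os.path.abspath(path)) if os.name == "nt" else path


def empty_directory(root):
    # Delete everything below root but keep root itself ("empty the contents
    # of this folder, but not the folder itself"). Entries that cannot be
    # removed, e.g. a file held open by a running process, go into skipped
    # rather than stopping the whole run. Bottom-up walk so a directory is
    # only rmdir'd after its contents are gone.
    removed, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(_native(root), topdown=False):
        for name in filenames:
            target = os.path.join(dirpath, name)
            try:
                os.chmod(target, 0o666)      # clear a read-only attribute first
                os.remove(target)
                removed.append(target)
            except OSError:
                skipped.append(target)
        for name in dirnames:
            target = os.path.join(dirpath, name)
            try:
                os.rmdir(target)             # fails, and is skipped, if not empty
                removed.append(target)
            except OSError:
                skipped.append(target)
    return removed, skipped


def remove_directory(root):
    # Empty root, then remove root itself (the C:\Deckard / C:\Qoobox case).
    # The folder is left in place if anything inside it could not be deleted.
    removed, skipped = empty_directory(root)
    if not skipped:
        try:
            os.rmdir(_native(root))
            removed.append(root)
        except OSError:
            skipped.append(root)
    return removed, skipped


def demo():
    # Constructed sample: a throw-away tree in a temp directory standing in
    # for D:\RECYCLER or a quarantine folder. Returns what happened so the
    # result can be inspected (or asserted on) without reading stdout.
    root = tempfile.mkdtemp(prefix="recycler_")
    os.makedirs(os.path.join(root, "sub", "deeper"))
    for rel in ("a.txt", os.path.join("sub", "b.txt"),
                os.path.join("sub", "deeper", "c.txt")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    removed, skipped = empty_directory(root)
    result = {
        "emptied": len(removed),          # 3 files + 2 sub-directories
        "skipped": len(skipped),
        "root_kept": os.path.isdir(root),
        "leftovers": os.listdir(root),
    }
    removed, skipped = remove_directory(root)
    result["root_removed"] = not skipped and not os.path.exists(root)
    return result


if __name__ == "__main__":
    print(extended_path(r"D:\recycler\nprotect"))
    print(demo())
```

On the poster's machine the calls would be `empty_directory(r"D:\RECYCLER")` and `remove_directory(r"C:\Qoobox")`, run from an account that owns those folders; anything that lands in `skipped` is the set of files the moderator expects to remain until the process holding them is gone (or until a reboot).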