Old 08-24-2007, 04:05 AM   #1 (permalink)
Join Date: Aug 2007
Posts: 8
OS: XP


Poss. Trojan Horse - Qhost.gen

Hi,

I've attached the Panda Log and the extra.txt. According to Panda, the trojan horse is 'qhost.gen'. Panda also claims that the trojan horse has been disinfected, but I thought it might be prudent to check with you to ensure that this indeed is the case.

Deckard's System Scanner v20070819.64
Run by Owner on 2007-08-24 10:39:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
32: 2007-08-24 17:40:26 UTC - RP78 - Deckard's System Scanner Restore Point
31: 2007-08-19 05:50:36 UTC - RP77 - System Checkpoint
30: 2007-08-17 17:36:48 UTC - RP76 - System Checkpoint
29: 2007-08-16 16:32:52 UTC - RP75 - Software Distribution Service 3.0
28: 2007-08-15 02:18:46 UTC - RP74 - System Checkpoint


-- First Restore Point --
1: 2007-05-24 22:33:33 UTC - RP47 - Software Distribution Service 2.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:12, on 24/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Genius\ioCentre\gTaskBar.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
C:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
C:\Genius\ioCentre\gMouseTask.exe
C:\Genius\ioCentre\gKbdTask.exe
C:\Genius\ioCentre\gAutoPan.exe
C:\Genius\ioCentre\gAutoScroll.exe
C:\Genius\ioCentre\gZoom.exe
C:\Genius\ioCentre\gMGlass.exe
C:\Genius\ioCentre\gIMMgm.exe
C:\Genius\ioCentre\gDeskMgm.exe
C:\Genius\ioCentre\gTaskSwitch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {316D19F2-1C76-4508-85BA-D3942FCB6F06} - C:\WINDOWS\system32\ssqpo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CC358019-D328-40B4-8E2D-818CE142616C} - C:\WINDOWS\system32\ljjgfcb.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ioCentre] C:\Genius\ioCentre\gTaskBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20
O4 - Startup: WLAN Client Utility
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
O4 - Global Startup: WLAN Client Utility.lnk = C:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - Winlogon Notify: ljjgfcb - C:\WINDOWS\SYSTEM32\ljjgfcb.dll
O20 - Winlogon Notify: ssqpo - C:\WINDOWS\system32\ssqpo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 7943 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 OEM FVNETusb (AR)(R) (OEM FVNETusb (AR)(R) Service for WLAN USB Adapter (AR)) - c:\windows\system32\drivers\vnetusbr.sys <Not Verified; ATMEL; 802.11b Compliant USB Wireless Network Adapter>
R3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:\program files\sophos\sophos anti-virus\savadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 SAVService (Sophos Anti-Virus) - "c:\program files\sophos\sophos anti-virus\savservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 Sophos AutoUpdate Service - "c:\program files\sophos\autoupdate\alsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-17 12:17:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-24 and 2007-08-24 -----------------------------

2007-08-24 10:41:55 0 d-------- C:\Program Files\Trend Micro
2007-08-24 10:31:25 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-24 10:31:25 0 d-------- C:\Program Files\SpywareBlaster
2007-08-24 00:56:04 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-24 00:14:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-08-24 00:14:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-24 00:14:48 0 d-------- C:\WINDOWS\LastGood
2007-08-24 00:14:45 6473 ---hs---- C:\WINDOWS\system32\opqss.bak1
2007-08-24 00:14:35 298080 --a------ C:\WINDOWS\system32\ssqpo.dll
2007-08-24 00:10:15 43542 --a------ C:\WINDOWS\system32\gebxvus.dll
2007-08-24 00:10:10 188928 --a------ C:\Documents and Settings\Owner\kelly.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 00:05:47 43542 --a------ C:\WINDOWS\system32\ljjklij.dll
2007-08-24 00:05:36 43542 --a------ C:\WINDOWS\system32\ljjgfcb.dll
2007-08-20 22:20:36 0 d-------- C:\Program Files\Musicnotes
2007-08-20 15:05:28 0 d-------- C:\Documents and Settings\Lindsay\Application Data\AdobeAUM
2007-08-20 15:05:26 0 d-------- C:\Documents and Settings\Lindsay\Application Data\AdobeUM
2007-08-20 15:05:22 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Leadertech
2007-08-17 12:28:19 0 d-------- C:\Program Files\iPod
2007-08-17 12:22:52 0 d-------- C:\Program Files\Common Files\Apple
2007-08-17 12:22:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-12 18:00:48 0 d-------- C:\Documents and Settings\Margaret\Contacts
2007-08-11 17:26:46 0 d-------- C:\Program Files\mIRC
2007-08-11 12:07:05 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Sun
2007-08-02 14:31:03 8704 --a------ C:\WINDOWS\system32\vidccleaner.exe <Not Verified; ; vidccleaner Application>
2007-08-02 14:30:40 217088 --a------ C:\WINDOWS\system32\skjpeg40.dll <Not Verified; STOIK Software; STOIK Software skjpeg>
2007-08-02 14:30:40 83968 --a------ C:\WINDOWS\system32\Skbase40.dll <Not Verified; STOIK Software Ltd.; STOIK Software Ltd. skbase>
2007-08-02 14:30:38 0 d-------- C:\Program Files\Samsung
2007-08-02 14:30:12 159744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-02 14:30:12 552960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-02 14:30:12 0 d-------- C:\Program Files\Xvid
2007-08-02 14:29:26 40960 --a------ C:\WINDOWS\unL270_.dll
2007-07-29 12:34:14 0 d-------- C:\Genius


-- Find3M Report ---------------------------------------------------------------

2007-08-24 04:44:10 0 d-------- C:\Program Files\QuickTime
2007-08-24 04:39:41 0 d-------- C:\Program Files\Microsoft LifeCam
2007-08-24 04:38:48 0 d-------- C:\Program Files\Messenger
2007-08-24 04:38:48 0 d-------- C:\Program Files\Last.fm
2007-08-24 04:32:37 0 d-------- C:\Program Files\iTunes
2007-08-24 00:05:40 0 d-------- C:\Program Files\MSN Messenger
2007-08-17 12:22:52 0 d-------- C:\Program Files\Common Files
2007-08-17 12:17:18 0 d-------- C:\Program Files\Apple Software Update
2007-08-02 14:30:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-22 16:41:27 9291 --a------ C:\WINDOWS\extend.dat
2007-07-21 16:44:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-07-21 16:37:40 1586 --a------ C:\WINDOWS\mozver.dat
2007-07-21 16:37:25 0 d-------- C:\Program Files\Java
2007-07-21 16:35:23 0 d-------- C:\Program Files\Common Files\Java
2007-07-14 23:20:59 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2007-07-05 14:27:00 0 d-------- C:\Program Files\Google
2007-07-05 13:00:03 0 d-------- C:\Program Files\ART Inc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{316D19F2-1C76-4508-85BA-D3942FCB6F06}]
24/08/2007 00:14 298080 --a------ C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC358019-D328-40B4-8E2D-818CE142616C}]
24/08/2007 00:05 43542 --a------ C:\WINDOWS\system32\ljjgfcb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [30/10/2002 17:40]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [12/07/2002 18:15]
"Cmaudio"="cmicnfg.cpl" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 23:46]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [29/06/2006 16:54]
"VX3000"="C:\WINDOWS\vVX3000.exe" [29/06/2006 16:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/05/2007 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"ioCentre"="C:\Genius\ioCentre\gTaskBar.exe" [08/12/2006 21:09]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 05:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [24/08/2007 00:05]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 09:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [02/08/2007 22:45:33]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [29/06/2007 21:43:00]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [11/07/1997]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [11/07/1997]
Wireless Configuration Utility.lnk - C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe [05/12/2003 12:25:34]
WLAN Client Utility.lnk - C:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe [07/11/2002 17:37:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CC358019-D328-40B4-8E2D-818CE142616C}"= C:\WINDOWS\system32\ljjgfcb.dll [24/08/2007 00:05 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgfcb]
ljjgfcb.dll 24/08/2007 00:05 43542 C:\WINDOWS\system32\ljjgfcb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpo]
C:\WINDOWS\system32\ssqpo.dll 24/08/2007 00:14 298080 C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

*Newly Created Service* - SISPORT



-- End of Deckard's System Scanner: finished at 2007-08-24 10:45:26 ------------



The extra.txt is attached.

Thank you very much in advance for any help you might be able to give.
Attached Files
File Type: txt extra.txt (17.6 KB, 2 views)
File Type: txt Panda Log.txt (123.3 KB, 3 views)

Last edited by tetonbob; 08-26-2007 at 07:41 PM.
VicenteSD is offline  

Old 08-25-2007, 04:37 PM   #2 (permalink)
Join Date: Aug 2007
Posts: 8
OS: XP


Virtumonde

I have found that it is a Virtumonde trojan horse.

I have attempted to remove it with VirtumundoBegone and VundoFix, but neither has worked. I have also tried Spybot, which deleted all of the suspicious files - with the exception of Virtumonde. I have used CCleaner and msncleaner.zip (the file came from MSN), which got rid of a file called 'sisport.sys'. Ad-Aware has also failed to get rid of it.

I have scanned with Kaspersky, which detected 5 viruses and 25 infected files:

Friday, August 24, 2007 12:58:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/08/2007
Kaspersky Anti-Virus database records: 389769
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 239600
Number of viruses found 5
Number of infected objects 25
Number of suspicious objects 0
Duration of the scan process 03:07:18

Infected Object Name Virus Name Last Action
C:\Backup 30-4-07\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\370d84034061568baf36aefd7c231b74_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d016fb03d86d2f0759d9f0605d49740_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40a9624aeab265e2e22890d21e707872_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5be47ee6d05596b23314823e3de79c20_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c563643122128abc794db72436ea1ed9_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f79b4715d4ac298fdfcedb352a4645f0_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped
C:\Documents and Settings\Lindsay\Local Settings\Temporary Internet Files\Content.IE5\AKF8NUT4\poep[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ll skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Margaret\Local Settings\Temporary Internet Files\Content.IE5\UOLKJB8S\poep[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ll skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007082420070825\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9GFDWADY\poep[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ll skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Cyber Nations\mirc62.exe/stream/data0006 Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Owner\My Documents\Cyber Nations\mirc62.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Owner\My Documents\Cyber Nations\mirc62.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\My Documents\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Documents and Settings\Owner\My Documents\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Documents and Settings\Owner\My Documents\mirc621.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sergio\Local Settings\Temporary Internet Files\Content.IE5\TIT2Q500\poep[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ll skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\byxutrp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\cbxwxvu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\gebxvus.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iifdefc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\ljjgfcb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\ljjklij.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\mljiijg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\nnnklkk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\nnnnmnk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\pmnnklk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\tuvwtus.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xxyaxxv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\ydasxvoi.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Latest HJT log:

Deckard's System Scanner v20070819.64
Run by Owner on 2007-08-25 23:33:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:08:10, on 24/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Genius\ioCentre\gTaskBar.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Genius\ioCentre\gMouseTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Genius\ioCentre\gKbdTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Genius\ioCentre\gAutoPan.exe
C:\Genius\ioCentre\gAutoScroll.exe
C:\Genius\ioCentre\gZoom.exe
C:\Genius\ioCentre\gMGlass.exe
C:\Genius\ioCentre\gIMMgm.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Genius\ioCentre\gDeskMgm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
C:\Genius\ioCentre\gTaskSwitch.exe
C:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
C:\Genius\ioCentre\gTaskSwitch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ioCentre] C:\Genius\ioCentre\gTaskBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20
O4 - Startup: WLAN Client Utility
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
O4 - Global Startup: WLAN Client Utility.lnk = C:\Program Files\802.11 Wireless LAN\WLAN Client Utility\WLANClientUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7798 bytes

-- Files created between 2007-07-25 and 2007-08-25 -----------------------------

2007-08-25 23:29:55 70208 --a------ C:\WINDOWS\system32\kqxuufpk.dll
2007-08-25 23:29:40 125504 --a------ C:\WINDOWS\system32\aksawhwm.dll
2007-08-25 23:26:41 4672 --a------ C:\WINDOWS\system32\hhivmncs.exe
2007-08-25 23:26:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-08-25 23:25:52 1001649 ---hs---- C:\WINDOWS\system32\yyadd.bak2
2007-08-24 23:24:20 43542 --a------ C:\WINDOWS\system32\ljjggfd.dll
2007-08-24 23:19:29 43542 --a------ C:\WINDOWS\system32\gebbayv.dll
2007-08-24 23:14:26 43542 --a------ C:\WINDOWS\system32\xxyxuut.dll
2007-08-24 23:03:11 0 d-------- C:\QUARANTINE
2007-08-24 21:45:15 0 d-------- C:\WINDOWS\LastGood
2007-08-24 21:35:43 1495552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-08-24 21:35:42 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-08-24 21:33:09 0 d-------- C:\Program Files\McAfee
2007-08-24 21:33:09 0 d-------- C:\Program Files\Common Files\McAfee
2007-08-24 21:23:31 43542 --a------ C:\WINDOWS\system32\hggdaxv.dll
2007-08-24 21:23:10 155648 --a------ C:\Documents and Settings\Owner\tele.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 20:48:33 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-08-24 20:47:09 0 d-------- C:\Program Files\Yahoo!
2007-08-24 20:46:06 0 d-------- C:\Program Files\CCleaner
2007-08-24 20:43:57 0 d-------- C:\BackUpMSNCleaner
2007-08-24 17:58:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-24 17:49:40 0 d-------- C:\Program Files\Lavasoft
2007-08-24 17:49:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-24 17:48:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 17:24:56 43542 --a------ C:\WINDOWS\system32\gebxyvs.dll
2007-08-24 17:20:52 43542 --a------ C:\WINDOWS\system32\xxyyxuu.dll
2007-08-24 17:20:51 188928 --a------ C:\chis.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 17:14:37 6513 ---hs---- C:\WINDOWS\system32\yyadd.bak1
2007-08-24 17:14:29 298080 -----n--- C:\WINDOWS\system32\ddayy.dll
2007-08-24 17:09:25 43542 --a------ C:\WINDOWS\system32\ssqnkii.dll
2007-08-24 16:51:50 43542 --a------ C:\WINDOWS\system32\byxutrp.dll
2007-08-24 15:52:09 43542 --a------ C:\WINDOWS\system32\tuvwtus.dll
2007-08-24 15:51:53 188928 --a------ C:\Documents and Settings\Sergio\kelly.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 15:46:27 43542 --a------ C:\WINDOWS\system32\nnnnmnk.dll
2007-08-24 13:22:56 6473 ---hs---- C:\WINDOWS\system32\dccdd.bak1
2007-08-24 13:16:25 43542 --a------ C:\WINDOWS\system32\efcaaax.dll
2007-08-24 13:07:59 0 d-------- C:\VundoFix Backups
2007-08-24 12:52:04 43542 --a------ C:\WINDOWS\system32\cbxwxvu.dll
2007-08-24 11:54:42 43542 --a------ C:\WINDOWS\system32\xxyaxxv.dll
2007-08-24 11:54:37 188928 --a------ C:\Documents and Settings\Lindsay\kelly.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 10:41:55 0 d-------- C:\Program Files\Trend Micro
2007-08-24 10:40:15 43542 --a------ C:\WINDOWS\system32\pmnnklk.dll
2007-08-24 10:40:05 188928 --a------ C:\Documents and Settings\Margaret\kelly.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 10:31:25 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-24 10:31:25 0 d-------- C:\Program Files\SpywareBlaster
2007-08-24 09:32:24 43542 --a------ C:\WINDOWS\system32\nnnklkk.dll
2007-08-24 09:32:17 188928 --a------ C:\Documents and Settings\Owner\chis.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 07:56:21 43542 --a------ C:\WINDOWS\system32\iifdefc.dll
2007-08-24 02:51:29 188928 --a------ C:\Documents and Settings\Margaret\chis.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 01:31:24 43542 --a------ C:\WINDOWS\system32\mljiijg.dll
2007-08-24 00:56:04 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-24 00:14:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-24 00:10:15 43542 --a------ C:\WINDOWS\system32\gebxvus.dll
2007-08-24 00:10:10 188928 --a------ C:\Documents and Settings\Owner\kelly.exe <Not Verified; Microsoft Corporation; MSN Messenger>
2007-08-24 00:05:47 43542 --a------ C:\WINDOWS\system32\ljjklij.dll
2007-08-20 22:20:36 0 d-------- C:\Program Files\Musicnotes
2007-08-20 15:05:28 0 d-------- C:\Documents and Settings\Lindsay\Application Data\AdobeAUM
2007-08-20 15:05:26 0 d-------- C:\Documents and Settings\Lindsay\Application Data\AdobeUM
2007-08-20 15:05:22 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Leadertech
2007-08-17 12:28:19 0 d-------- C:\Program Files\iPod
2007-08-17 12:22:52 0 d-------- C:\Program Files\Common Files\Apple
2007-08-17 12:22:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-12 18:00:48 0 d-------- C:\Documents and Settings\Margaret\Contacts
2007-08-11 12:07:05 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Sun
2007-08-02 14:31:03 8704 --a------ C:\WINDOWS\system32\vidccleaner.exe <Not Verified; ; vidccleaner Application>
2007-08-02 14:30:40 217088 --a------ C:\WINDOWS\system32\skjpeg40.dll <Not Verified; STOIK Software; STOIK Software skjpeg>
2007-08-02 14:30:40 83968 --a------ C:\WINDOWS\system32\Skbase40.dll <Not Verified; STOIK Software Ltd.; STOIK Software Ltd. skbase>
2007-08-02 14:30:38 0 d-------- C:\Program Files\Samsung
2007-08-02 14:29:26 40960 --a------ C:\WINDOWS\unL270_.dll
2007-07-29 12:34:14 0 d-------- C:\Genius


-- Find3M Report ---------------------------------------------------------------

2007-08-24 23:21:05 0 d-------- C:\Program Files\MSN Messenger
2007-08-24 21:33:09 0 d-------- C:\Program Files\Common Files
2007-08-24 04:44:10 0 d-------- C:\Program Files\QuickTime
2007-08-24 04:39:41 0 d-------- C:\Program Files\Microsoft LifeCam
2007-08-24 04:38:48 0 d-------- C:\Program Files\Messenger
2007-08-24 04:38:48 0 d-------- C:\Program Files\Last.fm
2007-08-24 04:32:37 0 d-------- C:\Program Files\iTunes
2007-08-17 12:17:18 0 d-------- C:\Program Files\Apple Software Update
2007-08-02 14:30:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-22 16:41:27 9291 --a------ C:\WINDOWS\extend.dat
2007-07-21 16:44:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-07-21 16:37:40 1586 --a------ C:\WINDOWS\mozver.dat
2007-07-21 16:37:25 0 d-------- C:\Program Files\Java
2007-07-21 16:35:23 0 d-------- C:\Program Files\Common Files\Java
2007-07-14 23:20:59 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2007-07-05 14:27:00 0 d-------- C:\Program Files\Google
2007-07-05 13:00:03 0 d-------- C:\Program Files\ART Inc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7023ECEE-0B5B-4700-B084-7B1916DB03DF}]
C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD2AB685-8B18-4711-AF44-8F90C28B53CA}]
C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
25/08/2007 23:29 70208 --a------ C:\WINDOWS\system32\kqxuufpk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC358019-D328-40B4-8E2D-818CE142616C}]
24/08/2007 17:09 43542 --a------ C:\WINDOWS\system32\ssqnkii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCA1E968-6BD0-4354-AB44-5C1F4FB5F12C}]
24/08/2007 17:14 298080 --------- C:\WINDOWS\system32\ddayy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [30/10/2002 17:40]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [12/07/2002 18:15]
"Cmaudio"="cmicnfg.cpl" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 23:46]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [29/06/2006 16:54]
"VX3000"="C:\WINDOWS\vVX3000.exe" [29/06/2006 16:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/05/2007 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"ioCentre"="C:\Genius\ioCentre\gTaskBar.exe" [08/12/2006 21:09]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [22/02/2007 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [19/12/2006 11:27]
"SystemOptimizer"="C:\WINDOWS\system32\aksawhwm.dll" [25/08/2007 23:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 05:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 09:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [29/06/2007 21:43:00]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [11/07/1997]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [11/07/1997]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CC358019-D328-40B4-8E2D-818CE142616C}"= C:\WINDOWS\system32\ssqnkii.dll [24/08/2007 17:09 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayy]
C:\WINDOWS\system32\ddayy.dll 24/08/2007 17:14 298080 C:\WINDOWS\system32\ddayy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnkii]
ssqnkii.dll 24/08/2007 17:09 43542 C:\WINDOWS\system32\ssqnkii.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - MCAFEEFRAMEWORK
*Newly Created Service* - MCSHIELD
*Newly Created Service* - MCTASKMANAGER
*Newly Created Service* - MFEAPFK
*Newly Created Service* - MFEAVFK
*Newly Created Service* - MFEBOPK
*Newly Created Service* - MFEHIDK
*Newly Created Service* - MFERKDK
*Newly Created Service* - MFETDIK



-- End of Deckard's System Scanner: finished at 2007-08-25 23:36:49 ------------



Any advice would be very much appreciated.

(Apologies for the double-post; it wouldn't let me edit the first one!)

Last edited by tetonbob; 08-26-2007 at 07:42 PM.
VicenteSD is offline  
Old 08-26-2007, 08:05 PM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home


Re: Poss. Trojan Horse - Qhost.gen

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Note:

Please don't wrap your logs in bbcode tags; it makes them more difficult to read.

Thanks,

---------------------------------------------------------------------------------------------
  1. Download combofix.exe to your desktop.
  2. Disconnect from the internet....pull the plug!
  3. Disable your Anti-Virus's real-time protection. Exit the program via the SystemTray icon.
  4. Double click on combofix.exe & follow the prompts. Type "1" and press Enter to begin the scan.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Re-enable your Anti-Virus if it is not active...a reboot should have re-activated it.
  7. Re-establish an internet connection.
  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 08-28-2007, 06:03 AM   #4 (permalink)
Registered User
Join Date: Aug 2007
Posts: 8
OS: XP


Re: Poss. Trojan Horse - Qhost.gen

Thank you very much for your reply.

ComboFix log:

ComboFix 07-08-26 - "Owner" 2007-08-28 12:40:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aksawhwm.dll
C:\WINDOWS\system32\awturss.dll
C:\WINDOWS\system32\byxutrp.dll
C:\WINDOWS\system32\cbxwxvu.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\efcaaax.dll
C:\WINDOWS\system32\gebbayv.dll
C:\WINDOWS\system32\gebxvus.dll
C:\WINDOWS\system32\gebxyvs.dll
C:\WINDOWS\system32\hggdaxv.dll
C:\WINDOWS\system32\hhivmncs.exe
C:\WINDOWS\system32\iifdefc.dll
C:\WINDOWS\system32\kqxuufpk.dll
C:\WINDOWS\system32\ljjggfd.dll
C:\WINDOWS\system32\ljjklij.dll
C:\WINDOWS\system32\mljiijg.dll
C:\WINDOWS\system32\mwhwaska.ini
C:\WINDOWS\system32\nnnklkk.dll
C:\WINDOWS\system32\nnnnmnk.dll
C:\WINDOWS\system32\nnnonom.dll
C:\WINDOWS\system32\nswmnyvv.dll
C:\WINDOWS\system32\pmnnklk.dll
C:\WINDOWS\system32\rxspcvex.exe
C:\WINDOWS\system32\ssqnkii.dll
C:\WINDOWS\system32\tuvwtus.dll
C:\WINDOWS\system32\xxyaxxv.dll
C:\WINDOWS\system32\xxyxuut.dll
C:\WINDOWS\system32\xxyyxuu.dll
C:\WINDOWS\system32\yyadd.bak1
C:\WINDOWS\system32\yyadd.bak2
C:\WINDOWS\system32\yyadd.ini


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-28 )))))))))))))))))))))))))))))))


2007-08-26 00:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-25 23:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-24 23:03 <DIR> d-------- C:\QUARANTINE
2007-08-24 21:35 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-08-24 21:35 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-08-24 21:35 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-08-24 21:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-24 21:35 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-08-24 21:35 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-08-24 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-24 21:34 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-08-24 21:33 <DIR> d-------- C:\Program Files\McAfee
2007-08-24 21:33 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-08-24 21:23 155,648 --a------ C:\DOCUME~1\Owner\tele.exe
2007-08-24 20:47 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-24 20:46 <DIR> d-------- C:\Program Files\CCleaner
2007-08-24 20:43 <DIR> d-------- C:\BackUpMSNCleaner
2007-08-24 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-24 17:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-24 17:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-24 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 17:20 188,928 --a------ C:\chis.exe
2007-08-24 15:51 188,928 --a------ C:\DOCUME~1\Sergio\kelly.exe
2007-08-24 13:22 6,473 --ahs---- C:\WINDOWS\system32\dccdd.bak1
2007-08-24 13:20 298,080 --a------ C:\WINDOWS\system32\ddccd.dll.vir
2007-08-24 13:07 <DIR> d-------- C:\VundoFix Backups
2007-08-24 11:54 188,928 --a------ C:\DOCUME~1\Lindsay\kelly.exe
2007-08-24 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-24 10:40 188,928 --a------ C:\DOCUME~1\Margaret\kelly.exe
2007-08-24 10:39 <DIR> d-------- C:\Deckard
2007-08-24 10:31 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-24 10:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-24 09:32 188,928 --a------ C:\DOCUME~1\Owner\chis.exe
2007-08-24 02:51 188,928 --a------ C:\DOCUME~1\Margaret\chis.exe
2007-08-24 00:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-24 00:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-24 00:10 188,928 --a------ C:\DOCUME~1\Owner\kelly.exe
2007-08-24 00:05 43,542 --a------ C:\WINDOWS\system32\ljjgfcb.dll.vir
2007-08-20 22:20 <DIR> d-------- C:\Program Files\Musicnotes
2007-08-20 15:05 <DIR> d-------- C:\DOCUME~1\Lindsay\APPLIC~1\Leadertech
2007-08-20 15:05 <DIR> d-------- C:\DOCUME~1\Lindsay\APPLIC~1\AdobeUM
2007-08-20 15:05 <DIR> d-------- C:\DOCUME~1\Lindsay\APPLIC~1\AdobeAUM
2007-08-17 12:28 <DIR> d-------- C:\Program Files\iPod
2007-08-17 12:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-17 12:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-12 18:00 <DIR> d-------- C:\DOCUME~1\Margaret\Contacts
2007-08-02 14:31 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe
2007-08-02 14:30 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-08-02 14:30 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-02 14:30 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-08-02 14:30 <DIR> d-------- C:\Program Files\Samsung
2007-08-02 14:29 40,960 --a------ C:\WINDOWS\unL270_.dll
2007-07-31 13:19 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-29 12:35 9,984 --a------ C:\WINDOWS\system32\drivers\gMouUsb.sys
2007-07-29 12:35 17,408 --a------ C:\WINDOWS\system32\drivers\gMouPS2.sys
2007-07-29 12:35 14,848 --a------ C:\WINDOWS\system32\drivers\gHidPnp.sys
2007-07-29 12:34 <DIR> d-------- C:\Genius
2007-07-28 15:39 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-07-28 15:39 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-28 15:39 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 23:21 --------- d-------- C:\Program Files\MSN Messenger
2007-08-24 17:53 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-24 17:53 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-24 04:44 --------- d-------- C:\Program Files\QuickTime
2007-08-24 04:39 --------- d-------- C:\Program Files\Microsoft LifeCam
2007-08-24 04:38 --------- d-------- C:\Program Files\Last.fm
2007-08-24 04:32 --------- d-------- C:\Program Files\iTunes
2007-08-17 12:17 --------- d-------- C:\Program Files\Apple Software Update
2007-08-02 14:30 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-15 11:20 --------- d-------- C:\DOCUME~1\Manuela\APPLIC~1\Real
2007-07-14 23:20 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-07-05 14:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-05 14:27 --------- d-------- C:\Program Files\Google
2007-07-05 13:00 --------- d-------- C:\Program Files\ART Inc
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7023ECEE-0B5B-4700-B084-7B1916DB03DF}]
C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD2AB685-8B18-4711-AF44-8F90C28B53CA}]
C:\WINDOWS\system32\ssqpo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-10-30 17:40]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 18:15]
"Cmaudio"="cmicnfg.cpl" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 16:54]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-06-29 16:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-06 16:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ioCentre"="C:\Genius\ioCentre\gTaskBar.exe" [2006-12-08 21:09]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamSvc.exe"
R3 gHidPnp;USB Device Enhanced Function Driver;C:\WINDOWS\system32\Drivers\gHidPnp.Sys
R3 gMouUsb;USB Mouse Device Drv;C:\WINDOWS\system32\DRIVERS\gMouUsb.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
R3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
S3 gMouPS2;PS2 Scroll Mouse Device;C:\WINDOWS\system32\DRIVERS\gMouPS2.sys
S3 OEM FVNETusb (AR)(R);OEM FVNETusb (AR)(R) Service for WLAN USB Adapter (AR);C:\WINDOWS\system32\DRIVERS\vnetusbr.sys


Contents of the 'Scheduled Tasks' folder
2007-08-24 19:17:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-28 12:55:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-28 12:58:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-28 12:58

--- E O F ---

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:44, on 28/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Genius\ioCentre\gTaskBar.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Genius\ioCentre\gMouseTask.exe
C:\Genius\ioCentre\gKbdTask.exe
C:\Genius\ioCentre\gAutoPan.exe
C:\Genius\ioCentre\gAutoScroll.exe
C:\Genius\ioCentre\gZoom.exe
C:\Genius\ioCentre\gMGlass.exe
C:\Genius\ioCentre\gIMMgm.exe
C:\Genius\ioCentre\gDeskMgm.exe
C:\Genius\ioCentre\gTaskSwitch.exe
C:\Genius\ioCentre\gMouseTask.exe
C:\Genius\ioCentre\gKbdTask.exe
C:\Genius\ioCentre\gZoom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7023ECEE-0B5B-4700-B084-7B1916DB03DF} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {AD2AB685-8B18-4711-AF44-8F90C28B53CA} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ioCentre] C:\Genius\ioCentre\gTaskBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 8176 bytes

Thanks once more for all of your help.
Old 08-28-2007, 06:51 AM   #5 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home

Re: Poss. Trojan Horse - Qhost.gen

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\Documents and Settings\Margaret\kelly.exe


  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
  • Repeat for this file:

    C:\Documents and Settings\Owner\chis.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 08-28-2007, 07:20 AM   #6 (permalink)
VicenteSD (Registered User)
Join Date: Aug 2007
Posts: 8
OS: XP

Re: Poss. Trojan Horse - Qhost.gen

C:\Documents and Settings\Margaret\kelly.exe

AhnLab-V3 2007.8.29.0 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 HEUR/Crypted
Authentium 4.93.8 2007.08.28 -
Avast 4.7.1029.0 2007.08.27 Win32:Agent-HOP
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.28 -
CAT-QuickHeal 9.00 2007.08.25 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.08.28 -
DrWeb 4.33 2007.08.28 -
eSafe 7.0.15.0 2007.08.28 Suspicious Trojan/Worm
eTrust-Vet 31.1.5091 2007.08.28 -
Ewido 4.0 2007.08.28 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.28 -
F-Prot 4.3.2.48 2007.08.28 -
F-Secure 6.70.13030.0 2007.08.28 -
Ikarus T3.1.1.12 2007.08.28 -
Kaspersky 4.0.2.24 2007.08.28 -
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 -
NOD32v2 2488 2007.08.28 a variant of Win32/Agent.NBJ
Norman 5.80.02 2007.08.28 -
Panda 9.0.0.4 2007.08.28 Suspicious file
Prevx1 V2 2007.08.28 -
Rising 19.38.12.00 2007.08.28 Worm.IM.Agent.l
Sophos 4.21.0 2007.08.28 -
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.28 -
TheHacker 6.1.9.175 2007.08.28 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.28 Heuristic.Crypted
Additional information
File size: 188928 bytes
MD5: 538cd05e0fa58ce2caf38c03b6797aa4
SHA1: 7e180b3289144f52a7bd3c78297bbca44b0b610c
packers: ASProtect
packers: PE_Patch, Aspack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

C:\Documents and Settings\Owner\chis.exe

AhnLab-V3 2007.8.29.0 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 Worm/Garm.D
Authentium 4.93.8 2007.08.28 -
Avast 4.7.1029.0 2007.08.27 Win32:Agent-HOP
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.28 -
CAT-QuickHeal 9.00 2007.08.25 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.08.28 -
DrWeb 4.33 2007.08.28 -
eSafe 7.0.15.0 2007.08.28 Suspicious Trojan/Worm
eTrust-Vet 31.1.5091 2007.08.28 -
Ewido 4.0 2007.08.28 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.28 -
F-Prot 4.3.2.48 2007.08.28 -
F-Secure 6.70.13260.0 2007.08.28 IM-Worm.Win32.Garm.d
Ikarus T3.1.1.12 2007.08.28 IM-Worm.Win32.Garm.d
Kaspersky 4.0.2.24 2007.08.28 IM-Worm.Win32.Garm.d
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 -
NOD32v2 2488 2007.08.28 a variant of Win32/Agent.NBJ
Norman 5.80.02 2007.08.28 -
Panda 9.0.0.4 2007.08.28 Suspicious file
Prevx1 V2 2007.08.28 -
Rising 19.38.12.00 2007.08.28 -
Sophos 4.21.0 2007.08.28 -
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.28 -
TheHacker 6.1.9.175 2007.08.28 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.28 Worm.Garm.D
Additional information
File size: 188928 bytes
MD5: c10891e7ba2be0e245779f6d36f5928a
SHA1: 144482c20fe45502fc0da80a591793c54c495a47
packers: ASProtect
packers: PE_Patch, Aspack
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Old 08-28-2007, 07:23 AM   #7 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Re: Poss. Trojan Horse - Qhost.gen

Thank you. Please do the same for this file:

C:\Documents and Settings\Owner\tele.exe

I'll have instructions for you after that return.
Old 08-28-2007, 07:46 AM   #8 (permalink)
VicenteSD (Registered User)

Re: Poss. Trojan Horse - Qhost.gen

AhnLab-V3 2007.8.29.0 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 Worm/Garm.C
Authentium 4.93.8 2007.08.28 -
Avast 4.7.1029.0 2007.08.27 Win32:Agent-HOP
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.28 -
CAT-QuickHeal 9.00 2007.08.25 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.08.28 -
DrWeb 4.33 2007.08.28 -
eSafe 7.0.15.0 2007.08.28 -
eTrust-Vet 31.1.5091 2007.08.28 Win32/VMalum.IJR
Ewido 4.0 2007.08.28 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.28 -
F-Prot 4.3.2.48 2007.08.28 -
F-Secure 6.70.13030.0 2007.08.28 IM-Worm.Win32.Garm.c
Ikarus T3.1.1.12 2007.08.28 Backdoor.Win32.Rbot
Kaspersky 4.0.2.24 2007.08.28 IM-Worm.Win32.Garm.c
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 Worm:Win32/Smees.A
NOD32v2 2488 2007.08.28 a variant of Win32/Agent.NBJ
Norman 5.80.02 2007.08.28 -
Panda 9.0.0.4 2007.08.28 -
Prevx1 V2 2007.08.28 -
Rising 19.38.12.00 2007.08.28 Worm.IM.Agent.l
Sophos 4.21.0 2007.08.28 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.28 -
TheHacker 6.1.9.175 2007.08.28 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.28 Worm.Garm.C
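The two VirusTotal result blocks above are read the same way each time: count the engines that flagged the file, separate named verdicts (Garm, Agent) from purely heuristic ones, and compare the two samples. The following is an added example, not code from the thread or from VirusTotal; it parses the plain-text layout as pasted above, using constructed excerpts of the chis.exe and kelly.exe reports as input.

```python
"""Summarise plain-text VirusTotal results as pasted in the posts above.

Added example, not part of the original thread or of VirusTotal. It assumes
the 2007 text layout seen above: one line per engine,
"<engine> <version> <yyyy.mm.dd> <result>" with "-" meaning no detection,
followed by an "Additional information" block (size, MD5, SHA1, packers).
"""
import re

ENGINE_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+) (?P<date>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$"
)
# Verdicts that name no family: heuristic, packer or "suspicious" flags.
HEURISTIC_RE = re.compile(r"suspicious|heur|crypted|generic", re.I)

# Constructed excerpts of the two reports above (chis.exe, then kelly.exe).
CHIS_REPORT = """\
AhnLab-V3 2007.8.29.0 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 Worm/Garm.D
Avast 4.7.1029.0 2007.08.27 Win32:Agent-HOP
CAT-QuickHeal 9.00 2007.08.25 (Suspicious) - DNAScan
Kaspersky 4.0.2.24 2007.08.28 IM-Worm.Win32.Garm.d
McAfee 5106 2007.08.27 -
NOD32v2 2488 2007.08.28 a variant of Win32/Agent.NBJ
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.28 -
Additional information
File size: 188928 bytes
MD5: c10891e7ba2be0e245779f6d36f5928a
SHA1: 144482c20fe45502fc0da80a591793c54c495a47
packers: ASProtect
packers: PE_Patch, Aspack
"""
KELLY_REPORT = """\
AntiVir 7.4.1.63 2007.08.28 HEUR/Crypted
Avast 4.7.1029.0 2007.08.27 Win32:Agent-HOP
Kaspersky 4.0.2.24 2007.08.28 -
NOD32v2 2488 2007.08.28 a variant of Win32/Agent.NBJ
Rising 19.38.12.00 2007.08.28 Worm.IM.Agent.l
Additional information
File size: 188928 bytes
MD5: 538cd05e0fa58ce2caf38c03b6797aa4
packers: ASProtect
"""


def parse_vt_report(text):
    """Parse one report into engine count, verdicts and file metadata."""
    report = {"engines": 0, "detections": {}, "size": None,
              "md5": None, "sha1": None, "packers": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_RE.match(line)
        if m:
            report["engines"] += 1
            if m.group("result") != "-":
                report["detections"][m.group("engine")] = m.group("result")
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "file size":
            report["size"] = int(value.split()[0])
        elif key == "md5":
            report["md5"] = value
        elif key == "sha1":
            report["sha1"] = value
        elif key == "packers":
            report["packers"].extend(p.strip() for p in value.split(","))
    return report


def detection_ratio(report):
    return f"{len(report['detections'])}/{report['engines']}"


def split_verdicts(report):
    """Named family verdicts versus heuristic/suspicious ones."""
    named = {e: v for e, v in report["detections"].items() if not HEURISTIC_RE.search(v)}
    heuristic = {e: v for e, v in report["detections"].items() if HEURISTIC_RE.search(v)}
    return named, heuristic


def shared_verdicts(a, b):
    """Engines that gave both files the same named verdict."""
    named_a, _ = split_verdicts(a)
    named_b, _ = split_verdicts(b)
    return {e: v for e, v in named_a.items() if named_b.get(e) == v}


def likely_same_family(a, b):
    """Same size, a common packer and at least one identical named verdict:
    the two files are probably the same worm repacked, as above."""
    return (bool(shared_verdicts(a, b)) and a["size"] == b["size"]
            and bool(set(a["packers"]) & set(b["packers"])))
```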
Old 08-28-2007, 07:47 AM   #9 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Re: Poss. Trojan Horse - Qhost.gen

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O2 - BHO: (no name) - {7023ECEE-0B5B-4700-B084-7B1916DB03DF} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {AD2AB685-8B18-4711-AF44-8F90C28B53CA} - C:\WINDOWS\system32\ssqpo.dll (file missing)


Close HijackThis now.

---------------------------------------------------------------------------------------------

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\DOCUME~1\Owner\tele.exe
    C:\chis.exe
    C:\DOCUME~1\Sergio\kelly.exe
    C:\WINDOWS\system32\dccdd.bak1
    C:\WINDOWS\system32\ddccd.dll.vir
    C:\VundoFix Backups
    C:\DOCUME~1\Lindsay\kelly.exe
    C:\DOCUME~1\Margaret\kelly.exe
    C:\DOCUME~1\Owner\chis.exe
    C:\DOCUME~1\Margaret\chis.exe
    C:\DOCUME~1\Owner\kelly.exe
    C:\WINDOWS\system32\ljjgfcb.dll.vir


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
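The two O2 lines tetonbob singles out share one pattern: an unnamed BHO whose DLL is reported "(file missing)", the orphan left in the registry after the DLL itself was removed. As an added example (not code from the thread or from HijackThis), this picks those lines out of a log automatically, using a constructed excerpt of the log posted above, and treats "(no name)" alone as a weak signal because Spybot's SDHelper.dll registers the same way.

```python
"""Pick out the HijackThis entries a helper would mark for "Fix checked".

Added example, not part of the original thread or of HijackThis. It reads
O2 (Browser Helper Object) lines from a log and flags the pattern seen
above: a CLSID registered with no name whose DLL is "(file missing)", the
usual leftover after a Vundo-family DLL has been removed.
"""
import re

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7023ECEE-0B5B-4700-B084-7B1916DB03DF} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {AD2AB685-8B18-4711-AF44-8F90C28B53CA} - C:\WINDOWS\system32\ssqpo.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
"""


def review_bhos(log_text):
    """Return one finding per O2 line that deserves a look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if not m:
            continue
        reasons = []
        if m.group("missing"):
            # The registry still loads a CLSID whose DLL is gone: an orphan
            # left by a removal tool, safe to fix and a sign of what was there.
            reasons.append("file missing")
        if m.group("name") == "(no name)":
            # Weak on its own: Spybot's SDHelper.dll also registers unnamed.
            reasons.append("unnamed")
        if reasons:
            findings.append({"line": line, "clsid": m.group("clsid"),
                             "path": m.group("path"), "reasons": reasons})
    return findings


def fix_candidates(log_text):
    """Exact log lines to list for 'Fix checked': orphaned BHOs only."""
    return [f["line"] for f in review_bhos(log_text) if "file missing" in f["reasons"]]


def orphans_by_dll(log_text):
    """Map each missing DLL to the CLSIDs still pointing at it; several
    CLSIDs for one DLL (ssqpo.dll above) mean one DLL was removed, not several."""
    grouped = {}
    for f in review_bhos(log_text):
        if "file missing" in f["reasons"]:
            grouped.setdefault(f["path"].lower(), []).append(f["clsid"])
    return grouped
```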
Old 08-28-2007, 02:56 PM   #10 (permalink)
VicenteSD (Registered User)

Re: Poss. Trojan Horse - Qhost.gen

Sorry for the delay, KOS took especially long to scan this time (just for future reference, do I need to scan the whole of My Computer, or is critical mass enough?)

MoveIt! Report

C:\DOCUME~1\Owner\tele.exe moved successfully.
C:\chis.exe moved successfully.
C:\DOCUME~1\Sergio\kelly.exe moved successfully.
C:\WINDOWS\system32\dccdd.bak1 moved successfully.
C:\WINDOWS\system32\ddccd.dll.vir moved successfully.
C:\VundoFix Backups moved successfully.
C:\DOCUME~1\Lindsay\kelly.exe moved successfully.
C:\DOCUME~1\Margaret\kelly.exe moved successfully.
C:\DOCUME~1\Owner\chis.exe moved successfully.
C:\DOCUME~1\Margaret\chis.exe moved successfully.
C:\DOCUME~1\Owner\kelly.exe moved successfully.
C:\WINDOWS\system32\ljjgfcb.dll.vir moved successfully.

Created on 08/28/2007 15:03:22

Kaspersky Online Scanner Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 28, 2007 9:55:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/08/2007
Kaspersky Anti-Virus database records: 394397
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 172284
Number of viruses found: 6
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 03:52:02

Infected Object Name / Virus Name / Last Action
C:\Backup 30-4-07\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_OWNER-1CB67CF49.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_OWNER-1CB67CF49.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\370d84034061568baf36aefd7c231b74_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d016fb03d86d2f0759d9f0605d49740_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40a9624aeab265e2e22890d21e707872_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5be47ee6d05596b23314823e3de79c20_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c563643122128abc794db72436ea1ed9_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f79b4715d4ac298fdfcedb352a4645f0_7e4d1b0c-c6ea-43b0-8f6a-2e46cabd1850 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NAILogs\UpdaterUI_OWNER-1CB67CF49.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awturss.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byxutrp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxwxvu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcaaax.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebbayv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebxvus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebxyvs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hggdaxv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hhivmncs.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iifdefc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljjggfd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljjklij.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljiijg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnklkk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnnmnk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnonom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnklk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rxspcvex.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvwtus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyaxxv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyxuut.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyyxuu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-28_125525.37.zip/ssqnkii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-28_125525.37.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0084577.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0084583.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0084597.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0084776.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0084787.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0085788.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP81\A0086624.exe Infected: IM-Worm.Win32.Garm.c skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP82\A0086626.exe Infected: IM-Worm.Win32.Garm.c skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP83\A0086693.exe Infected: IM-Worm.Win32.Garm.c skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086818.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086819.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086820.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086821.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086823.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086824.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086825.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086826.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086828.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086829.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086830.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086831.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086832.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086833.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086834.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086836.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086837.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086838.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086839.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086841.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP85\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\chis.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Margaret\chis.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Owner\chis.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Owner\tele.exe Infected: IM-Worm.Win32.Garm.c skipped
C:\_OTMoveIt\MovedFiles\VundoFix Backups\ydasxvoi.exe.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ljjgfcb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

Scan process completed.
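Reading a Kaspersky report like the one above comes down to where each hit lives: everything under QooBox (ComboFix's quarantine), _OTMoveIt\MovedFiles and VundoFix Backups is already contained, System Restore copies are inert until a restore is performed, and "Object is locked" lines are open hives and logs, not detections. As an added example (not code from the thread or from Kaspersky), this sorts a constructed excerpt of the report above into those buckets and reports what, if anything, is still live.

```python
"""Triage a Kaspersky Online Scanner report such as the one posted above.

Added example, not part of the original thread or of the scanner. It sorts
each "Infected:" line by where the file lives, because a hit inside a
quarantine folder or a System Restore snapshot is already contained, while
a hit in a live path is what still needs action.
"""
import re
from collections import Counter

# One report line: "<path> Infected: <name> skipped", "<path> Object is
# locked skipped", or a "ZIP: infected - N" archive summary.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>.+?)|(?P<locked>Object is locked)"
    r"|ZIP: infected - \d+) skipped$"
)

# Folders used by the removal tools seen in this thread (ComboFix's QooBox,
# OTMoveIt, VundoFix); assumption: anything under them is quarantined.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\_otmoveit\movedfiles",
    r"c:\vundofix backups",
)
RESTORE_MARKER = r"\system volume information\_restore"

# Constructed excerpt in the format of the report above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Backup 30-4-07\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awturss.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hhivmncs.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\catchme2007-08-28_125525.37.zip/ssqnkii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-28_125525.37.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP78\A0084583.exe Infected: IM-Worm.Win32.Garm.d skipped
C:\System Volume Information\_restore{2BE57B90-C133-4F93-A4B6-C6C64EEDE8C0}\RP84\A0086839.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\_OTMoveIt\MovedFiles\DOCUME~1\Owner\tele.exe Infected: IM-Worm.Win32.Garm.c skipped
C:\_OTMoveIt\MovedFiles\VundoFix Backups\ydasxvoi.exe.bad Infected: Trojan-Downloader.Win32.Tiny.id skipped

Scan process completed.
"""


def parse_report(text):
    """Return (path, verdict) pairs; verdict is the detection name or
    "locked" for files the scanner could not open. Archive summary lines
    are dropped because the infected member is listed separately."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("name"):
            rows.append((m.group("path"), m.group("name")))
        elif m.group("locked"):
            rows.append((m.group("path"), "locked"))
    return rows


def classify(path):
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def triage(text):
    """Count detections per location bucket, plus locked (unscanned) files."""
    summary = {"live": Counter(), "quarantine": Counter(),
               "restore_point": Counter(), "locked": 0}
    for path, verdict in parse_report(text):
        if verdict == "locked":
            summary["locked"] += 1  # hives, event logs, index.dat: normal
        else:
            summary[classify(path)][verdict] += 1
    return summary


def needs_action(text):
    """Live-path detections that are real malware rather than Kaspersky's
    'not-a-virus:' riskware class (an IRC client, adware signatures)."""
    return sorted(name for name in triage(text)["live"]
                  if not name.startswith("not-a-virus:"))


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(bucket, dict(hits) if isinstance(hits, Counter) else hits)
    print("still needs action:", needs_action(SAMPLE_REPORT))
```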
Old 08-28-2007, 03:05 PM   #11 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Re: Poss. Trojan Horse - Qhost.gen

It's important to scan My Computer; it's more thorough.

Run OTMoveIt, and click on the Cleanup button. Follow the prompts. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. The system may require a reboot to complete this step. Please allow it.

Also post a new HijackThis log.

How is your system behaving, please?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 08-28-2007, 03:07 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home


Re: Poss. Trojan Horse - Qhost.gen

Also, is your McAfee subscription current?
tetonbob is offline  
Old 08-28-2007, 03:30 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 8
OS: XP


Re: Poss. Trojan Horse - Qhost.gen

I ran the CleanUp - the system rebooted, and when it did so, OTMoveIt had disappeared from the desktop. Is that normal, or did I do something foolish?

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:52, on 28/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Genius\ioCentre\gTaskBar.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Genius\ioCentre\gMouseTask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Genius\ioCentre\gKbdTask.exe
C:\Genius\ioCentre\gAutoPan.exe
C:\Genius\ioCentre\gAutoScroll.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Genius\ioCentre\gZoom.exe
C:\Genius\ioCentre\gMGlass.exe
C:\Genius\ioCentre\gIMMgm.exe
C:\Genius\ioCentre\gDeskMgm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Genius\ioCentre\gTaskSwitch.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ioCentre] C:\Genius\ioCentre\gTaskBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 8201 bytes

Re. McAfee:

I have the Enterprise 8.5i version - it was downloaded from the Cambridge University website (all students get access to the university's antivirus), so presumably it is up to date. I downloaded all of the updates before scanning, and it still found nothing though.

Thanks once more for your help.
VicenteSD is offline  
Old 08-28-2007, 03:32 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home


Re: Poss. Trojan Horse - Qhost.gen

Quote:
OTMoveIt had disappeared from the desktop. Is that normal?
Yes, it self-deleted, hence the reboot...also cleans up other tools and logs.



Your logs appear clean. You should be good to go. We still have a few items to address.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial
  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

    Do not install more than one firewall program because they will conflict with each other.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
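The MVPS HOSTS advice in the post above and the Qhost detection that started this thread are two sides of the same file: a blackhole entry points an ad domain at 127.0.0.1 or 0.0.0.0 so the connection never leaves the machine, while a hosts-file hijacker points update or vendor names at a remote address, or blackholes them so security software can no longer update. Below is an added Python example (not code from the thread, from MVPS, or from any tool mentioned here) that parses a hosts file and sorts its entries into benign blackholes, plain redirects, and suspicious entries touching update/vendor names or localhost. The sample file, the vendor-suffix list and the 192.0.2.10 address are constructed for illustration; on Windows XP the real file lives at C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Audit a Windows HOSTS file for hijack-style entries.

Added example, not from the thread. SAMPLE_HOSTS and SENSITIVE_SUFFIXES are
constructed for illustration; 192.0.2.10 is a documentation address.
"""
import ipaddress

# Addresses that only blackhole a name (MVPS style): no traffic leaves the box.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a hosts-file hijacker typically targets so that OS/AV updates fail.
# Assumption for this example; extend with the vendors you actually run.
SENSITIVE_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "mcafee.com",
    "kaspersky.com",
    "pandasoftware.com",
)

SAMPLE_HOSTS = """\
# Constructed sample hosts file (not from the thread)
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # MVPS-style blackhole: harmless
0.0.0.0         ads.example             # another blackhole form
127.0.0.1       www.kaspersky.com       # vendor site blackholed: blocks updates
192.0.2.10      update.microsoft.com    # redirected to a foreign host
192.0.2.10      www.mcafee.com
192.0.2.10      example.org             # plain redirect, worth a look
::1             localhost
not-an-ip       garbage.example         # malformed line, ignored
"""


def parse_hosts(text):
    """Return [(ip, hostname, line_no), ...] for every mapping in a hosts file.

    Comments (# ...) are stripped, blank lines skipped, and a line whose first
    field is not a valid IPv4/IPv6 address is ignored rather than guessed at.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), line_no))
    return entries


def classify(ip, name):
    """Label one mapping: localhost, hijack, blackhole or redirect.

    Order matters: a vendor/update name is suspicious whatever address it
    points at, because blackholing it is exactly how update blocking works.
    """
    if name == "localhost":
        return "localhost" if ipaddress.ip_address(ip).is_loopback else "hijack"
    if any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES):
        return "hijack"
    if ip in BLACKHOLE_ADDRESSES:
        return "blackhole"
    return "redirect"


def audit_hosts(text):
    """Group every mapping by classification: {label: [(line_no, ip, name)]}."""
    report = {"localhost": [], "hijack": [], "blackhole": [], "redirect": []}
    for ip, name, line_no in parse_hosts(text):
        report[classify(ip, name)].append((line_no, ip, name))
    return report


def has_suspicious_entries(report):
    """True when anything needs a human look (hijacks or off-box redirects)."""
    return bool(report["hijack"] or report["redirect"])


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for label in ("hijack", "redirect", "blackhole", "localhost"):
        for line_no, ip, name in result[label]:
            print(f"{label:9} line {line_no:3}: {ip:15} {name}")
    print("suspicious:", has_suspicious_entries(result))
```

To run it against a live machine, read the real hosts file into `audit_hosts` instead of `SAMPLE_HOSTS`; a clean MVPS install shows only `localhost` and `blackhole` rows, so any `hijack` or `redirect` row is the thing to investigate.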
Old 08-28-2007, 03:44 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 8
OS: XP


Re: Poss. Trojan Horse - Qhost.gen

All is running well - the trojan has gone as far as I can tell. I've done as suggested above, and all is working fine.

This is the second time you guys have bailed me out of a sticky situation. You people are incredible, and really restore the faith in the human race :)

*goes to paypal to donate*

Thanks :D
VicenteSD is offline  
Old 08-28-2007, 03:46 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,757
OS: 2000 Pro; XP Pro; XP Home


Re: Poss. Trojan Horse - Qhost.gen

You're welcome!

Surf Safely out there.
tetonbob is offline  
 


Copyright 2001 - 2009, Tech Support Forum