View Full Version : Can't Remove Vundo
I followed the steps before posting this thread. I've tried everythign, I had Symantec AV installed, I've searched online and ran fixvundo, and the symantec vundo removers. I also ran trendmicro AV online. Everytime I run spybot search and destroy vundomonde keeps showing up.
THis is my first time posting in this forum, any help would be greatly appreciated.
-----------------------
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 4:09:25 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Virtual Villagers - The Lost Children\Virtual Villagers - The Lost Children.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75f9b5f7-68ab-4610-ad04-b42b431499a3} - C:\WINDOWS\system32\LXBla2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmpDA9.tmp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5126] command /c del "C:\WINDOWS\system32\LXBla2.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9894] cmd /c del "C:\WINDOWS\system32\LXBla2.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\vtuttsq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: LXBla2 - C:\WINDOWS\SYSTEM32\LXBla2.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-----
Panda Log
Incident Status Location
Virus:W32/ZlFake.A Disinfected Operating system
Virus:Trj/DNSChanger.XB Disinfected Operating system
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@247realmedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@doubleclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@statcounter[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Angie Cheung\Local Settings\Temp\nsh5.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Angie Cheung\Local Settings\Temp\nsj5.tmp
Virus:W32/ZlFake.A Disinfected C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
Virus:W32/ZlFake.A Disinfected C:\Program Files\Symantec AntiVirus\VPTray.exe
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\awvvvts.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\jkhheec.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\jkkjkih.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\mllmnmm.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\ssttuus.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\vturqpo.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\vtuttsq.dll.bad
Virus:W32/ZlFake.A.drp Disinfected C:\WINDOWS\system32\8L7FEeDQ.exe
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\system32\mljggfd.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\system32\ssqpmjh.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\system32\vtsttut.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\system32\vtuttsq.dll ---------------------------------------------------------
Kaspersky Log
[B]KASPERSKY ONLINE SCANNER REPORT Thursday, August 09, 2007 4:04:30 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/08/2007
Kaspersky Anti-Virus database records: 377384
Scan SettingsScan using the following antivirus databaseextendedScan ArchivestrueScan Mail BasestrueScan TargetMy ComputerC:\
D:\
E:\ Scan StatisticsTotal number of scanned objects47010Number of viruses found4Number of infected objects14Number of suspicious objects0Duration of the scan process01:53:29
Infected Object NameVirus NameLast ActionC:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\4BC1BEEB.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B6AA6CE7.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09CC0000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C5C0000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C800000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C800001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F280000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\ipfilter.cache Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\tmp\AZU14222.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\tmp\AZU14223.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\tmp\AZU14224.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\tmp\AZU14225.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\tmp\AZU14226.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\Azureus\tmp\AZU14227.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Application Data\tmp17.tmp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped C:\Documents and Settings\Angie Cheung\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Messenger\angieccheung@gmail.com\SharingMetadata\Logs\Dfsr00005.l og Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Messenger\angieccheung@gmail.com\SharingMetadata\pending.dat Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Messenger\angieccheung@gmail.com\SharingMetadata\Working\database _F22C_6CA6_2C6C_6815\dfsr.db Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Messenger\angieccheung@gmail.com\SharingMetadata\Working\database _F22C_6CA6_2C6C_6815\fsr.log Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Messenger\angieccheung@gmail.com\SharingMetadata\Working\database _F22C_6CA6_2C6C_6815\fsrtmp.log Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Messenger\angieccheung@gmail.com\SharingMetadata\Working\database _F22C_6CA6_2C6C_6815\tmp.edb Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Windows Live Contacts\angieccheung@gmail.com\real\members.stg Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Application Data\Microsoft\Windows Live Contacts\angieccheung@gmail.com\shadow\members.stg Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\fla2FD.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\hsperfdata_Angie Cheung\7832 Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\~DF2B89.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\~DF2D9B.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\~DF87C7.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\~DF87DB.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temp\~DFE9C4.tmp Object is locked skipped C:\Documents and Settings\Angie Cheung\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Angie Cheung\My Documents\LDW\Virtual Villagers - The Lost Children\ldwLog.txt Object is locked skipped C:\Documents and Settings\Angie Cheung\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Angie Cheung\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Symantec AntiVirus\VPTray.exe Infected: Virus.Win32.Agent.ab skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped C:\WINDOWS\system32\config\OSession.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\c_1ntr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\jkhfeba.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped C:\WINDOWS\system32\mljggfd.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped C:\WINDOWS\system32\ssqpmjh.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped C:\WINDOWS\system32\vtsqqon.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped C:\WINDOWS\system32\vtuttsq.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_4fc.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.
Baabiouz
9 Aug 2007, 12:50pm
Hi!
Please download Combofix (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Thanks for your help, I've ran combofix the events are below.
-------------------------------------------------------------------------
ComboFix 07-08-09.3 - "Angie Cheung" 2007-08-09 10:40:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.506 [GMT -4:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp17.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp18.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp305.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp309.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp69.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp72.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp76.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmpDA8.tmp.exe
C:\DOCUME~1\ANGIEC~1\APPLIC~1\tmpDA9.tmp.exe
C:\WINDOWS\system32\dn2c6c6815.dat
C:\WINDOWS\system32\LXBla2.dll
C:\WINDOWS\system32\tmp18.tmp.dll
C:\WINDOWS\system32\tmp309.tmp.dll
C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\system32\vtutt.exe
((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))
2007-08-09 10:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 04:26 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-09 02:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-09 02:04 <DIR> d-------- C:\Program Files\BFG
2007-08-09 01:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-09 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-08 18:41 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-08 18:41 <DIR> d-------- C:\Program Files\Virtual Villagers - The Lost Children
2007-08-08 18:38 <DIR> d-------- C:\Program Files\bfgclient
2007-08-08 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-08-08 18:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-08 11:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-08 11:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 02:01 8,004 --a------ C:\dnsbak.reg
2007-08-06 12:45 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\.housecall6.6
2007-08-06 12:30 <DIR> d-------- C:\VundoFix Backups
2007-08-06 11:18 <DIR> d-------- C:\WINDOWS\CSC
2007-08-06 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-05 12:27 92,730 --a------ C:\WINDOWS\system32\c_1ntr.dll.vir
2007-08-03 11:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-03 11:07 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-08-03 08:36 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Ahead
2007-08-03 08:34 <DIR> d-------- C:\Program Files\Nero
2007-08-03 08:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-02 13:21 <DIR> d-------- C:\Program Files\PartyGaming
2007-08-01 02:51 <DIR> d-------- C:\Program Files\DivX
2007-07-26 20:28 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\vlc
2007-07-26 20:25 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-26 19:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-24 20:48 134,136 --a------ C:\WINDOWS\ColorPic Uninstaller.exe
2007-07-24 20:48 <DIR> d-------- C:\Program Files\ColorPic 4.1
2007-07-24 20:29 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-07-24 10:47 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\WinRAR
2007-07-24 10:15 <DIR> d-------- C:\Program Files\Trillian
2007-07-17 22:48 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-07-17 22:48 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2007-07-17 19:18 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-16 11:16 <DIR> d-------- C:\Program Files\RemoteCalendars
2007-07-16 11:16 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\RemoteCalendars
2007-07-16 11:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-15 23:35 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-15 15:59 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\Contacts
2007-07-13 11:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-12 19:19 247,808 --a------ C:\WINDOWS\system32\npscan.dll
2007-07-12 19:13 <DIR> d-------- C:\Program Files\NCsoft
2007-07-12 19:12 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\InstallShield
2007-07-12 18:48 <DIR> d-------- C:\Program Files\Webteh
2007-07-12 16:36 983,101 --a------ C:\WINDOWS\system32\LXBKGF.DLL
2007-07-12 16:36 90,112 --a------ C:\WINDOWS\system32\LXBKCUR.DLL
2007-07-12 16:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-07-12 16:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-07-12 16:36 86,016 --a------ C:\WINDOWS\system32\LXBKIH.EXE
2007-07-12 16:36 77,824 --a------ C:\WINDOWS\system32\LXBKLCNP.DLL
2007-07-12 16:36 73,728 --a------ C:\WINDOWS\system32\lxbkpwr.dll
2007-07-12 16:36 69,632 --a------ C:\WINDOWS\system32\lxbkscin.dll
2007-07-12 16:36 69,632 --a------ C:\WINDOWS\system32\LXBKCU.DLL
2007-07-12 16:36 57,344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
2007-07-12 16:36 544,768 --a------ C:\WINDOWS\system32\LXBKLSNT.EXE
2007-07-12 16:36 49,152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
2007-07-12 16:36 454,656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
2007-07-12 16:36 40,960 --a------ C:\WINDOWS\system32\lxbkvs.dll
2007-07-12 16:36 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-07-12 16:36 352,256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
2007-07-12 16:36 303,104 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-07-12 16:36 286,720 --a------ C:\WINDOWS\system32\LXBKPMNT.DLL
2007-07-12 16:36 286,720 --a------ C:\WINDOWS\system32\lxbkcomm.dll
2007-07-12 16:36 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-12 16:36 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-12 16:36 217,088 --a------ C:\WINDOWS\system32\LXBKLCNT.DLL
2007-07-12 16:36 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-07-12 16:36 196,096 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-07-12 16:36 192,512 --a------ C:\WINDOWS\system32\LEXLMPM.DLL
2007-07-12 16:36 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-07-12 16:36 155,648 --a------ C:\WINDOWS\system32\LEXPING.EXE
2007-07-12 16:36 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-12 16:36 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-12 16:36 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-07-12 16:36 126,976 --a------ C:\WINDOWS\system32\LXBKCFG.EXE
2007-07-12 16:36 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-07-12 16:35 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-12 16:35 <DIR> d-------- C:\Lxk1100
2007-07-12 16:35 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\WINDOWS
2007-07-12 12:54 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Google
2007-07-12 12:53 <DIR> d-------- C:\Program Files\Google
2007-07-12 12:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-12 12:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-12 11:24 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\AdobeUM
2007-07-12 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-07-12 09:22 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-12 09:20 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-12 09:20 110,256 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-12 09:20 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Symantec
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-12 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-12 02:57 <DIR> d-------- C:\Program Files\Azureus
2007-07-12 02:57 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Azureus
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-12 01:23 0 --a------ C:\WINDOWS\system32\drivers\SET2B.tmp
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-08 18:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-08 18:18]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-08 18:18]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-08 18:19]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-08-08 18:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-13 20:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-08-08 18:18]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-08-08 20:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-15 17:12]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-07-12 11:20:23]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-12 02:55:04]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-12 12:53:30]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-07-12 01:30:44]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\vtuttsq.dll
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R1 eabfiltr;eabfiltr;C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 rimmptsk;rimmptsk;C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
R3 rimsptsk;rimsptsk;C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
R3 rismxdp;Ricoh xD-Picture Card Driver;C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 RimUsb;RIM Handheld;C:\WINDOWS\system32\Drivers\RimUsb.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{2ea73842-307b-11dc-9d09-0016d304a3b6}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
Contents of the 'Scheduled Tasks' folder
2007-08-09 04:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At10.job
2007-08-09 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-08 15:01:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-08 16:01:02 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-06 17:01:02 C:\WINDOWS\Tasks\At14.job
2007-08-06 18:01:02 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-05 14:59:15 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-06 20:01:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-06 21:01:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-08 22:01:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 05:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-08 23:01:01 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 00:01:02 C:\WINDOWS\Tasks\At21.job
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 06:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 07:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 08:00:00 C:\WINDOWS\Tasks\At5.job
2007-08-09 09:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 10:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 11:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\8L7FEeDQ.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 10:43:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-09 10:46:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 10:45
--- E O F ---
-------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:48:22 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: c:\windows\system32\vtuttsq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Baabiouz
9 Aug 2007, 05:42pm
Hi!
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
O20 - AppInit_DLLs: c:\windows\system32\vtuttsq.dll
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
____________________
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\c_1ntr.dll.vir
C:\WINDOWS\system32\drivers\SET2B.tmp
Save this as CFScript.txt
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
_____________________
Please, run Panda Active Scan:
Panda ActiveScan
(http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Do NOT lose it!
Please, send the Panda activescan report.
_____________________
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u2 (http://java.sun.com/javase/downloads/index.jsp).
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
J2SE Runtime Environment 6.0 Update 1
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
_____________________
Please, post a fresh hijackthis log, Combofix log and Panda Active Scan report.
I've completed the above steps as well as updated my java. I've noticed that I'm not getting the symantec virus notifications and that I'm not getting pop-ups, but I'm having trouble posting my logs, because they contain links and I do not as of yet have permission. I've messaged Keebler, and I will post them ASAP.
Thanks,
Angie
Logs below:
-------------
ComboFix 07-08-09.3 - "Angie Cheung" 2007-08-09 13:02:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.540 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Angie Cheung\Desktop\CFScript.txt
FILE::
C:\WINDOWS\system32\c_1ntr.dll.vir
C:\WINDOWS\system32\drivers\SET2B.tmp
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\c_1ntr.dll.vir
C:\WINDOWS\system32\drivers\SET2B.tmp
((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))
2007-08-09 10:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 04:26 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-09 02:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-09 02:04 <DIR> d-------- C:\Program Files\BFG
2007-08-09 01:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-09 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-08 18:41 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-08 18:41 <DIR> d-------- C:\Program Files\Virtual Villagers - The Lost Children
2007-08-08 18:38 <DIR> d-------- C:\Program Files\bfgclient
2007-08-08 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-08-08 18:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-08 11:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-08 11:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 02:01 8,004 --a------ C:\dnsbak.reg
2007-08-06 12:45 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\.housecall6.6
2007-08-06 12:30 <DIR> d-------- C:\VundoFix Backups
2007-08-06 11:18 <DIR> d-------- C:\WINDOWS\CSC
2007-08-06 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-03 11:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-03 11:07 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-08-03 08:36 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Ahead
2007-08-03 08:34 <DIR> d-------- C:\Program Files\Nero
2007-08-03 08:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-02 13:21 <DIR> d-------- C:\Program Files\PartyGaming
2007-08-01 02:51 <DIR> d-------- C:\Program Files\DivX
2007-07-26 20:28 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\vlc
2007-07-26 20:25 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-26 19:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-24 20:48 134,136 --a------ C:\WINDOWS\ColorPic Uninstaller.exe
2007-07-24 20:48 <DIR> d-------- C:\Program Files\ColorPic 4.1
2007-07-24 20:29 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-07-24 10:47 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\WinRAR
2007-07-24 10:15 <DIR> d-------- C:\Program Files\Trillian
2007-07-17 22:48 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-07-17 22:48 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2007-07-17 19:18 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-16 11:16 <DIR> d-------- C:\Program Files\RemoteCalendars
2007-07-16 11:16 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\RemoteCalendars
2007-07-16 11:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-15 23:35 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-15 15:59 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\Contacts
2007-07-13 11:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-12 19:19 247,808 --a------ C:\WINDOWS\system32\npscan.dll
2007-07-12 19:13 <DIR> d-------- C:\Program Files\NCsoft
2007-07-12 19:12 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\InstallShield
2007-07-12 18:48 <DIR> d-------- C:\Program Files\Webteh
2007-07-12 16:36 983,101 --a------ C:\WINDOWS\system32\LXBKGF.DLL
2007-07-12 16:36 90,112 --a------ C:\WINDOWS\system32\LXBKCUR.DLL
2007-07-12 16:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-07-12 16:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-07-12 16:36 86,016 --a------ C:\WINDOWS\system32\LXBKIH.EXE
2007-07-12 16:36 77,824 --a------ C:\WINDOWS\system32\LXBKLCNP.DLL
2007-07-12 16:36 73,728 --a------ C:\WINDOWS\system32\lxbkpwr.dll
2007-07-12 16:36 69,632 --a------ C:\WINDOWS\system32\lxbkscin.dll
2007-07-12 16:36 69,632 --a------ C:\WINDOWS\system32\LXBKCU.DLL
2007-07-12 16:36 57,344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
2007-07-12 16:36 544,768 --a------ C:\WINDOWS\system32\LXBKLSNT.EXE
2007-07-12 16:36 49,152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
2007-07-12 16:36 454,656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
2007-07-12 16:36 40,960 --a------ C:\WINDOWS\system32\lxbkvs.dll
2007-07-12 16:36 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-07-12 16:36 352,256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
2007-07-12 16:36 303,104 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-07-12 16:36 286,720 --a------ C:\WINDOWS\system32\LXBKPMNT.DLL
2007-07-12 16:36 286,720 --a------ C:\WINDOWS\system32\lxbkcomm.dll
2007-07-12 16:36 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-12 16:36 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-12 16:36 217,088 --a------ C:\WINDOWS\system32\LXBKLCNT.DLL
2007-07-12 16:36 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-07-12 16:36 196,096 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-07-12 16:36 192,512 --a------ C:\WINDOWS\system32\LEXLMPM.DLL
2007-07-12 16:36 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-07-12 16:36 155,648 --a------ C:\WINDOWS\system32\LEXPING.EXE
2007-07-12 16:36 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-12 16:36 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-12 16:36 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-07-12 16:36 126,976 --a------ C:\WINDOWS\system32\LXBKCFG.EXE
2007-07-12 16:36 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-07-12 16:35 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-12 16:35 <DIR> d-------- C:\Lxk1100
2007-07-12 16:35 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\WINDOWS
2007-07-12 12:54 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Google
2007-07-12 12:53 <DIR> d-------- C:\Program Files\Google
2007-07-12 12:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-12 12:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-12 11:24 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\AdobeUM
2007-07-12 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-07-12 09:22 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-12 09:20 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-12 09:20 110,256 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-12 09:20 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Symantec
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-12 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-12 02:57 <DIR> d-------- C:\Program Files\Azureus
2007-07-12 02:57 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Azureus
2007-07-12 02:55 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-08 18:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-08 18:18]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-08 18:18]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-08 18:19]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-08-08 18:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-13 20:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-08-08 18:18]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-08-08 20:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-15 17:12]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-07-12 11:20:23]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-12 02:55:04]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-12 12:53:30]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-07-12 01:30:44]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R1 eabfiltr;eabfiltr;C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 rimmptsk;rimmptsk;C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
R3 rimsptsk;rimsptsk;C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
R3 rismxdp;Ricoh xD-Picture Card Driver;C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 RimUsb;RIM Handheld;C:\WINDOWS\system32\Drivers\RimUsb.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{2ea73842-307b-11dc-9d09-0016d304a3b6}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
Contents of the 'Scheduled Tasks' folder
2007-08-09 04:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At10.job
2007-08-09 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-09 15:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 16:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 17:00:00 C:\WINDOWS\Tasks\At14.job
2007-08-06 18:01:02 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-05 14:59:15 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-06 20:01:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-06 21:01:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-08 22:01:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 05:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-08 23:01:01 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 00:01:02 C:\WINDOWS\Tasks\At21.job
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 06:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 07:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 08:00:00 C:\WINDOWS\Tasks\At5.job
2007-08-09 09:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 10:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 11:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\8L7FEeDQ.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\8L7FEeDQ.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://www.gmer.net/)
Rootkit scan 2007-08-09 13:06:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-09 13:08:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 13:08
C:\ComboFix2.txt ... 2007-08-09 10:46
--- E O F ---
------------
Incident Status Location
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@atdmt[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Angie Cheung\Cookies\angie cheung@statse.webtrendslive[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Angie Cheung\Desktop\ComboFix.exe[nircmd.exe]
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\jkhfeba.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\jkhfffe.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\mljggfd.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\ssqpmjh.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\vtsqqon.dll.bad
Virus:Trj/DNSChanger.XB Disinfected C:\VundoFix Backups\vtuttsq.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Baabiouz
10 Aug 2007, 09:59am
Hi!
Let's use again combo script:
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\system32\8L7FEeDQ.exe
Save this as CFScript.txt
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
_________________________
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' i at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gifat the right, and the scan will start.
his will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply
________________________
Please, post dr.web cure's raport, a fresh Hijackthis log and Combofix log :)
Hi thanks again for your patience and resourcefulness.
I followed the instructions. Ran the script in combofix and then ran dr. web, and i rebooted and then ran hijackthis to get a new log.
The result are below:
ComboFix 07-08-09.3 - "Angie Cheung" 2007-08-10 10:35:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.504 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Angie Cheung\Desktop\CFScript.txt
FILE::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\system32\8L7FEeDQ.exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))
2007-08-09 10:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 04:26 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-09 02:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-09 02:04 <DIR> d-------- C:\Program Files\BFG
2007-08-09 01:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-09 01:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-08 18:41 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-08 18:41 <DIR> d-------- C:\Program Files\Virtual Villagers - The Lost Children
2007-08-08 18:38 <DIR> d-------- C:\Program Files\bfgclient
2007-08-08 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-08-08 18:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-08 11:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-08 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-08 11:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-08 02:01 8,004 --a------ C:\dnsbak.reg
2007-08-06 12:45 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\.housecall6.6
2007-08-06 12:30 <DIR> d-------- C:\VundoFix Backups
2007-08-06 11:18 <DIR> d-------- C:\WINDOWS\CSC
2007-08-06 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-03 11:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-03 11:07 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-08-03 08:36 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Ahead
2007-08-03 08:34 <DIR> d-------- C:\Program Files\Nero
2007-08-03 08:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-02 13:21 <DIR> d-------- C:\Program Files\PartyGaming
2007-08-01 02:51 <DIR> d-------- C:\Program Files\DivX
2007-07-26 20:28 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\vlc
2007-07-26 20:25 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-26 19:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-24 20:48 134,136 --a------ C:\WINDOWS\ColorPic Uninstaller.exe
2007-07-24 20:48 <DIR> d-------- C:\Program Files\ColorPic 4.1
2007-07-24 20:29 <DIR> d-------- C:\Program Files\Common Files\Research In Motion
2007-07-24 10:47 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\WinRAR
2007-07-24 10:15 <DIR> d-------- C:\Program Files\Trillian
2007-07-17 22:48 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2007-07-17 22:48 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2007-07-17 19:18 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-16 11:16 <DIR> d-------- C:\Program Files\RemoteCalendars
2007-07-16 11:16 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\RemoteCalendars
2007-07-16 11:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-15 23:35 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-15 15:59 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\Contacts
2007-07-13 11:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-12 19:19 247,808 --a------ C:\WINDOWS\system32\npscan.dll
2007-07-12 19:13 <DIR> d-------- C:\Program Files\NCsoft
2007-07-12 19:12 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\InstallShield
2007-07-12 18:48 <DIR> d-------- C:\Program Files\Webteh
2007-07-12 16:36 983,101 --a------ C:\WINDOWS\system32\LXBKGF.DLL
2007-07-12 16:36 90,112 --a------ C:\WINDOWS\system32\LXBKCUR.DLL
2007-07-12 16:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-07-12 16:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-07-12 16:36 86,016 --a------ C:\WINDOWS\system32\LXBKIH.EXE
2007-07-12 16:36 77,824 --a------ C:\WINDOWS\system32\LXBKLCNP.DLL
2007-07-12 16:36 73,728 --a------ C:\WINDOWS\system32\lxbkpwr.dll
2007-07-12 16:36 69,632 --a------ C:\WINDOWS\system32\lxbkscin.dll
2007-07-12 16:36 69,632 --a------ C:\WINDOWS\system32\LXBKCU.DLL
2007-07-12 16:36 57,344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
2007-07-12 16:36 544,768 --a------ C:\WINDOWS\system32\LXBKLSNT.EXE
2007-07-12 16:36 49,152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
2007-07-12 16:36 454,656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
2007-07-12 16:36 40,960 --a------ C:\WINDOWS\system32\lxbkvs.dll
2007-07-12 16:36 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-07-12 16:36 352,256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
2007-07-12 16:36 303,104 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-07-12 16:36 286,720 --a------ C:\WINDOWS\system32\LXBKPMNT.DLL
2007-07-12 16:36 286,720 --a------ C:\WINDOWS\system32\lxbkcomm.dll
2007-07-12 16:36 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-07-12 16:36 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-12 16:36 217,088 --a------ C:\WINDOWS\system32\LXBKLCNT.DLL
2007-07-12 16:36 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-07-12 16:36 196,096 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-07-12 16:36 192,512 --a------ C:\WINDOWS\system32\LEXLMPM.DLL
2007-07-12 16:36 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-07-12 16:36 155,648 --a------ C:\WINDOWS\system32\LEXPING.EXE
2007-07-12 16:36 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-07-12 16:36 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-07-12 16:36 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-07-12 16:36 126,976 --a------ C:\WINDOWS\system32\LXBKCFG.EXE
2007-07-12 16:36 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-07-12 16:35 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-12 16:35 <DIR> d-------- C:\Lxk1100
2007-07-12 16:35 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\WINDOWS
2007-07-12 12:54 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Google
2007-07-12 12:53 <DIR> d-------- C:\Program Files\Google
2007-07-12 12:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-12 12:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-12 11:24 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\AdobeUM
2007-07-12 09:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-07-12 09:22 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-12 09:20 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-12 09:20 110,256 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-12 09:20 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Symantec
2007-07-12 09:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-12 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-12 02:57 <DIR> d-------- C:\Program Files\Azureus
2007-07-12 02:57 <DIR> d-------- C:\DOCUME~1\ANGIEC~1\APPLIC~1\Azureus
2007-07-12 02:55 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-08 18:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-08 18:18]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-08 18:18]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-08 18:19]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-08-08 18:18]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-13 20:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-08-08 18:18]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-08-08 20:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-05-15 17:12]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-07-12 11:20:23]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-12 02:55:04]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-12 12:53:30]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-07-12 01:30:44]
R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
R1 eabfiltr;eabfiltr;C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI;C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
R3 rimmptsk;rimmptsk;C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
R3 rimsptsk;rimsptsk;C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
R3 rismxdp;Ricoh xD-Picture Card Driver;C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 RimUsb;RIM Handheld;C:\WINDOWS\system32\Drivers\RimUsb.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{2ea73842-307b-11dc-9d09-0016d304a3b6}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 10:36:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000739
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-10 10:37:15
C:\ComboFix-quarantined-files.txt ... 2007-08-10 10:37
C:\ComboFix2.txt ... 2007-08-09 13:08
C:\ComboFix3.txt ... 2007-08-09 10:46
--- E O F ---
-------------
backup-20070808-104545-459.dll;C:\Program Files\Hijackthis\backups;Trojan.Virtumod;Deleted.;backup-20070808-104700-464.dll;C:\Program Files\Hijackthis\backups;Trojan.Virtumod;Deleted.;backup-20070808-104700-672.dll;C:\Program Files\Hijackthis\backups;Trojan.Virtumod;Deleted.;backup-20070808-110257-636.dll;C:\Program Files\Hijackthis\backups;Trojan.Virtumod;Deleted.;backup-20070808-113009-762.dll;C:\Program Files\Hijackthis\backups;Trojan.Virtumod;Deleted.;tmp17.tmp.exe.vir;C:\QooBox\Qu arantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;Deleted.;tmp18.tmp.exe.vir ;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;Deleted.;tmp3 .tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;D eleted.;tmp305.tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Tro jan.Virtumod;Deleted.;tmp309.tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~ 1\APPLIC~1;Trojan.Virtumod;Deleted.;tmp69.tmp.exe.vir;C:\QooBox\Quarantine\C\DOC UME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;Deleted.;tmp72.tmp.exe.vir;C:\QooBox\Qua rantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;Deleted.;tmp76.tmp.exe.vir; C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;Deleted.;tmp9. tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Trojan.Virtumod;De leted.;tmpDA8.tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1\APPLIC~1;Troj an.Virtumod;Deleted.;tmpDA9.tmp.exe.vir;C:\QooBox\Quarantine\C\DOCUME~1\ANGIEC~1 \APPLIC~1;Trojan.Virtumod;Deleted.;c_1ntr.dll.vir.vir;C:\QooBox\Quarantine\C\WIN DOWS\system32;Adware.Duncan.34;Incurable.Moved.;tmp18.tmp.dll.vir;C:\QooBox\Quar antine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;tmp309.tmp.dll.vir;C:\QooBox\ Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;tmp9.tmp.dll.vir;C:\QooBo x\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;vtutt.exe.vir;C:\QooBox \Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;tmpDA9.tmp.dll.bad;C:\Vu ndoFix Backups;Trojan.Virtumod;Deleted.;
--------------
Logfile of HijackThis v1.99.1
Scan saved at 12:25:55 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Baabiouz
10 Aug 2007, 06:33pm
Hi!
Your log looks clean :D Do you have problems?
I'm not entirely sure, I'm not getting virus notifications or pop-ups but my Symantec AV is still disabled.
Baabiouz
10 Aug 2007, 10:05pm
...And you can't enable it?
No when i try to enable the autoprotect it just disables itself again.
Baabiouz
10 Aug 2007, 10:52pm
Have you tried reinstall Symantec?
I uninstalled Symantec and installed Kaspersky which seems to be a better product. It looks like i'm all good now. Thanks again for all your help.
Baabiouz
11 Aug 2007, 08:32am
Hi!
Please, send a fresh hijackthis log. Why? - Beckause Symantec doesn't leave always easily.
Yeah I've noticed that problem with Symantec before as well. Thanks again.
Logfile of HijackThis v1.99.1
Scan saved at 6:30:31 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
Baabiouz
12 Aug 2007, 07:35am
Hi!
Yep, there is Symantec's Liveupdate.
Let's delete it:
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
_______________
1. Go to Start->Run and type in notepad and hit OK.
2. Then copy and paste the content of the following codebox into Notepad:
sc stop LiveUpdate
sc delete LiveUpdate
del delete.bat
3. Save the file as "delete.bat". Make sure to save it with the quotation marks.
4. Double click delete.bat.
_______________
Pleas