hijack log


4 replies to this topic

#1 OFFLINE   dipset4life

    Newbie

  • Members
  • 8 posts

Posted 30 November 2007 - 06:23 PM

Hey, this is my hijack analysis. I had a trojan removed a couple of days ago but am still getting pop-ups. Can anyone help me out? Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ?? 10:16:34, on 2007-11-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
D:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [40ae03d8] rundll32.exe "C:\WINDOWS\system32\naaipykx.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\wvtbhoru.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wvtbhoru.exe (file missing)
O23 - Service: iPod ??? (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--
End of file - 3837 bytes

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 December 2007 - 11:41 AM

Hi dipset4life, welcome to the forum.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Next, download this file (combofix.exe) and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running, as it may cause it to stall.

Please then post back the ComboFix log, VundoFix log and a new HijackThis log.

Cheers

Andy

#3 OFFLINE   dipset4life


Posted 07 December 2007 - 05:42 AM

OK, here are the 3 logs:

ComboFix Log


ComboFix 07-12-07.3 - home 2007-12-05 21:12:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -8:00]
Running from: C:\Documents and Settings\home\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\home\Application Data\macromedia\Flash Player\#SharedObjects\GZQF5457\www.broadcaster.com
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\home\Favorites\Online Security Guide.lnk
C:\Program Files\fnts~1
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1.net
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\bnpnmsbd.exe
C:\WINDOWS\system32\bogygpkq.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\hggdebc.dll
C:\WINDOWS\system32\iggbujhd.dll
C:\WINDOWS\system32\jsuqlhfy.dll
C:\WINDOWS\system32\lktajvxj.dll
C:\WINDOWS\system32\ltyqusft.exe
C:\WINDOWS\system32\lzghpqgi.dll
C:\WINDOWS\system32\msgycatw.dll
C:\WINDOWS\system32\msmbfvft.dll
C:\WINDOWS\system32\oohbenye.exe
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\qpnjpujx.dll
C:\WINDOWS\system32\sqqcbrsv.exe
C:\WINDOWS\system32\sxvwwymb.dll
C:\WINDOWS\system32\tfvfbmsm.ini
C:\WINDOWS\system32\tvioqsxs.exe
C:\WINDOWS\system32\umfjvmsh.dll
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\ututv.ini2
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\wcchnpqh.dll
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\xqhpqepc.dll
C:\WINDOWS\system32\xxoexpkt.dll
C:\WINDOWS\system32\xxyaayv.dll
C:\WINDOWS\system32\xygnrlue.exe
C:\WINDOWS\system32\ybawdsus.dll
C:\WINDOWS\system32\yfhlqusj.ini
C:\WINDOWS\system32\yrtyfmgl.exe
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-05 19:17 . 2007-12-05 19:17 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-05 18:30 . 2007-12-05 18:30 <DIR> d-------- C:\VundoFix Backups
2007-12-05 16:31 . 2007-12-05 16:31 74,304 --a------ C:\WINDOWS\system32\brphghvi.exe
2007-12-02 21:26 . 2007-08-20 02:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-02 21:26 . 2007-04-17 01:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-02 21:26 . 2007-03-07 21:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-02 21:26 . 2007-08-20 02:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-02 21:26 . 2007-08-20 02:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-02 21:26 . 2007-08-20 02:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-02 21:26 . 2007-08-20 02:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-02 21:26 . 2007-08-20 02:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-02 21:26 . 2007-08-17 02:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-02 21:10 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-02 20:35 . 2007-12-02 20:35 <DIR> d-------- C:\Program Files\Dr Delete
2007-12-02 20:23 . 2007-12-02 20:23 <DIR> d-------- C:\Program Files\BitComet
2007-12-02 20:22 . 2007-12-05 21:06 <DIR> d-------- C:\Program Files\hijack
2007-12-02 18:46 . 2007-12-02 18:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 18:46 . 2007-12-02 18:46 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-02 11:09 . 2007-12-05 16:30 749,258 --ahs---- C:\WINDOWS\system32\fgwbrwds.ini
2007-11-29 11:05 . 2007-11-29 11:06 <DIR> d-------- C:\Program Files\0900a5a2802e97be
2007-11-28 17:45 . 2007-12-02 11:08 792,052 --ahs---- C:\WINDOWS\system32\xkypiaan.ini
2007-11-27 15:38 . 2007-11-28 17:41 790,379 --ahs---- C:\WINDOWS\system32\jfkbcrvo.ini
2007-11-25 11:59 . 2007-11-27 15:33 789,949 --ahs---- C:\WINDOWS\system32\ogsetsjf.ini
2007-11-24 11:59 . 2007-11-25 09:47 474 --ahs---- C:\WINDOWS\system32\kuutjgtd.ini
2007-11-22 15:40 . 2007-11-22 18:04 3,678 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 15:37 . 2001-12-13 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-22 15:37 . 2001-12-13 12:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2007-11-22 15:37 . 2001-12-13 11:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-22 13:46 . 2007-12-02 20:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-22 13:46 . 2007-11-22 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 13:45 . 2007-11-22 13:45 <DIR> d-------- C:\Documents and Settings\home\Application Data\SUPERAntiSpyware.com
2007-11-22 12:09 . 2007-11-23 11:27 776,192 --ahs---- C:\WINDOWS\system32\wqesbsrs.ini
2007-11-22 11:42 . 2007-11-22 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-22 11:40 . 2007-11-22 13:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 04:54 --------- d-----w C:\Program Files\3D Home Interiors
2007-12-03 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-29 19:09 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-28 02:21 26,848 ----a-w C:\Documents and Settings\home\Application Data\GDIPFONTCACHEV1.DAT
2007-11-22 19:42 --------- d-----w C:\Program Files\Lavasoft
2007-05-25 16:16 1,572,112 --sha-w C:\WINDOWS\system32\vyadd.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6BA5362C-A555-4B6C-8B7B-B10F0A017832}]
C:\WINDOWS\system32\ddcyw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 11:02]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [2001-12-18 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 02:03]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [2001-12-18 19:09]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-10-12 21:34]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-10-12 21:27]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-12 22:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_106B5A0.exe [2001-12-21 12:29:38]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=C:\WINDOWS\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\home\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win115.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 19:51 233472 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 11:24 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 21:25:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-07 21:27:49 - machine was rebooted
.
--- E O F ---

Vundo Log

VundoFix V6.7.0

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at ?? 6:30:48 2007-12-05

Listing files found while scanning....

C:\windows\system32\ddcyw.dll
C:\windows\system32\wycdd.ini
C:\windows\system32\wycdd.ini2

Beginning removal...

Attempting to delete C:\windows\system32\ddcyw.dll
C:\windows\system32\ddcyw.dll Has been deleted!

Attempting to delete C:\windows\system32\wycdd.ini
C:\windows\system32\wycdd.ini Has been deleted!

Attempting to delete C:\windows\system32\wycdd.ini2
C:\windows\system32\wycdd.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ?? 9:06:44, on 2007-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINDOWS\system32\hggdebc.dll
O2 - BHO: (no name) - {6BA5362C-A555-4B6C-8B7B-B10F0A017832} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: {7b5cf46e-b1b2-4e58-2864-fc6057b46eed} - {dee64b75-06cf-4682-85e4-2b1be64fc5b7} - C:\WINDOWS\system32\iggbujhd.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [40ae03d8] rundll32.exe "C:\WINDOWS\system32\jsuqlhfy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\wvtbhoru.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggdebc - C:\WINDOWS\SYSTEM32\hggdebc.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wvtbhoru.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--
End of file - 5404 bytes

#4 OFFLINE   AndyManchesta


Posted 07 December 2007 - 11:03 AM

Thanks, Dipset,

ComboFix removed a lot of junk as well as a nasty rootkit named Rustock, so that's a great start. There's still a lot to do, though, but let me know if you have any problems along the way :)

Go to Start > Run, then type or copy/paste

sc delete DomainService

Press OK; you will just notice the cmd screen flash on and then off again, and the service will be removed.


Run HijackThis and choose Do A System Scan, then place a check next to these entries:

O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINDOWS\system32\hggdebc.dll
O2 - BHO: (no name) - {6BA5362C-A555-4B6C-8B7B-B10F0A017832} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O2 - BHO: {7b5cf46e-b1b2-4e58-2864-fc6057b46eed} - {dee64b75-06cf-4682-85e4-2b1be64fc5b7} - C:\WINDOWS\system32\iggbujhd.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [40ae03d8] rundll32.exe "C:\WINDOWS\system32\jsuqlhfy.dll",b
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\wvtbhoru.exe
O20 - Winlogon Notify: hggdebc - C:\WINDOWS\SYSTEM32\hggdebc.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)

Close all open browser windows and any other windows except for HijackThis, and press the Fix Checked button.


Next, open Notepad and copy/paste the text in the quote box below into it (making File:: the top line in Notepad).

Quote

File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\brphghvi.exe
C:\WINDOWS\system32\fgwbrwds.ini
C:\WINDOWS\system32\xkypiaan.ini
C:\WINDOWS\system32\jfkbcrvo.ini
C:\WINDOWS\system32\ogsetsjf.ini
C:\WINDOWS\system32\kuutjgtd.ini
C:\WINDOWS\system32\wqesbsrs.ini
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\jsuqlhfy.dll
C:\WINDOWS\system32\hggdebc.dll
C:\WINDOWS\system32\iggbujhd.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6BA5362C-A555-4B6C-8B7B-B10F0A017832}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A2224A0-B114-4491-9305-FD0E4B55FA1E}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^findfast.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

DirLook::
C:\Program Files\0900a5a2802e97be


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt" which I will need in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Please then use the Internet Explorer browser (or Firefox with IETab) and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        Extended
    • Scan Options:
        Scan Archives
        Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Finally generate a report of the Add/Remove screen entries:
Open HijackThis and click the Misc Tools button (or Config... then Misc Tools if it's open on the scan window).
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the new ComboFix log, Kaspersky log, uninstall list and a new HijackThis log. Please post the reports in separate replies if needed, to make sure all the information is included.

Cheers
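The entries the moderator checks above share a recognisable pattern: random-named DLLs in system32 started through rundll32, BHOs with no display name, Winlogon Notify handlers nobody installed, and services whose binary is already gone. The following Python script is an added example, not part of this thread and not code from HijackThis or ComboFix; it applies those indicators to HijackThis log lines, using a subset of the second log posted above as sample input (the allow-lists are constructed for the example and are deliberately small).

```python
"""Heuristic triage of HijackThis log lines for Vundo-style launch points.
Added example, not HijackThis or ComboFix code; allow-lists are constructed."""
import re
from typing import List, Tuple

# Constructed allow-list: legitimate binaries with short, random-looking names.
KNOWN_GOOD = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe", "jusched.exe", "ssv.dll"}
# Constructed allow-list of Winlogon Notify handlers (SUPERAntiSpyware's here).
KNOWN_NOTIFY = {"!saswinlogon"}

RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.(dll|exe)$")   # e.g. jsuqlhfy.dll, ddcyw.dll
HEX_ENTRY = re.compile(r"^[0-9a-f]{8}$")                # Run value named like 40ae03d8
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
LINE = re.compile(r"^(R\d|O\d+) - (.*)$")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> List[str]:
    """Reasons one HijackThis line looks suspicious; empty list if none."""
    m = LINE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons: List[str] = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("launch point refers to a file that is already gone")

    if section == "O4":  # Run key / startup folder entries
        rm = re.search(r"\[([^\]]+)\]\s*(.*)$", body)
        name, command = (rm.group(1), rm.group(2)) if rm else ("", body.split(": ", 1)[-1])
        if HEX_ENTRY.match(name.lower()):
            reasons.append(f"Run value name '{name}' is eight hex digits, not a product name")
        rd = re.search(r'rundll32\.exe\s+"?([^",]+)"?\s*,\s*(\w+)', command, re.I)
        target = basename(rd.group(1)) if rd else basename(command)
        if RANDOM_NAME.match(target) and target not in KNOWN_GOOD:
            how = f"through rundll32 export '{rd.group(2)}'" if rd else "directly"
            reasons.append(f"random-named binary {target} is started {how}")
    elif section in ("O2", "O3"):  # "BHO: name - {CLSID} - path"; Toolbar likewise
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].split(": ", 1)[-1]
        if name == "(no name)" or GUID.match(name):
            reasons.append(f"{section} object is registered without a display name")
        if section == "O2" and len(parts) >= 3:
            target = basename(parts[2].replace("(file missing)", ""))
            if RANDOM_NAME.match(target) and target not in KNOWN_GOOD:
                reasons.append(f"BHO is implemented by random-named DLL {target}")
    elif section == "O20":  # Winlogon Notify handlers run inside winlogon.exe
        handler, _, dll = body.split(": ", 1)[-1].partition(" - ")
        if handler.lower() not in KNOWN_NOTIFY:
            reasons.append(f"unrecognised Winlogon Notify handler '{handler}'")
            if RANDOM_NAME.match(basename(dll.replace("(file missing)", ""))):
                reasons.append("Winlogon Notify handler is a random-named DLL")
    elif section == "O23" and "unknown owner" in low:
        reasons.append("service has no publisher information (Unknown owner)")
    return reasons


def triage_log(log_text: str) -> List[Tuple[str, List[str]]]:
    """(line, reasons) for every line that triggers at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Constructed sample: a subset of the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3A2224A0-B114-4491-9305-FD0E4B55FA1E} - C:\WINDOWS\system32\hggdebc.dll
O2 - BHO: (no name) - {6BA5362C-A555-4B6C-8B7B-B10F0A017832} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: {7b5cf46e-b1b2-4e58-2864-fc6057b46eed} - {dee64b75-06cf-4682-85e4-2b1be64fc5b7} - C:\WINDOWS\system32\iggbujhd.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [40ae03d8] rundll32.exe "C:\WINDOWS\system32\jsuqlhfy.dll",b
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\wvtbhoru.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggdebc - C:\WINDOWS\SYSTEM32\hggdebc.dll
O20 - Winlogon Notify: winbjt32 - winbjt32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wvtbhoru.exe (file missing)
"""

if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

On the sample above the script flags exactly the eight HijackThis entries the moderator lists plus the DomainService service removed with `sc delete`, while leaving the Java, Intel, SUPERAntiSpyware and Ad-Aware entries alone.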

#5 OFFLINE   dipset4life


Posted 08 December 2007 - 05:33 AM

Thanks for your help so far. Here are the next 4 logs.

New Combo Fix Log:


ComboFix 07-12-07.3 - home 2007-12-08 12:55:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT -8:00]
Running from: D:\Programs\ComboFix.exe
Command switches used :: D:\Documents\Logs\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\brphghvi.exe
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\fgwbrwds.ini
C:\WINDOWS\system32\hggdebc.dll
C:\WINDOWS\system32\iggbujhd.dll
C:\WINDOWS\system32\jfkbcrvo.ini
C:\WINDOWS\system32\jsuqlhfy.dll
C:\WINDOWS\system32\kuutjgtd.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ogsetsjf.ini
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\wqesbsrs.ini
C:\WINDOWS\system32\xkypiaan.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\brphghvi.exe
C:\WINDOWS\system32\fgwbrwds.ini
C:\WINDOWS\system32\jfkbcrvo.ini
C:\WINDOWS\system32\kuutjgtd.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ogsetsjf.ini
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\wqesbsrs.ini
C:\WINDOWS\system32\xkypiaan.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-05 18:30 . 2007-12-05 18:30 <DIR> d-------- C:\VundoFix Backups
2007-12-02 21:26 . 2007-08-20 02:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-02 21:26 . 2007-04-17 01:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-02 21:26 . 2007-03-07 21:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-02 21:26 . 2007-08-20 02:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-02 21:26 . 2007-08-20 02:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-02 21:26 . 2007-08-20 02:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-02 21:26 . 2007-08-20 02:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-02 21:26 . 2007-08-20 02:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-02 21:26 . 2007-08-17 02:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-02 21:10 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-02 20:35 . 2007-12-02 20:35 <DIR> d-------- C:\Program Files\Dr Delete
2007-12-02 20:23 . 2007-12-02 20:23 <DIR> d-------- C:\Program Files\BitComet
2007-12-02 20:22 . 2007-12-08 12:50 <DIR> d-------- C:\Program Files\hijack
2007-12-02 18:46 . 2007-12-02 18:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-02 18:46 . 2007-12-02 18:46 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-29 11:05 . 2007-11-29 11:06 <DIR> d-------- C:\Program Files\0900a5a2802e97be
2007-11-22 15:40 . 2007-11-22 18:04 3,678 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 15:37 . 2001-12-13 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-22 15:37 . 2001-12-13 12:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2007-11-22 15:37 . 2001-12-13 11:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-22 13:46 . 2007-12-02 20:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-22 13:46 . 2007-11-22 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 13:45 . 2007-11-22 13:45 <DIR> d-------- C:\Documents and Settings\home\Application Data\SUPERAntiSpyware.com
2007-11-22 11:42 . 2007-11-22 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-22 11:40 . 2007-11-22 13:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 04:54 --------- d-----w C:\Program Files\3D Home Interiors
2007-12-03 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-29 19:09 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-28 02:21 26,848 ----a-w C:\Documents and Settings\home\Application Data\GDIPFONTCACHEV1.DAT
2007-11-22 19:42 --------- d-----w C:\Program Files\Lavasoft
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files900a5a2802e97be ----

C:\Program Files900a5a2802e97be\


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2001-04-26 11:02]
"WebTrapNT.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe" [2001-12-18 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 02:03]
"Pop3trap.exe"="C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe" [2001-12-18 19:09]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-10-12 21:34]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-10-12 21:27]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-12 22:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Real-time Monitor.lnk - C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_106B5A0.exe [2001-12-21 12:29:38]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=C:\WINDOWS\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 19:51 233472 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 11:24 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime


.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 12:57:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 12:58:40
C:\ComboFix2.txt ... 2007-12-07 21:27
.
--- E O F ---

Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 08, 2007 9:16:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/12/2007
Kaspersky Anti-Virus database records: 476970
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 48331
Number of viruses found: 22
Number of infected objects: 109
Number of suspicious objects: 0
Duration of the scan process: 01:56:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\cert8.db Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\history.dat Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\key3.db Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\parent.lock Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\search.sqlite Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\home\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\home\Local Settings\Application Data\Mozilla\Firefox\Profiles\jgil09am.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\home\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\home\ntuser.dat Object is locked skipped
C:\Documents and Settings\home\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bnpnmsbd.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bogygpkq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jsuqlhfy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\lktajvxj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.h skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ltyqusft.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\lzghpqgi.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\msgycatw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\msmbfvft.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oohbenye.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qpnjpujx.dll.vir Infected: Trojan.Win32.BHO.zo skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sqqcbrsv.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\tvioqsxs.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xxoexpkt.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xxyaayv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xygnrlue.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yrtyfmgl.exe.vir Infected: Trojan.Win32.Obfuscated.kp skipped
C:\qoobox\Quarantine\catchme2007-12-07_212510.50.zip/hggdebc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\qoobox\Quarantine\catchme2007-12-07_212510.50.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041443.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041443.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041443.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041443.exe/data.rar Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041443.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041448.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041448.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041448.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041448.exe/data.rar Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041448.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041449.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041449.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041449.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041449.exe/data.rar Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041449.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041450.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041450.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041450.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041450.exe/data.rar Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP115\A0041450.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP117\A0042490.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP117\A0042491.dll Infected: Trojan.Win32.BHO.zo skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP117\A0042492.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP117\A0042493.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP117\A0042505.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0043514.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0043515.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0043516.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0043517.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0043519.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044509.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044510.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044511.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044512.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044526.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044527.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044528.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044534.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP119\A0044535.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044540.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044541.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044542.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044543.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044549.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044554.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044555.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044556.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044565.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044566.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044568.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044569.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044572.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044573.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044725.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044726.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044727.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044728.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044729.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044730.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP120\A0044731.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP121\A0046773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP121\A0046841.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP122\A0047896.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP123\A0047916.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP125\A0049139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP129\A0050066.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP130\A0050078.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050098.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050099.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050100.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050101.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050102.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050103.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050104.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050105.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050107.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050108.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.h skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050109.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050110.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050111.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050112.dll Infected: Trojan.Win32.BHO.zo skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050118.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP132\A0050129.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ath skipped
C:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP133\change.log Object is locked skipped
C:\VundoFix Backups\ddcyw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ayv skipped
C:\WINDOWS\$NtUninstallQ307271$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ307271$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ307271$\usbuhci.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ308677$\userenv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ312368$\syssetup.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pss\findfast.exeStartup Infected: Trojan-Downloader.Win32.Agent.eus skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winohw32(2).dll Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP127\A0049791.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP127\A0049791.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP127\A0049791.exe RarSFX: infected - 2 skipped
D:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP127\A0049798.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\System Volume Information\_restore{046F465C-B897-4E66-AE63-526940B5BD49}\RP133\change.log Object is locked skipped

Scan process completed.

Uninstall List:

3D Home Interiors
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
CoreFLAC Audio Decoder+Source Filter (remove only)
DigitalPrint 1.1
Experience VAIO
ffdshow (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp deskjet 5100
ImageStation
ImageStation Demo
J2SE Runtime Environment 5.0 Update 8
Kaspersky Online Scanner
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft XML Parser and SDK
Motion JPEG Software Decoder
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Music Visualizer Library 1.2
Nero 6 Demo
OpenMG Secure Module 3.0.01
PC-cillin 2000
QuickTime
RealPlayer
Samsung PC Studio
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Smart Capture
SonicStage 1.1.00
SonicStage CD-R Writing Module
Sony Certificate PCH
Sony DV Shared Library
Sony on Yahoo! Essentials
SUPERAntiSpyware Free Edition
Support Actions Win2K,WinXP
TurboTax 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VAIO Action Setup
VAIO Brezza Wallpaper
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Registration
VAIO Serenus Wallpaper
VAIO Support
VisualFlow 2.1
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Messenger

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ?? 9:20:50, on 2007-12-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

--
End of file - 4772 bytes