Virtumonde etc...

Post by Dylwaugh » May 29th, 2008, 10:09 am

Hi guys.

My comp is very slow, apparently got the Virtumonde virus.

I've tried Spyware Doctor to sort out the problems, to no avail.

My Firefox won't open certain webpages, and I get plenty of iexplorer popups (i.e. celldorado etc.).

Here are the logs from the online Kaspersky and HJT.

Thanks in advance.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 2:52:20 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 811615
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 175809
Number of viruses found: 11
Number of infected objects: 80
Number of suspicious objects: 0
Duration of the scan process: 01:46:44

Infected Object Name / Virus Name / Last Action
C:\Program Files\HP Connections\6811507\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\L0000003.FCS Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\ProSB\Support.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\ProSB\Support.exe 7-Zip: infected - 1 skipped
C:\Program Files\ProSB\Support.exe UPX: infected - 1 skipped
C:\ProgramData\McAfee\MNA\NAData Object is locked skipped
C:\ProgramData\McAfee\MPF\data\log.edb Object is locked skipped
C:\ProgramData\McAfee\MPF\data\logout.edb Object is locked skipped
C:\ProgramData\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\ProgramData\McAfee\MSC\McUsers.dat Object is locked skipped
C:\ProgramData\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bbb78300220bcb9b83c3dbaf43e6cd3b_311cff53-0acf-4dea-9647-91f5d2335b92 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bbb78300220bcb9b83c3dbaf43e6cd3b_fa270d0c-e8c0-4426-b4f8-326139a300f1 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\moorate[1] Infected: Trojan.Win32.KillAV.rf skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJ18P0Z0\hctp[1] Infected: Trojan.Win32.Monder.fc skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJ18P0Z0\kriv[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5856E298-658A-4DD5-8484-760D6680EC58}.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{85D50659-9E85-48E5-88E3-41771F4E5868}.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BA81ACF8-326F-433A-889F-3CC3252FA815}.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat{de469c33-2a38-11dc-9037-0017a4e77d16}.TM.blf Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat{de469c33-2a38-11dc-9037-0017a4e77d16}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat{de469c33-2a38-11dc-9037-0017a4e77d16}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Business Contact Manager\MSSmallBusiness.ldf Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Business Contact Manager\MSSmallBusiness.mdf Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows Defender\FileTracker\{13F8077B-6411-49E6-A570-B4C11233C916} Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\Acr6F66.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\Acr6FCF.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\awtuuRLC.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\bnbubooo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\cbXNETKe.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\ddcDwxyX.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\ddcYqqOe.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\E88B.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\einoouij.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\exxsyxoj.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\fccDtTjk.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\hfwbuqfy.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\hgGVpmLc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sta skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\hgGvvtuS.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\khfGyvwx.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\lilo4 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\lilo5 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\ljJBtQgf.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\ljJCuRKC.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\nnNeDstu.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\nnnmlIbA.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\pmNGwxya.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\pmnmlkHb.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\pmnoMcCs.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\qOIyWnLD.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\qoMghihH.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\rqRLeddD.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\skeyiaey.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\ssqoLDSL.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\ssqPjklk.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tescktrt.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp00017001 Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp0002c522 Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp0002c84d Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp0002d8ff Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp0002da95 Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp0002e83c Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp0002fff0 Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp00037f5c Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tmp00073c15 Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tuVlLDSi.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\tuvWnmmK.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\vtUonnlk.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\waxouwfa.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\xxywTNFx.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\yayvSmJb.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\yaywwVPG.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\~DFE59D.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\VirtualStore\Windows\Temp\Cookies\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\VirtualStore\Windows\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\VirtualStore\Windows\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Templates\NormalEmail.dotm Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\cert8.db Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\formhistory.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\history.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\key3.db Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\parent.lock Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\search.sqlite Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\spybotsd152.exe/data0000.cab/is153202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\spybotsd152.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\spybotsd152.exe Rsrc-Package: infected - 2 skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar/Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]/spybotsd152.exe/data0000.cab/is153202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar/Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]/spybotsd152.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar/Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]/spybotsd152.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar RAR: infected - 3 skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface)\WRAR4.65.exe/winupdaters.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface)\WRAR4.65.exe CreateInstall: infected - 1 skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface).zip/WinRAR.v4.65(cracked) (totally new interface)/WRAR4.65.exe/winupdaters.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface).zip/WinRAR.v4.65(cracked) (totally new interface)/WRAR4.65.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface).zip ZIP: infected - 2 skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\sdsetup.exe/data0000.cab/is153056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\sdsetup.exe Rsrc-Package: infected - 2 skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab/is153055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe Rsrc-Package: infected - 2 skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/sdsetup.exe/data0000.cab/is153056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/sdsetup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab/is153055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar RAR: infected - 6 skipped
C:\Users\Dylan de Wet\Games\Diablo II\patch.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\Users\Dylan de Wet\ntuser.dat Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat{a4898645-274c-11dd-b1f7-a5c679658c34}.TM.blf Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat{a4898645-274c-11dd-b1f7-a5c679658c34}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat{a4898645-274c-11dd-b1f7-a5c679658c34}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\VundoFix Backups\opnmNDuT.dll.bad Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Installer\MSI2463.tmp Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\components Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\default Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\sam Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\security Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\software Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\system Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000005.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000006.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\hgGayApQ.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\opnmNDuT.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\System32\qoMecYOe.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\uRLFVOEV.dll Infected: Trojan.Win32.Zapchast.gb skipped
C:\Windows\System32\wbem\AutoRecover\10A9EB2C94277C0A1A6143B54809F210.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\21D7529435092A1DD242FD6ACF494493.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2B8B1A8B0ACD3EE28B421D3918DC1F29.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\43A7EEE279F15546EE900076CA8CC2C8.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8A20D7181B570E2E2142FB6261D170A2.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\B8F066315788F9A2DF744CF3A9F7F3D6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Credential Manager.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\xxywwtRL.dll Infected: Trojan.Win32.Zapchast.gb skipped

Scan process completed.



--------------------------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 03:26:14 PM, on 2008/05/29
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\AEADISRV.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor111\pctsAuxs.exe
C:\Program Files\Spyware Doctor111\pctsSvc.exe
C:\Program Files\Spyware Doctor111\pctsTray.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Mozilla Firefox\mfirefox\firefox.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Spyware Doctor111\pctsGui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/News24/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {4FCE784E-3915-49B8-B546-68EADE6B27EA} - C:\Windows\system32\cbXQhgGX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor111\pctsTray.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qoMecYOe.dll,#1
O4 - HKLM\..\Run: [BM6830f3c4] Rundll32.exe "C:\Windows\system32\egycrojj.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\DYLAND~1\AppData\Local\Temp\yayaBRHy.dll,#1
O4 - HKCU\..\Run: [BM6830f3c4] Rundll32.exe "C:\Users\DYLAND~1\AppData\Local\Temp\pvalwrha.dll",s
O4 - HKCU\..\Run: [6b03c058] rundll32.exe "C:\Users\DYLAND~1\AppData\Local\Temp\jceisrhg.dll",b
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Dylan de Wet\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - e:\Program Files\Autobot\GameClient.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61FFF564-6CF6-4D2B-B142-5E51DA12B2B6}: NameServer = 196.7.18.82,196.31.65.99
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\b2new.exe (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor111\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor111\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
Dylwaugh
Active Member
 
Posts: 6
Joined: May 29th, 2008, 2:08 am

Re: Virtumonde etc...

Unread postby Shaba » June 2nd, 2008, 10:36 am

Hi Dylwaugh

Your HijackThis is outdated.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde etc...

Unread postby Dylwaugh » June 5th, 2008, 4:01 am

Ok, new HJT log file

Thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:03 AM, on 2008/06/05
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\DllHost.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\Program Files\Mozilla Firefox\mfirefox\firefox.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/News24/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {4FABB867-3553-4546-B83F-B6D2FFF09C03} - C:\Windows\system32\cbXQhgGX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Dylan de Wet\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - e:\Program Files\Nmn\GameClient.exe (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61FFF564-6CF6-4D2B-B142-5E51DA12B2B6}: NameServer = 196.7.18.82,196.31.65.99
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\Windows\b2new.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9928 bytes
Dylwaugh
Active Member
 
Posts: 6
Joined: May 29th, 2008, 2:08 am

Re: Virtumonde etc...

Unread postby Shaba » June 5th, 2008, 9:25 am

Hi

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Post:

- dss logs (taken after mbam)
- mbam report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde etc...

Unread postby Dylwaugh » June 6th, 2008, 5:03 am

Malwarebytes' Anti-Malware 1.14
Database version: 826

10:43:34 AM 2008/06/06
mbam-log-6-6-2008 (10-43-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 254315
Time elapsed: 1 hour(s), 51 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\cbXQhgGX.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5582a8ec-574d-47a9-899a-cd624a0539d7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5582a8ec-574d-47a9-899a-cd624a0539d7} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqhggx -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\cbXQhgGX.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJ18P0Z0\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJ18P0Z0\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y7KR3NPS\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\abrccuxt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\cwiglorx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\egfwwbnm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\ehdujdct.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\jbeeclnv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\jyupuvco.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\lbjpurju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\lnwvbhtg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\mgghbrmk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\mhvvkdod.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\phlxlrkf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\rvjdskoo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\tkteqwok.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\vtvvydwp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\xmytmjiv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dylan de Wet\AppData\Local\Temp\yirvsvcr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Deckard's System Scanner v20071014.68
Run by Dylan de Wet on 2008-06-06 10:52:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
20: 2008-06-06 05:57:04 UTC - RP754 - Language Pack Removal
19: 2008-06-05 05:47:23 UTC - RP753 - Language Pack Removal
18: 2008-06-04 15:22:24 UTC - RP752 - Language Pack Removal
17: 2008-06-04 10:51:25 UTC - RP751 - Language Pack Removal
16: 2008-06-04 10:29:18 UTC - RP750 - Language Pack Removal


-- First Restore Point --
1: 2008-06-01 00:03:02 UTC - RP735 - Language Pack Removal


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 17.52 GiB (less than 15%) free.


-- HijackThis (run as Dylan de Wet.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:46 AM, on 2008/06/06
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Dylan de Wet\Desktop\Programs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dylan de Wet.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/News24/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {5582A8EC-574D-47A9-899A-CD624A0539D7} - C:\Windows\system32\cbXQhgGX.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Dylan de Wet\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - e:\Program Files\Nmn\GameClient.exe (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61FFF564-6CF6-4D2B-B142-5E51DA12B2B6}: NameServer = 196.7.18.82,196.31.65.99
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 10209 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ElRawDisk - \??\c:\windows\system32\drivers\elrawdsk.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 BDSelfPr - \??\c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 AvgCoreSvc (AVG7 Resident Shield Service) -
S3 Com4Qlb - "c:\program files\hewlett-packard\hp quick launch buttons\com4qlb.exe" <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>
S3 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" (file missing)
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description:
Device ID: ROOT\*ISATAP\0062
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #5
PNP Device ID: ROOT\*ISATAP\0062
Service:

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia 6110 Navigator
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6110 Navigator
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-05-16 17:16:24 390 --a------ C:\Windows\Tasks\1-Click Maintenance.job


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-05 15:37:18 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-05 15:37:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 13:50:35 0 d-------- C:\Program Files\Trend Micro
2008-06-04 12:22:35 0 d-------- C:\Users\All Users\BitDefender
2008-06-04 12:22:35 0 d-------- C:\Program Files\BitDefender
2008-06-04 12:20:31 0 d-------- C:\Program Files\Common Files\BitDefender
2008-05-29 11:16:28 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-29 08:36:27 0 d-------- C:\VundoFix Backups
2008-05-29 07:17:06 126464 --a------ C:\Windows\system32\egycrojj.dll
2008-05-29 07:16:19 250969 --ahs---- C:\Windows\system32\XGghQXbc.ini2
2008-05-28 12:05:14 0 d-------- C:\Program Files\ProSB
2008-05-24 21:15:40 0 d-------- C:\Program Files\djDecks
2008-05-22 14:51:45 0 d-------- C:\Users\All Users\Nokia
2008-05-22 14:38:26 0 d-------- C:\Users\Dylan de Wet\Phone Browser
2008-05-22 14:33:31 0 d-------- C:\Users\All Users\PC Suite
2008-05-22 14:32:28 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-22 14:32:28 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-22 14:31:55 0 d-------- C:\Program Files\DIFX
2008-05-22 14:30:06 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-22 14:26:57 0 d-------- C:\Program Files\Nokia
2008-05-22 14:26:02 0 d-------- C:\Users\All Users\Installations
2008-05-20 08:20:36 0 d------c- C:\Windows\system32\DRVSTORE
2008-05-19 14:18:50 0 d-------- C:\Program Files\GNUGS
2008-05-10 23:10:05 0 d-------- C:\Program Files\EA SPORTS
2008-05-09 12:26:32 168720 --a------ C:\Windows\system32\msltus35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:31 252688 --a------ C:\Windows\system32\msexcl35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 260368 --a------ C:\Windows\system32\msxb3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 121104 --a------ C:\Windows\system32\mstx3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 240912 --a------ C:\Windows\system32\mspx3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 136704 --a------ C:\Windows\system32\GRDKRN32.DLL <Not Verified; Apex Software Corporation; APEXGRID>
2008-05-09 12:26:28 72704 --a------ C:\Windows\system32\ODBCTL32.DLL <Not Verified; Microsoft Corporation; Microsoft Open Database Connectivity>
2008-05-09 12:26:28 220944 --a------ C:\Windows\system32\msxl3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:28 144144 --a------ C:\Windows\system32\mslt3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:26 252176 --a------ C:\Windows\system32\MSRD2X35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:25 24848 --a------ C:\Windows\system32\MSJTER35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:25 123664 --a------ C:\Windows\system32\MSJINT35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:25 1050896 --a------ C:\Windows\system32\MSJET35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:22 721168 --a------ C:\Windows\system32\VB40032.DLL <Not Verified; Microsoft Corporation; Visual Basic 4.0>
2008-05-09 12:26:22 0 d-------- C:\Program Files\RevWin


-- Find3M Report ---------------------------------------------------------------

2008-06-06 10:45:13 4956 --a------ C:\Windows\bthservsdp.dat
2008-06-06 10:13:31 0 d-------- C:\Program Files\Steam
2008-06-06 09:58:00 0 d-------- C:\Program Files\Common Files\Steam
2008-06-05 15:37:28 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Malwarebytes
2008-06-05 10:55:33 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\uTorrent
2008-06-04 12:26:31 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\BitDefender
2008-06-04 12:20:31 0 d-------- C:\Program Files\Common Files
2008-06-02 21:21:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 08:47:25 0 d-------- C:\Program Files\Java
2008-05-25 22:12:46 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Nokia
2008-05-25 22:12:46 8 --a------ C:\Users\Dylan de Wet\AppData\Roaming\NMM-MetaData.db
2008-05-25 19:56:50 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\U3
2008-05-24 21:38:40 0 d-------- C:\Program Files\Absolute MP3 Splitter
2008-05-24 13:42:16 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Nokia Multimedia Player
2008-05-22 15:11:19 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\ROUTE 66 Sync
2008-05-22 14:38:32 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\PC Suite
2008-05-22 07:19:51 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\McAfee
2008-05-16 19:58:40 0 d-------- C:\Program Files\BRABYS
2008-05-15 15:39:16 0 d-------- C:\Program Files\Gabest
2008-05-15 15:30:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-15 14:49:38 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\TuneUp Software
2008-05-15 07:30:54 0 d-------- C:\Program Files\Windows Mail
2008-05-05 15:22:17 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Azureus
2008-05-02 11:25:35 0 d-------- C:\Program Files\Jackpot Kings Casino Rand
2008-04-29 14:19:05 0 d-------- C:\Program Files\FreeUndelete
2008-04-06 14:17:57 0 d-------- C:\Program Files\Championship Manager 2007
2008-04-06 14:07:12 0 d-------- C:\Program Files\PowerISO


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5582A8EC-574D-47A9-899A-CD624A0539D7}]
C:\Windows\system32\cbXQhgGX.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007/07/06 09:44 AM]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007/01/10 12:52 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007/09/15 02:50 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007/01/11 12:13 AM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007/01/11 12:12 AM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007/03/12 08:54 PM]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003/12/22 07:12 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007/09/13 10:38 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007/09/13 10:38 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007/09/13 10:38 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007/09/15 02:29 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007/11/06 04:34 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007/02/21 05:14 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007/06/18 03:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007/10/09 03:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008/02/16 05:45 PM]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008/05/30 01:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006/11/02 02:36 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007/04/28 01:52:29 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg
"Authentication Packages"= msv1_0 C:\Windows\system32\cbXQhgGX

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bdx scan


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{567a209a-b559-11dc-987e-f3bb99c51c82}]
AutoRun\command- I:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{567a209c-b559-11dc-987e-f3bb99c51c82}]
AutoRun\command- K:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com

8382 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-06 10:59:05 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 2038.69 MiB / 1100.39 MiB
Pagefile Memory (total/avail): 5451.46 MiB / 4369.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.89 MiB

C: is Fixed (NTFS) - 139.16 GiB total, 17.52 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 1.55 GiB total, 0.98 GiB free.
F: is Fixed (NTFS) - 8.34 GiB total, 0.46 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHW2160BH PL ATA Device - 149.05 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 139.16 GiB - C:
\PARTITION1 - Installable File System - 8.34 GiB - F:
\PARTITION2 - Installable File System - 1588 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Bitdefender Firewall v8.0 (BitDefender)
AV: AVG 7.5.484 v7.5.484 (GRISOFT)
AV: Bitdefender Antivirus v8.0 (BitDefender)
AS: BitDefender Antispyware v8.0 (BitDefender)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Dylan de Wet\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DYLANDEWET-PC
ComSpec=C:\Windows\system32\cmd.exe
DEFAULT_CA_NR=CA18
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Dylan de Wet
LOCALAPPDATA=C:\Users\Dylan de Wet\AppData\Local
LOGONSERVER=\\DYLANDEWET-PC
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Hewlett-Packard\IAM\bin;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Smart Projects\IsoBuster
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PLATFORM=BNB
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\DYLAND~1\AppData\Local\Temp
TMP=C:\Users\DYLAND~1\AppData\Local\Temp
USERDOMAIN=DylandeWet-PC
USERNAME=Dylan de Wet
USERPROFILE=C:\Users\Dylan de Wet
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Dylan de Wet


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
--> MsiExec.exe /I{EC2ADB7C-8A45-40C9-BFD1-18F22D9A7DF5}
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
µTorrent --> "C:\Users\Dylan de Wet\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Absolute MP3 Splitter version 2.2.11 --> "C:\Program Files\Absolute MP3 Splitter\unins000.exe"
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11 --> C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
Agere Systems HDA Modem --> agrsmdel
Application Installer 4.00.B13 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70CEFEBA-F757-4DBE-8A21-027C326137CE}\SETUP.EXE" -l0x9
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
BitDefender Total Security 2008 --> MsiExec.exe /I{92098E58-00AD-4F78-AD6E-807BDB323478}
Championship Manager 2007 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25FED2B8-57D5-4A0D-98BF-973411E0D43E}\Setup.exe" -l0x9 -removeonly
Condition Zero --> "C:\Program Files\Steam\steam.exe" steam://uninstall/80
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
Credential Manager for HP ProtectTools --> MsiExec.exe /X{377E3D59-C8FB-4E16-B3D1-E1D92D30DA00}
Diablo II --> C:\Windows\DIIUnin.exe C:\Windows\DIIUnin.dat
ESU for Microsoft Vista --> MsiExec.exe /X{091A6E73-BAE9-470F-A68A-B204E8C0698D}
FLV Player 2.0, build 23 --> C:\Program Files\FLV Player\uninst.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hewlett-Packard Active Check --> MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent --> MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP 3D DriveGuard --> MsiExec.exe /X{F8A678B8-AC50-4B57-B520-0E37A51020E4}
HP Active Support Library --> C:\Program Files\InstallShield Installation Information\{290B83AA-093A-45BF-A917-D1C4A1E8D917}\setup.exe -runfromtemp -l0x0409
HP Active Support Library 32 bit components --> MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
HP Backup & Recovery Manager Installer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}\setup.exe" -l0x9 -uninst -removeonly
HP BIOS Configuration for ProtectTools --> MsiExec.exe /X{C74D0FA0-1D49-464F-A707-B427EE3385C1}
HP Connections (remove only) --> C:\Windows\HPCPCUninstall-6811507\HPBWSetup.exe -appid 6811507 -uninstall
HP Customer Experience Enhancements --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Doc Viewer --> MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Core --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe" -l0x9
HP Easy Setup - Frontend --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBE5C83E-4DC5-494F-8A23-3AAE242E94C2}\setup.exe" -l0x9 -removeonly
HP Help and Support --> MsiExec.exe /I{E4DDBA93-769B-49D8-BA33-8814E45ED0C1}
HP MULTIPLE MODEM INSTALLER for VISTA --> MsiExec.exe /I{45A136EC-88BF-4B95-99F5-C45D3930E1CC}
HP Notebook Accessories Product Tour --> MsiExec.exe /I{521F72F4-FFE4-4959-AA88-EED06125211F}
HP ProtectTools Security Manager --> MsiExec.exe /I{2DB165DC-DDB4-403F-B985-19F3EC7D0357}
HP Quick Launch Buttons 6.40 B2 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0009 -removeonly uninst
HP Total Care Advisor --> MsiExec.exe /X{509F2C70-1C5D-45BE-A48F-B785B51A8037}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guides 0064 --> MsiExec.exe /I{E25AA53F-6878-4C64-8130-EB8D678DF303}
HP Wireless Assistant --> MsiExec.exe /I{6FE30813-AC60-40A3-BE53-F6713A1F3893}
Intel(R) Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
InterVideo DVD Check --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\mfirefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia Flashing Cable Driver --> MsiExec.exe /X{A4E0CA0F-1903-440A-9B98-FEA6CB049999}
Nokia PC Suite --> C:\ProgramData\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Nokia_PC_Suite_6_84_10_3_EA.exe
Nokia PC Suite --> MsiExec.exe /I{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}
Nokia Software Updater --> MsiExec.exe /X{5D19E730-D3C6-47F4-AE4B-DCB26EC2D905}
nRoute --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{127053BC-9DD4-46FB-A5E9-77DC91BB8E2A}\setup.exe" -l0x9 AddRemove
PC Connectivity Solution --> MsiExec.exe /I{99A40651-0BC2-4095-8F9A-A40FAB224FEF}
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Revelation for Windows - Libraries... --> C:\Windows\uninst.exe -f"C:\Program Files\RevWin\DeIsL3.isu" -c"C:\Program Files\RevWin\_ISREG32.DLL"
Revelation Small Business --> C:\RevUnIns.exe "C:\Program Files\ProSB\Install.log"
ROUTE 66 Sync --> rundll32.exe dfshim.dll,ShArpMaintain ROUTE66Sync.application, Culture=neutral, PublicKeyToken=c4b9ac6af6e31a36, processorArchitecture=x86
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9 --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9 --> MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
SADC 2005 Directory --> MsiExec.exe /I{0A8BD413-31BC-4F38-9B15-46732450C66C}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Sony Ericsson Device Data --> MsiExec.exe /I{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}
Sony Ericsson Drivers --> MsiExec.exe /I{5CC68528-24FF-4DF8-91C9-AF540F98505A}
Sony Ericsson PC Suite --> C:\Windows\Installer\{D6BF6477-8369-489F-8DE6-3731F4B88560}\Setup.exe /uninstall
Sony Ericsson PC Suite --> MsiExec.exe /I{B192E1BB-98A4-4369-9271-96117A57F546}
SOUTH AFRICA STREETMAPS V4 --> MsiExec.exe /X{1D6BCD07-18B3-42AE-A871-F54A4FFB9FBD}
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Tiger Woods PGA TOUR 07 --> C:\Program Files\EA SPORTS\Tiger Woods PGA TOUR 07\EAUninstall.exe
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Video Camera Drivers V1.0 --> C:\Windows\unins000.exe
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Vista Codec Package --> MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
Vista Default Settings --> MsiExec.exe /I{93D44E47-EBE0-43FC-A427-8AC3CD026536}
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\pccswpddriver.inf_a419b392\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\pccs_bluetooth.inf_48f6f624\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\pccs_bluetooth.inf_51d2d3e1\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_e5643fdd\nokbtmdm.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XviD MPEG4 Video Codec (remove only) --> "C:\Windows\system32\xvid-uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type27087 / Warning
Event Submitted/Written: 06/06/2008 10:50:53 AM
Event ID/Source: 3036 / Windows Search Service
Event Description:
The content source <mapi://{s-1-5-21-3568989815-3060670663-33497352-1006}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (0x80041206)

Event Record #/Type27079 / Success
Event Submitted/Written: 06/06/2008 10:47:51 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type27078 / Success
Event Submitted/Written: 06/06/2008 10:47:50 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type27071 / Success
Event Submitted/Written: 06/06/2008 10:47:31 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type27062 / Warning
Event Submitted/Written: 06/06/2008 10:44:57 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3568989815-3060670663-33497352-1006_Classes:
Process 1888 (\Device\HarddiskVolume1\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-3568989815-3060670663-33497352-1006_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type346919 / Warning
Event Submitted/Written: 06/06/2008 10:53:20 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type346918 / Warning
Event Submitted/Written: 06/06/2008 10:53:20 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type346914 / Warning
Event Submitted/Written: 06/06/2008 10:52:17 AM
Event ID/Source: 4 / Microsoft-Windows-FilterManager
Event Description:
0xc0000013608bdfsfltr2007-12-31T10:12:12.000Z14\Device\CdRom1

Event Record #/Type346913 / Warning
Event Submitted/Written: 06/06/2008 10:52:17 AM
Event ID/Source: 4 / Microsoft-Windows-FilterManager
Event Description:
0xc0000013608bdfsfltr2007-12-31T10:12:12.000Z14\Device\CdRom0

Event Record #/Type346897 / Warning
Event Submitted/Written: 06/06/2008 10:46:45 AM
Event ID/Source: 4 / b57nd60x
Event Description:
Broadcom NetLink (TM) Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.



-- End of Deckard's System Scanner: finished at 2008-06-06 10:59:05 ------------
Dylwaugh
Active Member
 
Posts: 6
Joined: May 29th, 2008, 2:08 am

Re: Virtumonde etc...

Unread postby Shaba » June 6th, 2008, 11:42 am

Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {5582A8EC-574D-47A9-899A-CD624A0539D7} - C:\Windows\system32\cbXQhgGX.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)

Close all windows including browser and press fix checked.

Reboot.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Windows\system32\egycrojj.dll
    C:\Windows\system32\XGghQXbc.ini2


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run dss

Post:

- dss log
- otmoveit2 report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

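The entries Shaba asks the user to fix above share one property: HijackThis prints "(no file)" or "(file missing)" where the target path should be, meaning the registry still references a BHO, toolbar, button or service whose file is gone. The script below is an added example, not code from the thread, from Shaba, or from HijackThis itself; it parses HJT "O" lines and separates those orphaned references from entries whose file is still present, which is the first triage pass a helper does by eye. The sample log is constructed from lines that appear in this thread; the `HjtEntry` type and the function names are this example's own. One caveat a practitioner should keep in mind: an orphaned entry is leftover debris, not proof of infection, and a live entry (one with a real path) still needs the file itself looked at.

```python
"""Triage a HijackThis (HJT) log for orphaned entries.

Added example (not part of the forum thread or of HijackThis).
An "orphaned" entry is an O-section line whose target file no longer
exists: HJT prints "(no file)" or "<path> (file missing)" as the last
field. Such entries are registry leftovers; they are harmless on their
own but are exactly what a helper asks the user to "fix checked".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: every line below is copied from the thread's HJT output.
SAMPLE_LOG = r"""
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {5582A8EC-574D-47A9-899A-CD624A0539D7} - C:\Windows\system32\cbXQhgGX.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - (no file)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
"""

# HJT "O" lines look like: "O<n> - <kind>: <name> - <clsid or owner> - <target>"
_ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# Standard 8-4-4-4-12 hex CLSID in braces, as printed for O2/O3/O9 entries.
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str            # "O2", "O3", "O9", "O23", ...
    description: str        # everything between the section tag and the target
    target: str             # a path, "(no file)", or "<path> (file missing)"
    clsid: Optional[str]    # CLSID in braces when the entry carries one

    @property
    def orphaned(self) -> bool:
        """True when HJT reports that the referenced file does not exist."""
        return self.target == "(no file)" or self.target.endswith("(file missing)")


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Parse the O-section lines of an HJT log; other lines are ignored."""
    entries: List[HjtEntry] = []
    for raw in log_text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue  # R0/R1 lines, headers, process list, blank lines
        section, body = m.groups()
        if " - " not in body:
            continue
        # The target is the last " - " separated field. (A path that itself
        # contains " - " would be split wrongly; HJT output rarely has one.)
        description, target = body.rsplit(" - ", 1)
        clsid = _CLSID_RE.search(description)
        entries.append(HjtEntry(section, description.strip(), target.strip(),
                                clsid.group(0) if clsid else None))
    return entries


def triage(log_text: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """Return (orphaned, live) entries in log order."""
    entries = parse_hjt(log_text)
    orphaned = [e for e in entries if e.orphaned]
    live = [e for e in entries if not e.orphaned]
    return orphaned, live


if __name__ == "__main__":
    orphaned, live = triage(SAMPLE_LOG)
    print(f"{len(orphaned)} orphaned entries (candidates for 'fix checked'):")
    for e in orphaned:
        print(f"  {e.section:<4} {e.description}  ->  {e.target}")
    print(f"{len(live)} live entries (file present; inspect the file itself):")
    for e in live:
        print(f"  {e.section:<4} {e.description}  ->  {e.target}")
```

Run on the sample, the six orphaned entries it lists are the same six O2/O3/O9/O23 lines Shaba checked in HijackThis; the two live entries (a Java BHO and the BitDefender service) are left alone because their files exist and would need to be judged on their own merits.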
Re: Virtumonde etc...

Unread postby Dylwaugh » June 9th, 2008, 6:46 am

Deckard's System Scanner v20071014.68
Run by Dylan de Wet on 2008-06-09 12:44:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 17.4 GiB (less than 15%) free.


-- HijackThis (run as Dylan de Wet.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:08 PM, on 2008/06/09
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Mozilla Firefox\mfirefox\firefox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Users\Dylan de Wet\Desktop\OTMoveIt2.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Dylan de Wet\Desktop\Programs\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DYLAND~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/News24/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Dylan de Wet\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - e:\Program Files\Nmn\GameClient.exe (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61FFF564-6CF6-4D2B-B142-5E51DA12B2B6}: NameServer = 196.7.18.82,196.31.65.99
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9653 bytes

-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-09 01:14:27 0 d-------- C:\Users\Dylan de Wet\.dvdcss
2008-06-09 01:11:35 0 d-------- C:\Program Files\LG Software Innovations
2008-06-05 15:37:18 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-05 15:37:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 13:50:35 0 d-------- C:\Program Files\Trend Micro
2008-06-04 12:22:35 0 d-------- C:\Users\All Users\BitDefender
2008-06-04 12:22:35 0 d-------- C:\Program Files\BitDefender
2008-06-04 12:20:31 0 d-------- C:\Program Files\Common Files\BitDefender
2008-05-29 11:16:28 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-29 08:36:27 0 d-------- C:\VundoFix Backups
2008-05-28 12:05:14 0 d-------- C:\Program Files\ProSB
2008-05-24 21:15:40 0 d-------- C:\Program Files\djDecks
2008-05-22 14:51:45 0 d-------- C:\Users\All Users\Nokia
2008-05-22 14:38:26 0 d-------- C:\Users\Dylan de Wet\Phone Browser
2008-05-22 14:33:31 0 d-------- C:\Users\All Users\PC Suite
2008-05-22 14:32:28 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-22 14:32:28 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-22 14:31:55 0 d-------- C:\Program Files\DIFX
2008-05-22 14:30:06 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-22 14:26:57 0 d-------- C:\Program Files\Nokia
2008-05-22 14:26:02 0 d-------- C:\Users\All Users\Installations
2008-05-20 08:20:36 0 d------c- C:\Windows\system32\DRVSTORE
2008-05-19 14:18:50 0 d-------- C:\Program Files\GNUGS
2008-05-10 23:10:05 0 d-------- C:\Program Files\EA SPORTS
2008-05-09 12:26:32 168720 --a------ C:\Windows\system32\msltus35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:31 252688 --a------ C:\Windows\system32\msexcl35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 260368 --a------ C:\Windows\system32\msxb3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 121104 --a------ C:\Windows\system32\mstx3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 240912 --a------ C:\Windows\system32\mspx3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:29 136704 --a------ C:\Windows\system32\GRDKRN32.DLL <Not Verified; Apex Software Corporation; APEXGRID>
2008-05-09 12:26:28 72704 --a------ C:\Windows\system32\ODBCTL32.DLL <Not Verified; Microsoft Corporation; Microsoft Open Database Connectivity>
2008-05-09 12:26:28 220944 --a------ C:\Windows\system32\msxl3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:28 144144 --a------ C:\Windows\system32\mslt3032.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:26 252176 --a------ C:\Windows\system32\MSRD2X35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:25 24848 --a------ C:\Windows\system32\MSJTER35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:25 123664 --a------ C:\Windows\system32\MSJINT35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:25 1050896 --a------ C:\Windows\system32\MSJET35.DLL <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-05-09 12:26:22 721168 --a------ C:\Windows\system32\VB40032.DLL <Not Verified; Microsoft Corporation; Visual Basic 4.0>
2008-05-09 12:26:22 0 d-------- C:\Program Files\RevWin


-- Find3M Report ---------------------------------------------------------------

2008-06-09 12:36:59 4956 --a------ C:\Windows\bthservsdp.dat
2008-06-09 01:15:23 0 d-------- C:\Program Files\A1 DVD Ripper
2008-06-09 01:10:36 0 d-------- C:\Program Files\Any DVD Converter Professional
2008-06-09 01:09:56 0 d-------- C:\Program Files\DVDneXtCOPY2
2008-06-08 23:40:05 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\dvdcss
2008-06-06 16:54:05 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\uTorrent
2008-06-06 12:46:30 0 d-------- C:\Program Files\Steam
2008-06-06 09:58:00 0 d-------- C:\Program Files\Common Files\Steam
2008-06-05 15:37:28 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Malwarebytes
2008-06-04 12:26:31 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\BitDefender
2008-06-04 12:20:31 0 d-------- C:\Program Files\Common Files
2008-06-02 21:21:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 08:47:25 0 d-------- C:\Program Files\Java
2008-05-25 22:12:46 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Nokia
2008-05-25 22:12:46 8 --a------ C:\Users\Dylan de Wet\AppData\Roaming\NMM-MetaData.db
2008-05-25 19:56:50 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\U3
2008-05-24 21:38:40 0 d-------- C:\Program Files\Absolute MP3 Splitter
2008-05-24 13:42:16 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Nokia Multimedia Player
2008-05-22 15:11:19 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\ROUTE 66 Sync
2008-05-22 14:38:32 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\PC Suite
2008-05-22 07:19:51 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\McAfee
2008-05-16 19:58:40 0 d-------- C:\Program Files\BRABYS
2008-05-15 15:39:16 0 d-------- C:\Program Files\Gabest
2008-05-15 15:30:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-15 14:49:38 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\TuneUp Software
2008-05-15 07:30:54 0 d-------- C:\Program Files\Windows Mail
2008-05-05 15:22:17 0 d-------- C:\Users\Dylan de Wet\AppData\Roaming\Azureus
2008-05-02 11:25:35 0 d-------- C:\Program Files\Jackpot Kings Casino Rand
2008-04-29 14:19:05 0 d-------- C:\Program Files\FreeUndelete


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007/07/06 09:44 AM]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007/01/10 12:52 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007/09/15 02:50 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007/01/11 12:13 AM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007/01/11 12:12 AM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007/03/12 08:54 PM]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003/12/22 07:12 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007/09/13 10:38 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007/09/13 10:38 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007/09/13 10:38 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007/09/15 02:29 AM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007/11/06 04:34 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007/02/21 05:14 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007/06/18 03:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007/10/09 03:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008/02/16 05:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006/11/02 02:36 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe [2007/04/28 01:52:29 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ASWLNPkg
"Authentication Packages"= msv1_0 C:\Windows\system32\cbXQhgGX

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware Reboot]
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
Cognizance ASBroker ASChannel
GPSvcGroup GPSvc
bdx scan


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{567a209a-b559-11dc-987e-f3bb99c51c82}]
AutoRun\command- I:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{567a209c-b559-11dc-987e-f3bb99c51c82}]
AutoRun\command- K:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-09 12:45:39 ------------




DllUnregisterServer procedure not found in C:\Windows\system32\egycrojj.dll
C:\Windows\system32\egycrojj.dll NOT unregistered.
C:\Windows\system32\egycrojj.dll moved successfully.
C:\Windows\system32\XGghQXbc.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06092008_124304
Dylwaugh
Active Member
 
Posts: 6
Joined: May 29th, 2008, 2:08 am

Re: Virtumonde etc...

Post by Shaba » June 9th, 2008, 9:33 am

Hi

At least there is no wonder why you got infected:

C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\spybotsd152.exe/data0000.cab/is153202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\spybotsd152.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]\spybotsd152.exe Rsrc-Package: infected - 2 skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar/Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]/spybotsd152.exe/data0000.cab/is153202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar/Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]/spybotsd152.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar/Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]/spybotsd152.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar RAR: infected - 3 skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface)\WRAR4.65.exe/winupdaters.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface)\WRAR4.65.exe CreateInstall: infected - 1 skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface).zip/WinRAR.v4.65(cracked) (totally new interface)/WRAR4.65.exe/winupdaters.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface).zip/WinRAR.v4.65(cracked) (totally new interface)/WRAR4.65.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)\WinRAR.v4.65(cracked) (totally new interface).zip ZIP: infected - 2 skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\sdsetup.exe/data0000.cab/is153056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\sdsetup.exe Rsrc-Package: infected - 2 skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab/is153055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)\Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe Rsrc-Package: infected - 2 skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/sdsetup.exe/data0000.cab/is153056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/sdsetup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab/is153055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar/Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)/Spyware.Doctor.5.5.0.212_KEYGEN+PATCH-FFF.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qon skipped
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar RAR: infected - 6 skipped

Downloading pirated programs is not only illegal but also very stupid, as you can see.

Delete these:

C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE).rar
C:\Users\Dylan de Wet\Documents\Downloads\Spyware Doctor v5.5.0.212 + KEYGEN & PATCH (UNLIMITED LISENCE - UPDATABLE)
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.v4.65(cracked) (totally new interface)
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!].rar
C:\Users\Dylan de Wet\Applications\Arb\Spybot Search & Destroy 1.5.2 LATEST FULL Edition [GRAB IT!]

Empty Recycle Bin.

Please download ATF Cleaner by Atribune and save it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with Kaspersky.

Post:

- a fresh HijackThis log
- Kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
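The Kaspersky Online Scanner reports posted in this thread mix real detections with "Object is locked" lines and repeat one detection for every nested archive member, which is why the report grows to a hundred lines for a handful of files. As an added example, not code from the thread or from Kaspersky, the Python script below triages such a report: it assumes only the three line shapes visible in the reports above, collapses archive members onto the file on disk, ranks what is left, and runs on constructed sample lines shortened from the ones posted.

```python
"""Triage helper for Kaspersky Online Scanner 5.x report lines.

Added example, not code from the MalwareRemoval.com thread: it reads the
"Infected Object Name / Virus Name / Last Action" section of a report
like the ones posted above and separates real detections from the
"Object is locked" noise, collapsing nested archive members
(archive.rar/dir/setup.exe/data0000.cab/...) onto the one file on disk
that the user can actually delete.
"""
import re
from collections import defaultdict

# Each report line has one of three shapes (as seen in the thread's reports):
#   <object> Infected: <detection name> skipped
#   <object> Object is locked skipped
#   <object> <Packer>: infected - <n> skipped     (archive/packer summary line)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<packer>[\w-]+): infected - (?P<n>\d+) skipped$")

# Constructed sample, modelled on (and shortened from) the reports above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Program Files\HP Connections\Data\chandir.dat Object is locked skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot152.rar/Spybot152/spybotsd152.exe/data0000.cab/is153202.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot152.rar/Spybot152/spybotsd152.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Dylan de Wet\Applications\Arb\Spybot152.rar RAR: infected - 3 skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.zip/WinRAR/WRAR4.65.exe/winupdaters.exe Infected: Backdoor.Win32.SpyBoter.cy skipped
C:\Users\Dylan de Wet\Applications\Arb\WinRAR.zip ZIP: infected - 2 skipped
C:\Program Files\ProSB\Support.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\ProSB\Support.exe UPX: infected - 1 skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[2] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Dylan de Wet\ntuser.dat Object is locked skipped
"""


def on_disk_path(scanned_object):
    """Kaspersky joins archive members with '/', while the Windows path on
    disk uses '\\'; everything before the first '/' is the deletable file."""
    return scanned_object.split("/", 1)[0]


def severity(detection):
    """Rank a detection name for triage (our own ordering, not Kaspersky's).
    Names prefixed 'not-a-virus:' are Kaspersky's adware/riskware class;
    otherwise the first dotted component is the behaviour (Trojan, Backdoor...)."""
    if detection.startswith("not-a-virus:"):
        return 1, "riskware/adware"
    behaviour = detection.split(".", 1)[0]
    return (3 if behaviour == "Backdoor" else 2), behaviour


def triage(report_lines):
    """Return (detections, containers, locked): detections maps each on-disk
    file to the set of detection names found in it or its members,
    containers maps archives to their (packer, member-count) summary, and
    locked counts the 'Object is locked' lines, which are not infections."""
    detections = defaultdict(set)
    containers = {}
    locked = 0
    for raw in report_lines:
        line = raw.strip()
        if not line or line.startswith("Infected Object Name"):
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections[on_disk_path(m["path"])].add(m["name"])
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers[on_disk_path(m["path"])] = (m["packer"], int(m["n"]))
            continue
        if LOCKED_RE.match(line):
            locked += 1
    return dict(detections), containers, locked


def summarize(report_lines):
    """Worst-first list of (rank, on-disk path, label, detection names)."""
    detections, _containers, locked = triage(report_lines)
    rows = []
    for path, names in detections.items():
        worst = max(names, key=lambda n: severity(n)[0])
        rank, label = severity(worst)
        rows.append((rank, path, label, sorted(names)))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows, locked


if __name__ == "__main__":
    rows, locked = summarize(SAMPLE_REPORT.splitlines())
    print(f"{locked} locked objects ignored (scanner could not open them)")
    for rank, path, label, names in rows:
        print(f"[{label}] {path}")
        for name in names:
            print(f"    {name}")
```

Feed it a saved report instead of the sample and the output is the short delete list a helper would post, with the backdoor-carrying archive at the top.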

Re: Virtumonde etc...

Post by Dylwaugh » June 10th, 2008, 5:57 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 10, 2008 11:46:43 AM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/06/2008
Kaspersky Anti-Virus database records: 845558
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 169199
Number of viruses found: 3
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:44:19

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\bbjdrpsk.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\bcpdwabt.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\eyildttf.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\fodlpucn.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\huemiybo.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\jpuirvsw.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\loajcosf.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\muexppon.dll Object is locked skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\nfvbseuh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp\uiotargy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080609-185748.log Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\as2core\antispam_sig_11935\aspdict.dat Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db-journal Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\L0000005.FCS Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\HP Connections\6811507\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\ProSB\Support.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Program Files\ProSB\Support.exe 7-Zip: infected - 1 skipped
C:\Program Files\ProSB\Support.exe UPX: infected - 1 skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bbb78300220bcb9b83c3dbaf43e6cd3b_311cff53-0acf-4dea-9647-91f5d2335b92 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bbb78300220bcb9b83c3dbaf43e6cd3b_fa270d0c-e8c0-4426-b4f8-326139a300f1 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008061020080611\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[2] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[5] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb456456[6] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb516107[1] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3M1LBQ55\kb516107[3] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJ18P0Z0\kb456456[3] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJ18P0Z0\kb516107[1] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y7KR3NPS\kb456456[2] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y7KR3NPS\kb516107[1] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y7KR3NPS\kb516107[2] Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1D464AB1-E479-4E33-B7F1-17C6FCF210CB}.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF6A7A3F-CFC9-4081-9F25-3E0384BAFDC0}.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DB946AF8-14FD-460D-BA85-13444A882E52}.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat{de469c33-2a38-11dc-9037-0017a4e77d16}.TM.blf Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat{de469c33-2a38-11dc-9037-0017a4e77d16}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Windows\UsrClass.dat{de469c33-2a38-11dc-9037-0017a4e77d16}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Business Contact Manager\MSSmallBusiness.ldf Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Business Contact Manager\MSSmallBusiness.mdf Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Local\Mozilla\Firefox\Profiles\e1xpfbqy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\microsoft\Templates\NormalEmail.dotm Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\BitDefender\Desktop\Profiles\asdict.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\cert8.db Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\formhistory.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\history.dat Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\key3.db Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\parent.lock Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\search.sqlite Object is locked skipped
C:\Users\Dylan de Wet\AppData\Roaming\Mozilla\Firefox\Profiles\e1xpfbqy.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat{a4898645-274c-11dd-b1f7-a5c679658c34}.TM.blf Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat{a4898645-274c-11dd-b1f7-a5c679658c34}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\ntuser.dat{a4898645-274c-11dd-b1f7-a5c679658c34}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Dylan de Wet\Work\Shared Work Folder\PLANNING\JUNE\9 - 13.xls Object is locked skipped
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Installer\MSI2463.tmp Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\MEMORY.DMP Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{EF936E47-B176-4325-909F-4F610FBA01BE}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\components Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\default Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\sam Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\security Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\software Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\system Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000005.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000006.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\10A9EB2C94277C0A1A6143B54809F210.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\21D7529435092A1DD242FD6ACF494493.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2B8B1A8B0ACD3EE28B421D3918DC1F29.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\43A7EEE279F15546EE900076CA8CC2C8.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8A20D7181B570E2E2142FB6261D170A2.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\B8F066315788F9A2DF744CF3A9F7F3D6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Credential Manager.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx.corrupt Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MeetingSpace%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Admin.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\MSFWSVC.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\1-Click Maintenance.job Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\Temp\tmp00002282\tmp00000000 Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
C:\_OTMoveIt\MovedFiles\06092008_124304\Windows\system32\egycrojj.dll Infected: Trojan.Win32.Monder.gen skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:51 AM, on 2008/06/10
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\mfirefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/News24/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QlbCtrl] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF269~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Users\Dylan de Wet\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - e:\Program Files\Nmn\GameClient.exe (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.kaspersky.com.au
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61FFF564-6CF6-4D2B-B142-5E51DA12B2B6}: NameServer = 196.7.18.82,196.31.65.99
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - (no file)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 10143 bytes
Dylwaugh
Active Member
 
Posts: 6
Joined: May 29th, 2008, 2:08 am

Re: Virtumonde etc...

Unread postby Shaba » June 10th, 2008, 8:43 am

Hi

Empty these folders:

C:\Deckard\System Scanner\20080609124454\backup\Users\DYLAND~1\AppData\Local\Temp
C:\_OTMoveIt\MovedFiles\

Empty Recycle Bin.

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Still problems?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde etc...

Unread postby Dylwaugh » June 11th, 2008, 1:49 am

Did a deep system scan and my computer seems to be completely clean...

Thanks so much, you really helped me :cheers:
Dylwaugh
Active Member
 
Posts: 6
Joined: May 29th, 2008, 2:08 am

Re: Virtumonde etc...

Unread postby Shaba » June 11th, 2008, 9:19 am

Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

If BitDefender doesn't have a firewall, install one from below:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    or

    Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
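The post above explains that the MVPS HOSTS file works by mapping ad and malware domains to 127.0.0.1. The script below is an added example, not part of the thread or of the MVPS project, showing how a helper can check what a HOSTS file actually does: it parses the Windows HOSTS format (address, one or more hostnames, optional `#` comments) and separates blackhole entries (loopback or 0.0.0.0, what MVPS writes) from entries that redirect a hostname to some other address, which is the pattern a hijacked HOSTS file shows (HijackThis reports those as O1 lines). The sample file contents, the placeholder domains and the 198.51.100.7 address (a documentation-range IP) are all constructed for illustration.

```python
"""Classify Windows HOSTS file entries: blackhole (MVPS-style) vs. redirect.

Added example for the MalwareRemoval.com thread; not code from the forum,
the MVPS project or HijackThis. Sample HOSTS content and domains are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses that send a hostname nowhere: loopback (what MVPS used in 2008)
# and the null route 0.0.0.0. Anything else is a redirect worth reviewing.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Entries Windows itself keeps in the HOSTS file; not ad-blocking entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, not a real MVPS file. Windows line endings are fine too.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.   (constructed sample header)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # MVPS-style blackhole entry
127.0.0.1       tracker.example.org  counter.example.org
198.51.100.7    www.windowsupdate.com    # redirect away from Microsoft: suspicious
not-an-address  junk.example.com         # malformed line, must be ignored
"""


@dataclass
class HostsEntry:
    address: str
    hostnames: list = field(default_factory=list)
    line_no: int = 0


def parse_hosts(text):
    """Return one HostsEntry per valid line; comments and bad lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing or whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # first field must be an IPv4/IPv6 address
        except ValueError:
            continue
        if len(parts) < 2:
            continue  # an address with no hostname does nothing
        entries.append(HostsEntry(parts[0], [h.lower() for h in parts[1:]], line_no))
    return entries


def classify(entries):
    """Split entries into {host: addr} for blackholed and redirected hostnames.

    Built-in local names (localhost etc.) are left out of both maps.
    A hostname listed more than once keeps its last mapping, which is also
    how the resolver behaves for the first match is not guaranteed across
    implementations, so duplicates are best resolved by the caller.
    """
    blackholed, redirected = {}, {}
    for entry in entries:
        for host in entry.hostnames:
            if host in LOCAL_NAMES:
                continue
            if entry.address in BLACKHOLE_ADDRS:
                blackholed[host] = entry.address
            else:
                redirected[host] = entry.address
    return blackholed, redirected


def is_blackholed(hostname, text):
    """True if the HOSTS text sends `hostname` to loopback or the null route."""
    blackholed, _ = classify(parse_hosts(text))
    return hostname.lower() in blackholed


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    blocked, redirects = classify(parsed)
    print(f"{len(blocked)} hostnames blackholed, {len(redirects)} redirected elsewhere")
    for host, addr in redirects.items():
        print(f"REVIEW: {host} -> {addr} (not loopback; possible hijack)")
```

On a live machine the file is `%SystemRoot%\System32\drivers\etc\hosts`; any hostname that lands in the redirected map should be checked against what that site legitimately resolves to, since a HOSTS entry overrides DNS for every program on the box.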

Re: Virtumonde etc...

Unread postby Shaba » June 14th, 2008, 5:00 am

Dylwaugh this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.