Spyware Trojan

perfectm

New Member
Hi - I was wondering if anyone could point me in the right direction for a free fix for a spyware trojan. My partner decided to download it onto our laptop and it is currently rubber ducked!! Any help would be much appreciated.:)
 
OK, do the following:

If after that you are still infected, please post a Hijackthis log. To post a Hijackthis log, please do the following:
Click Here to download HJTsetup.exe


* Save HJTsetup.exe to your desktop.
* Double click on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
* Click Save to save the log file and then the log will open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
* Come back and paste the log in a new post, using Hijackthis in your Subject bar.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


We will look at your log as soon as we see it, and give you further instructions on how to fix your computer. Most of the time it will involve downloading more programs that will either give us logs to locate the malware or delete those malware.

Once you have posted a HJT Thread DO NOT make any changes to your PC unless the advisor helping you has instructed you to do so!
 
Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41: VIRUS ALERT!, on 23/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\pnw\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: qndsfmao - {F4A52746-813B-4276-A8D7-E2ABD0C8C8A8} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\fwftoanw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O21 - SSODL: evgratsm - {82955011-CE07-44AF-A29A-83B7775A8C92} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: kvxqmtre - {8CE6BA66-B3F0-4B86-93B1-0E6EA2FD46DA} - C:\WINDOWS\kvxqmtre.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5713 bytes
 
OK, please do the following:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
 
Combofix Log

ComboFix 08-07-23.2 - pnw 2008-07-23 23:15:51.1 - NTFSx86
Running from: C:\Documents and Settings\pnw\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\pnw\Application Data\FunWebProducts
C:\Documents and Settings\pnw\Application Data\FunWebProducts\Data\pnw\avatar.dat
C:\Documents and Settings\pnw\Application Data\FunWebProducts\Data\pnw\register.dat
C:\Documents and Settings\pnw\Application Data\FunWebProducts\Data\pnw\zbucks.dat
C:\Documents and Settings\pnw\Desktop\Error Cleaner.url
C:\Documents and Settings\pnw\Desktop\Privacy Protector.url
C:\Documents and Settings\pnw\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\pnw\Favorites\Error Cleaner.url
C:\Documents and Settings\pnw\Favorites\Privacy Protector.url
C:\Documents and Settings\pnw\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\pnw\Start Menu\Programs\Startup\.protected
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\VAV
C:\WINDOWS\.protected
C:\WINDOWS\edel.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\kgxmotaptbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\system32\agsjruwd.dll
C:\WINDOWS\system32\bpbopurc.dll
C:\WINDOWS\system32\cbXPfDsP.dll
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\dwurjsga.ini
C:\WINDOWS\system32\ebtdgjcr.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\hpxpds.dll
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\lgukgmxg.dll
C:\WINDOWS\system32\ogleuv.dll
C:\WINDOWS\system32\opnoLccB.dll
C:\WINDOWS\system32\qwmlloyr.dll
C:\WINDOWS\system32\rqRJbyyV.dll
C:\WINDOWS\system32\urorlp.dll
C:\WINDOWS\system32\VyybJRqr.ini
C:\WINDOWS\system32\VyybJRqr.ini2
C:\WINDOWS\system32\wintisv.exe
C:\WINDOWS\system32\ykrgzc.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-23 22:55 . 2008-07-23 22:55 94,848 --a------ C:\WINDOWS\system32\rqwhjduk.dll
2008-07-23 22:55 . 2008-07-24 00:13 44,689 ---hs---- C:\WINDOWS\system32\kudjhwqr.ini
2008-07-22 20:47 . 2008-07-22 22:21 <DIR> d-------- C:\Program Files\XoftSpySE
2008-07-22 19:58 . 2008-07-23 22:54 44,449 --ahs---- C:\WINDOWS\system32\wnaotfwf.ini
2008-07-21 19:13 . 2008-07-21 19:13 43,521 --ahs---- C:\WINDOWS\system32\fujnhkhw.ini
2008-07-21 18:51 . 2008-07-17 10:14 155,648 --a------ C:\WINDOWS\agpqlrfm.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-04 06:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-02 21:57 --------- d-----w C:\Program Files\Microsoft AutoRoute
2008-07-02 21:55 --------- d-----w C:\Program Files\PokerStars.NET
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-27 17:44 --------- d-----w C:\Documents and Settings\pnw\Application Data\Centra
2008-05-26 16:25 --------- d-----w C:\Program Files\PokerStars
2007-08-06 11:14 6,479,904 -csha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-06 11:14 179,744 -csha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 10:52 376912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"04d8880a"="C:\WINDOWS\system32\rqwhjduk.dll" [2008-07-23 22:55 94848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a------ 2005-12-29 10:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
--a------ 2003-05-21 17:37 229437 C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2003-09-01 10:52 376912 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 10:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule]
--a------ 2005-06-08 20:31 96256 C:\Program Files\iolo\System Mechanic Professional 6\Delay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2006-02-06 17:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
--a------ 2006-12-20 16:47 557056 C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-01-22 16:08 495616 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-01-22 16:09 98304 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2003-09-05 02:24 65536 C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 13:52]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-23 22:47:39 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-12 10:09:25 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2004-08-21 16:04:52 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2004-08-21 16:04:54 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-07-23 22:49:32 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-07-22 20:47:28 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
Toolbar-{F4A52746-813B-4276-A8D7-E2ABD0C8C8A8} - C:\WINDOWS\qndsfmao.dll
HKCU-Run-Sys1.exe - C:\Windows\Sys1.exe
HKLM-Run-Sys1.exe - C:\Windows\Sys1.exe
SSODL-evgratsm-{82955011-CE07-44AF-A29A-83B7775A8C92} - C:\WINDOWS\evgratsm.dll
SSODL-kvxqmtre-{8CE6BA66-B3F0-4B86-93B1-0E6EA2FD46DA} - C:\WINDOWS\kvxqmtre.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.search.msn.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R0 -: HKLM-Main,Search Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.genie.co.uk/
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - C:\Program Files\Microsoft ActiveSync\CENETFLT.DLL

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} - hxxp://static.photobox.co.uk/sg/common/ImageUploader4.cab
C:\WINDOWS\Downloaded Program Files\ImageUploader4.inf
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 00:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\rqwhjduk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-24 0:31:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 00:31:01

Pre-Run: 23,291,969,536 bytes free
Post-Run: 23,298,826,240 bytes free

210 --- E O F --- 2008-07-21 18:16:44
 
Hi, your system must be running much better.
One step more to do, however.

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\rqwhjduk.dll
C:\WINDOWS\system32\kudjhwqr.ini
C:\WINDOWS\system32\wnaotfwf.ini
C:\WINDOWS\system32\fujnhkhw.ini
C:\WINDOWS\agpqlrfm.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 
After Running Combofix

Computer is running much better now - although it is quite slow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:54, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\pnw\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4993 bytes
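As an added example (not code from this thread or from HijackThis), this is the triage a helper does by eye on the two HijackThis logs posted above, written out as a script: it parses the entries, flags the patterns that stand out in this thread (a start page on an unknown host, rundll32 loading an eight-letter random DLL, toolbar and SSODL entries loading DLLs straight out of C:\WINDOWS, dot-files in the Startup folders, the regedit and IE policy locks), and then compares the before-ComboFix and after-ComboFix logs so anything that survived, like the [04d8880a] Run value that came back under a new DLL name, is listed for the next pass. The log excerpts are copied from the posts above; the rules, the trusted-host list and the "eight lowercase letters" heuristic are my own assumptions, not HijackThis logic.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (before ComboFix and
# after); only entries relevant to the rules below are kept.
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [Sys1.exe] C:\Windows\Sys1.exe
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\fwftoanw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: evgratsm - {82955011-CE07-44AF-A29A-83B7775A8C92} - C:\WINDOWS\evgratsm.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

HJT_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path in the entry that ends in a .dll/.exe; directory and file name split out.
PATH_RE = re.compile(r'(?P<dir>[A-Za-z]:\\(?:[^\\"]+\\)*)(?P<name>[^\\"]+\.(?:dll|exe))', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")          # the [value name] of an O4 Run entry
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")   # assumed heuristic: fwftoanw.dll, evgratsm.dll, ...
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "yahoo.com")  # assumed allow-list for the start page


def triage_entry(code, body):
    """Return a reason string if the entry matches one of the triage rules, else None."""
    m = PATH_RE.search(body)
    directory = m.group("dir").lower() if m else ""
    name = m.group("name").lower() if m else ""
    if code in ("R0", "R1") and "Start Page" in body:
        url = body.split("=", 1)[1].strip()
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            return "browser start page points at an untrusted host: " + host
    if code == "O4" and body.startswith(("Startup:", "Global Startup:")):
        item = body.split(":", 1)[1].strip()
        if item.startswith("."):
            return "hidden dot-file in a Startup folder: " + item
    if code in ("O3", "O4", "O21"):
        if RANDOM_NAME_RE.match(name):
            return "random 8-letter module name: " + name
        if directory == "c:\\windows\\":
            return "module loaded straight from the Windows directory: " + name
    if code == "O6":
        return "IE restrictions policy present"
    if code == "O7" and "DisableRegedit=1" in body:
        return "registry editor disabled by policy"
    return None


def entry_key(code, body):
    """Identity used to match entries across two logs: O4 Run entries by value name
    (a dropper often re-creates the same value pointing at a freshly named file),
    everything else by its full text."""
    m = RUN_NAME_RE.search(body)
    if code == "O4" and m:
        return f"{code}:{m.group('name')}"
    return f"{code}:{body}"


def triage(log_text):
    """Parse a HijackThis log and return the entries that match a triage rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        code, body = m.group("code"), m.group("body")
        reason = triage_entry(code, body)
        if reason:
            findings.append({"code": code, "key": entry_key(code, body),
                             "reason": reason, "line": line})
    return findings


def persisting(before_text, after_text):
    """Flagged entries of the second log whose identity was already flagged in the
    first: they survived the cleanup (or were re-created) and need another pass."""
    before_keys = {f["key"] for f in triage(before_text)}
    return [f for f in triage(after_text) if f["key"] in before_keys]


if __name__ == "__main__":
    for f in triage(HJT_BEFORE):
        print(f"[{f['code']}] {f['reason']}")
    print("--- still present after ComboFix ---")
    for f in persisting(HJT_BEFORE, HJT_AFTER):
        print(f"[{f['code']}] {f['reason']}")
```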
 
Log file after running Avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\rqwhjduk.dll" deleted successfully.
File "C:\WINDOWS\system32\kudjhwqr.ini" deleted successfully.
File "C:\WINDOWS\system32\wnaotfwf.ini" deleted successfully.
File "C:\WINDOWS\system32\fujnhkhw.ini" deleted successfully.
File "C:\WINDOWS\agpqlrfm.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 
OK,

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
Hi, I'm trying to run the Kaspersky Online Scanner and my system keeps hanging - I've tried at least a dozen times now and each time it does the same thing. Do you have any suggestions??
 
OK, have you tried a different browser?

Otherwise try this:

OK, let's get a log from Panda's online scanner:

Run Panda Online Scan
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: it will take a couple of minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop
 
Active Scan Log

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-01 18:02:22
PROTECTIONS: 0
MALWARE: 42
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00024343 adware/keenvalue Adware No 0 Yes No c:\windows\system32\drivers\etc\hosts.bho
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@casalemedia[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@mediaplex[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@clickbank[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\[email protected][1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@burstnet[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@advertising[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@realmedia[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\pnw\Cookies\pnw@adrevolver[2].txt
00217379 adware/dollarrevenue Adware No 0 Yes No hkey_local_machine\software\microsoft\drsmartload
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120724.EXE
01253216 Generic Malware Virus/Trojan No 0 Yes No C:\syssxxz.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120712.sys
02909997 Adware/SystemDefender Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0115631.exe
03324220 Adware/VistaAntivirus Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0117653.cpl
03324220 Adware/VistaAntivirus Adware No 0 No No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir[vav.cpl]
03324220 Adware/VistaAntivirus Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0117649.cpl
03324220 Adware/VistaAntivirus Adware No 0 No No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120682.exe[vav.cpl]
03324615 Adware/VistaAntivirus Adware No 0 No No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120682.exe[vav.exe]
03324615 Adware/VistaAntivirus Adware No 0 No No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir[vav.exe]
03324615 Adware/VistaAntivirus Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0118663.exe
03329533 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113621.exe
03329533 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120681.exe
03329533 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir
03329564 Generic Trojan Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\7.exe.vir
03329564 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120683.exe
03339148 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120688.dll
03339148 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\evgratsm.dll.vir
03339166 Adware/Antivirus2008 Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir
03339166 Adware/Antivirus2008 Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120682.exe
03348898 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\kgxmotapktx.dll.vir
03348898 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120690.dll
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\urorlp.dll.vir
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\lgukgmxg.dll.vir
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120697.dll
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120702.dll
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\bpbopurc.dll.vir
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120694.dll
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ogleuv.dll.vir
03363333 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120698.dll
03363397 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP409\A0120825.exe
03363399 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120706.exe
03363399 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\erms.exe.vir
03378081 Adware/AVMaster Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0114620.exe
03378081 Adware/AVMaster Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir
03378081 Adware/AVMaster Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113622.exe
03378081 Adware/AVMaster Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120678.exe
03378093 Adware/AVMaster Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir
03378093 Adware/AVMaster Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120679.exe
03378138 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\qwmlloyr.dll.vir
03378138 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\hpxpds.dll.vir
03378138 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120700.dll
03378138 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120696.dll
03378431 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\agsjruwd.dll.vir
03378431 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120693.dll
03378431 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113623.dll
03378566 Application/Winantivirus2006 HackTools No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120680.exe
03378566 Application/Winantivirus2006 HackTools No 0 Yes No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir
03378566 Application/Winantivirus2006 HackTools No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP405\A0113620.exe
03393186 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP409\A0120828.dll
03398311 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120689.dll
03398311 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\kvxqmtre.dll.vir
03398312 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\edel.exe.vir
03398312 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120705.exe
03398327 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\kgxmotaptbp.dll.vir
03398327 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120691.dll
03403509 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ebtdgjcr.dll.vir
03403509 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120703.dll
03403509 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ykrgzc.dll.vir
03403509 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120695.dll
03421794 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120687.dll
03421794 Adware/VapSup Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\qndsfmao.dll.vir
03431663 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{B191484F-6940-4C0A-B094-69318FF0F599}\RP406\A0120711.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
 
My apologies for the delay.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
  • O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
  • O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
  • O24 - Desktop Component 0: (no name) - (no file)

Please close all open windows except for HijackThis and choose Fix checked.

Please delete the following file:
C:\syssxxz.exe

Please reboot your PC.

Please rename HijackThis.exe to scanner.exe (or anything else that's not HijackThis.exe) and post a new HijackThis log. How is your system running now?
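
An added example, not part of the thread or of the HijackThis tool: a small Python triage script that encodes the checks the helper applied to this log format (an R0 start page pointing at an unexpected host, O3/O24 entries with no name and no file, an O4 rundll32 autorun loading a randomly named DLL) and, going a little beyond the post, marks an O23 service with "Unknown owner" for review rather than for fixing. The sample log lines are copied from the thread; TRUSTED_HOSTS is an assumed allowlist of expected start/search hosts.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the four entries the helper asked to fix, copied from
# the thread, plus benign lines from the same log that should be left alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [04d8880a] rundll32.exe "C:\WINDOWS\system32\rqwhjduk.dll",b
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")              # "<code> - <body>"
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.I)  # DLL handed to rundll32
HEX_KEY_RE = re.compile(r"\[[0-9a-f]{8}\]")                     # run-key name like [04d8880a]
RANDOM_DLL_RE = re.compile(r"\\[a-z]{6,12}\.dll$")              # random lowercase DLL name
TRUSTED_HOSTS = {"go.microsoft.com"}  # assumed allowlist; tailor it to the machine's defaults

def triage(log_text):
    """Return (code, action, reason, line) for each HijackThis entry worth attention."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        action = reason = None
        if code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url and (urlparse(url).hostname or "") not in TRUSTED_HOSTS:
                action, reason = "fix", "start/search page points at an unexpected host"
        elif code in ("O3", "O24") and "(no name)" in body and "(no file)" in body:
            action, reason = "fix", "orphaned entry with no name and no file on disk"
        elif code == "O4":
            dll = RUNDLL_RE.search(body)
            if dll and (HEX_KEY_RE.search(body) or RANDOM_DLL_RE.search(dll.group(1))):
                action, reason = "fix", "rundll32 autorun loading a randomly named DLL"
        elif code == "O23" and "Unknown owner" in body:
            action, reason = "review", "service binary has no identified owner"
        if action:
            findings.append((code, action, reason, raw.strip()))
    return findings

if __name__ == "__main__":
    for code, action, reason, line in triage(SAMPLE_LOG):
        print(f"{action:6} {code:4} {reason}\n       {line}")
```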
 
Latest Log!! System still a little slow!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59, on 05/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\pnw\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.genie.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.genie.co.uk
O15 - Trusted Zone: http://www.skillstrain-online.com
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4935 bytes
 