Computing.Net > Forums > Security and Virus > pos.tmp and more


pos.tmp and more


Name: jrtech33
Date: January 29, 2008 at 00:20:50 Pacific
OS: Windows Xp
CPU/Ram: P4 3Ghz 1.24 Gb Ram
Product: Dell
Comment:

Hi, I've been trying to fix these problems but I don't know how. My IE is constantly opening and I have unknown processes running; it's really a pain. Also, I can't find IE on my desktop anymore, and I have a ton of pos.tmp files in my Documents folder and on the C: drive. Thanks for any help.

Response Number 1
Name: jabuck
Date: January 29, 2008 at 03:23:41 Pacific
Reply:

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Run Vundofix again.

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: jrtech33
Date: January 29, 2008 at 09:18:35 Pacific
Reply:

Wow, thank you for the quick reply, I really appreciate it... here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:07 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [04ee46fe] rundll32.exe "C:\WINDOWS\system32\tuaurpuu.dll",b
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKUS\S-1-5-18\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [POSTRBT] C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O21 - SSODL: itNvUfnoPKDSkA - {04EE4652-AE44-ECF8-7E0E-53444C0D25FB} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Service (INSY) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Plus\dirto.html

--
End of file - 8486 bytes
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


And here is the ComboFix Log:
ComboFix 08-01-29.3 - Junior 2008-01-29 0:46:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT -8:00]
Running from: C:\Documents and Settings\Junior\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\Guest\Application Data\.rdr.ini
C:\Documents and Settings\Junior\Application Data\.rdr.ini
C:\Documents and Settings\Junior\Application Data\install.dat
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CheckersAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\ChessAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\EnableDisableAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\NoSettingAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\ReversiAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.exe
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Cache\0002E43C
C:\Program Files\MyWebSearch\bar\Cache\0034B6C0
C:\Program Files\MyWebSearch\bar\Cache\00DFD8BF
C:\Program Files\MyWebSearch\bar\Cache\0207A4BF
C:\Program Files\MyWebSearch\bar\Cache\0207AAD9.bin
C:\Program Files\MyWebSearch\bar\Cache\0207AC12.bin
C:\Program Files\MyWebSearch\bar\Cache\0207AD5A.bin
C:\Program Files\MyWebSearch\bar\Cache\0207AEB2.bin
C:\Program Files\MyWebSearch\bar\Cache\05A77149.bin
C:\Program Files\MyWebSearch\bar\Cache\0741EEDC.bin
C:\Program Files\MyWebSearch\bar\Cache\0741F2B4.bin
C:\Program Files\MyWebSearch\bar\Cache\0741F3CD.bin
C:\Program Files\MyWebSearch\bar\Cache\0741F535.bin
C:\Program Files\MyWebSearch\bar\Cache\0A8D128C.bin
C:\Program Files\MyWebSearch\bar\Cache\0A8D157A.bin
C:\Program Files\MyWebSearch\bar\Cache\0A8D175E.bin
C:\Program Files\MyWebSearch\bar\Cache\22602B23
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\Online Services\vizykinu4444.dll
C:\Program Files\Online Services\vizykinu83122.dll
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Windows Plus\dirto.html
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\159x.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\byyawv.dll
C:\WINDOWS\cfihii.ini
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\efhhii.ini
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\F?nts\
C:\WINDOWS\fnts~1\wuaclt.exe
C:\WINDOWS\gghkkj.ini
C:\WINDOWS\hgjijl.ini
C:\WINDOWS\iihhfe.dll
C:\WINDOWS\iihifc.dll
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\jkkhgg.dll
C:\WINDOWS\khebax.dll
C:\WINDOWS\ljijgh.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\bmtl.dll
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\system32\ldr1.tmp
C:\WINDOWS\system32\ldrC.tmp
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\msdrives
C:\WINDOWS\system32\opnlkjh.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\racle~1\s?anregw.exe
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\smpi1\DealioKit1-stub-0.exe
C:\WINDOWS\system32\spoolsvv.sys
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\winhealer.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\vwayyb.ini
C:\WINDOWS\ws386.ini
C:\WINDOWS\xabehk.ini
C:\WINDOWS\zzzx.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

C:\WINDOWS\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER
-------\LEGACY_DRIVERPP
-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\DomainService
-------\Driver
-------\driverpp
-------\EXAMPLE
-------\NDnet1
-------\Runtime
-------\windev-73db-d83


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 00:59 . 2008-01-29 00:59 <DIR> d-------- C:\Temp\tn3
2008-01-29 00:59 . 2008-01-29 00:59 932 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-29 00:05 . 2008-01-29 00:33 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:38 . 2008-01-28 21:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-28 21:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-28 21:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-28 17:32 . 2008-01-28 22:48 414 ---hs---- C:\WINDOWS\system32\uupruaut.ini
2008-01-28 14:43 . 2008-01-28 14:43 <DIR> d-------- C:\Program Files\Half Life 2
2008-01-28 02:46 . 2008-01-28 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 02:42 . 2008-01-28 02:42 <DIR> d-------- C:\Deckard
2008-01-28 01:24 . 2008-01-28 02:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-28 00:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 00:41 . 2008-01-28 01:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 00:41 . 2008-01-28 00:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 00:41 . 2008-01-28 00:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 00:41 . 2008-01-28 00:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 00:15 . 2008-01-28 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-28 00:14 . 2008-01-28 00:15 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-28 00:14 . 2008-01-28 00:14 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-27 23:34 . 2008-01-28 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 23:27 . 2008-01-27 23:27 <DIR> d-------- C:\Program Files\Uniblue
2008-01-27 23:12 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\Uniblue
2008-01-27 23:02 . 2008-01-27 23:02 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-27 23:02 . 2008-01-27 23:02 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\PC Tools
2008-01-27 22:40 . 2004-10-14 19:22 5,110 --a------ C:\WINDOWS\system32\e100b325.din
2008-01-27 22:40 . 2003-11-03 18:15 1,902 --------- C:\WINDOWS\system32\SetupBD.din
2008-01-27 18:26 . 2008-01-27 18:26 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-27 18:26 . 2008-01-27 18:26 87,552 --a------ C:\WINDOWS\system32\TmpX.exe
2008-01-27 18:26 . 2008-01-29 01:00 114 --a------ C:\WINDOWS\system32\url3
2008-01-27 18:26 . 2008-01-29 01:00 102 --a------ C:\WINDOWS\system32\url2
2008-01-27 18:26 . 2008-01-29 01:00 102 --a------ C:\WINDOWS\system32\url1
2008-01-27 18:26 . 2008-01-29 01:00 8 --a------ C:\WINDOWS\system32\CID
2008-01-27 18:26 . 2008-01-27 18:26 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-27 17:16 . 2008-01-27 23:02 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-27 17:16 . 2008-01-27 18:28 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-27 17:16 . 2008-01-27 17:16 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-27 17:16 . 2008-01-27 17:16 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-27 17:16 . 2008-01-27 17:16 <DIR> d-------- C:\Temp\gTiis19
2008-01-27 17:16 . 2008-01-27 17:16 <DIR> d-------- C:\Temp\cXzz9
2008-01-27 17:16 . 2008-01-27 17:16 86,016 --a------ C:\WINDOWS\system32\drivers\mcdd.sys
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-24 11:03 . 2008-01-24 11:08 <DIR> d-------- C:\Program Files\AlphaZIP
2008-01-24 11:03 . 2008-01-24 11:04 58,904 --a------ C:\WINDOWS\system32\sysfolderazipcnt.dll
2008-01-24 11:03 . 2008-01-24 11:04 58,904 --a------ C:\WINDOWS\system32\azipcontmn.dll
2008-01-02 00:54 . 2002-04-11 19:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 08:54 --------- d-----w C:\Program Files\Windows Plus
2008-01-29 07:25 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-29 06:01 14 ----a-w C:\Documents and Settings\Junior\getfile.dat
2008-01-29 05:57 --------- d-----w C:\Program Files\Starcraft
2008-01-28 11:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 11:21 --------- d-----w C:\Program Files\Dell
2008-01-28 09:51 --------- d-----w C:\Program Files\BitComet
2008-01-28 09:51 --------- d-----w C:\Program Files\AIM
2008-01-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 20:01 --------- d-----w C:\Documents and Settings\Junior\Application Data\Aim
2008-01-20 07:49 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-09 18:45 --------- d-----w C:\Program Files\LimeWire
2007-05-14 23:01 14 ----a-w C:\Documents and Settings\Genesis\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C15DD7-49D5-4D88-BE0E-E3B4E395A72D}]
C:\WINDOWS\system32\jkhhg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd64fb13-7fcf-4f6b-a436-3d4a37cc4295}]
C:\WINDOWS\system32\pxnxctwt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-03-12 12:22 61440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-17 11:46 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 09:31 9479448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 21:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 21:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 21:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 14:00 128920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-04-19 10:07 810576]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 11:10 421888]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 11:19 8192]
"04ee46fe"="C:\WINDOWS\system32\tuaurpuu.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"POSTRBT"="C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 15:52:50 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-05 20:57:37 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ialcap]
ialcap.dll

R1 mcdd;mcdd;C:\WINDOWS\system32\drivers\mcdd.sys [2008-01-27 17:16]
R2 INSY;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-27 18:26]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 17:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 07:28:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-28 07:28:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 01:01:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-01-29 1:05:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 09:05:24
.
2008-01-29 06:42:13 --- E O F ---



Response Number 3
Name: jabuck
Date: January 29, 2008 at 18:43:39 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\uupruaut.ini
C:\WINDOWS\system32\TmpX.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\tuaurpuu.dll
C:\WINDOWS\system32\pxnxctwt.dll
C:\WINDOWS\system32\jkhhg.dll

Driver::
mcdd
INSY
Security Service
04ee46fe

Folder::
C:\Temp\tn3
C:\WINDOWS\system32\svcd
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\SvcNm
C:\WINDOWS\system32\wnis6
C:\WINDOWS\system32\nip4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\ets1
C:\Temp\gTiis19
C:\Temp\cXzz9

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C15DD7-49D5-4D88-BE0E-E3B4E395A72D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd64fb13-7fcf-4f6b-a436-3d4a37cc4295}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"04ee46fe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ialcap]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

Post a new Combofix log.


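The HijackThis log in Response 2 and the CFScript in Response 3 together show the triage loop a helper runs by eye: pick out the autostart entries that do not belong (a Run value named with eight hex digits that loads a DLL through rundll32, an AppInit_DLLs entry pointing at a .dat file, an orphaned SSODL value, services with "Unknown owner" living under C:\WINDOWS, a svchost.exe outside system32), then script their removal in the File::/Driver::/Registry:: layout ComboFix reads. A detail worth noticing in the deletion list is that several file pairs are mirror images of each other (tuaurpuu.dll and uupruaut.ini, mllji.dll and ijllm.ini, byyawv.dll and vwayyb.ini), a naming habit of Vundo variants that makes a cheap detection rule. The script below is an added example written for this page, not a tool from the thread, from HijackThis or from ComboFix: the sample lines are excerpts of the posted logs, the heuristics and the registry key names are the editor's, and the CFScript it emits is a draft for a human to check, not something to drop onto ComboFix unread.

```python
"""Triage a HijackThis 2.0.2 log for the indicator shapes in this thread and draft a
ComboFix CFScript from the hits.  Added example; the heuristics are the editor's
reading of the posted logs, not a tool from the original post or from ComboFix."""
import re
from typing import Dict, List, Tuple

# Constructed input: lines copied from the HijackThis log in Response 2, plus the
# benign ehTray and iPod lines so the filter has something to leave alone.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [04ee46fe] rundll32.exe "C:\WINDOWS\system32\tuaurpuu.dll",b
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O21 - SSODL: itNvUfnoPKDSkA - {04EE4652-AE44-ECF8-7E0E-53444C0D25FB} - (no file)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: Security Service (INSY) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed input: file names taken from the ComboFix output in Response 2.
SAMPLE_DELETED = [
    r"C:\WINDOWS\byyawv.dll", r"C:\WINDOWS\vwayyb.ini",
    r"C:\WINDOWS\system32\mllji.dll", r"C:\WINDOWS\system32\ijllm.ini",
    r"C:\WINDOWS\system32\tuaurpuu.dll", r"C:\WINDOWS\system32\uupruaut.ini",
    r"C:\WINDOWS\system32\perfc000.dat",
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)

Finding = Tuple[str, str, str]  # (CFScript section, or "" for manual review; entry; reason)


def triage_hjt(text: str) -> List[Finding]:
    """Flag the HJT line types that carried this infection and say how to script them."""
    out: List[Finding] = []
    for line in filter(None, text.splitlines()):
        if m := re.match(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$", line):
            hive, name, cmd = m.groups()
            # Vundo names its Run value with 8 hex digits and loads the DLL via rundll32.
            if HEX_NAME.match(name) and "rundll32" in cmd.lower():
                if dll := re.search(r'"([^"]+\.dll)"', cmd, re.I):
                    out.append(("File::", dll.group(1), f"DLL loaded by random Run value [{name}]"))
                out.append(("Registry::", f"[{HIVES[hive]}{RUN_KEY}]\n\"{name}\"=-",
                            "Run value with a random hex name"))
        elif m := re.match(r"^O10 - Unknown file in Winsock LSP: (.+)$", line):
            # Deleting an LSP without repairing the Winsock chain breaks networking: review only.
            out.append(("", m.group(1), "unknown Winsock LSP; repair the chain, do not just delete"))
        elif m := re.match(r"^O20 - AppInit_DLLs: (.+)$", line):
            # AppInit_DLLs is loaded into every process that maps user32; a .dat here is not legit.
            out.append(("File::", m.group(1), "AppInit_DLLs injection module"))
            out.append(("Registry::", f"[{APPINIT_KEY}]\n\"AppInit_DLLs\"=\"\"", "clear AppInit_DLLs"))
        elif m := re.match(r"^O21 - SSODL: (\S+) - (\{[^}]+\}) - (.+)$", line):
            name, _clsid, path = m.groups()
            if path != "(no file)":
                out.append(("File::", path, f"SSODL module {name}"))
            out.append(("Registry::", f"[{SSODL_KEY}]\n\"{name}\"=-", "ShellServiceObjectDelayLoad entry"))
        elif m := re.match(r"^O23 - Service: (.+?) - (.+?) - (.+)$", line):
            display, owner, path = m.groups()
            folder, _, base = path.lower().rpartition("\\")
            fake_svchost = base == "svchost.exe" and folder != r"c:\windows\system32"
            if (owner == "Unknown owner" and folder.startswith(r"c:\windows")) or fake_svchost:
                short = re.search(r"\(([^)]+)\)$", display)  # "Security Service (INSY)" -> INSY
                out.append(("Driver::", short.group(1) if short else display, f"service {display}"))
                out.append(("File::", path, f"binary of service {display}"))
    return out


def reversed_name_pairs(paths: List[str]) -> List[Tuple[str, str]]:
    """Pair files whose stems are mirror images (tuaurpuu.dll / uupruaut.ini): the
    Vundo habit of keeping a DLL's settings file under the DLL's name reversed."""
    by_stem: Dict[str, List[str]] = {}
    for p in paths:
        stem = p.rsplit("\\", 1)[-1].lower().rpartition(".")[0]
        by_stem.setdefault(stem, []).append(p)
    pairs = []
    for stem, group in by_stem.items():
        mirror = stem[::-1]
        if mirror in by_stem and stem < mirror:  # skip palindromes, count each pair once
            pairs += [tuple(sorted((a, b))) for a in group for b in by_stem[mirror]]
    return pairs


def build_cfscript(findings: List[Finding]) -> str:
    """Lay out the scripted findings the way ComboFix reads CFScript.txt, File:: first.
    Entries flagged for manual review (section "") are deliberately left out."""
    sections: Dict[str, List[str]] = {"File::": [], "Driver::": [], "Registry::": []}
    for section, entry, _reason in findings:
        if section in sections and entry not in sections[section]:
            sections[section].append(entry)
    blocks = [f"{name}\n" + "\n".join(entries) for name, entries in sections.items() if entries]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT)
    for section, entry, reason in hits:
        print(f"{section or 'REVIEW':10} {reason}: {entry.splitlines()[-1]}")
    print("\nmirror-name pairs:", reversed_name_pairs(SAMPLE_DELETED))
    print("\n" + build_cfscript(hits))
```

Run against the sample, the draft lists tuaurpuu.dll, perfc000.dat, qwerty12.exe and svcd\svchost.exe under File::, DomainService and INSY under Driver::, and the Run, AppInit_DLLs and SSODL values under Registry::, which is the same shape as the script jabuck wrote by hand; the winhealer.dll LSP is reported but kept out of the script on purpose, because removing a Winsock provider without fixing the chain leaves the machine without networking. The BitDefender bdss service, also "Unknown owner" in the log, is not flagged because it runs from Program Files, which is why the owner field alone is a weak signal and the path has to be part of the rule.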

Response Number 4
Name: jrtech33
Date: January 29, 2008 at 19:43:03 Pacific
Reply:

ComboFix 08-01-29.3 - Junior 2008-01-29 19:24:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT -8:00]
Running from: C:\Documents and Settings\Junior\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Junior\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\pxnxctwt.dll
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\TmpX.exe
C:\WINDOWS\system32\tuaurpuu.dll
C:\WINDOWS\system32\uupruaut.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Temp\cXzz9
C:\Temp\gTiis19
C:\Temp\gTiis19\lTig.log
C:\temp\tn3
C:\WINDOWS\system32\CID\
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ets1
C:\WINDOWS\system32\ets1\ovstadcom2.exe
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\nip4
C:\WINDOWS\system32\svcd
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\SvcNm\
C:\WINDOWS\system32\TmpX.exe
C:\WINDOWS\system32\url1\
C:\WINDOWS\system32\url2\
C:\WINDOWS\system32\url3\
C:\WINDOWS\system32\uupruaut.ini
C:\WINDOWS\system32\wnis6
C:\WINDOWS\system32\wnis6\enamd83122.exe

[color=red] C:\WINDOWS\system32\winlogon.exe . . . is infected!![/color]

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_INSY
-------\LEGACY_MCDD
-------\INSY
-------\mcdd


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 01:10 . 2008-01-29 01:15 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-29 01:10 . 2008-01-29 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-29 00:05 . 2008-01-29 00:33 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:38 . 2008-01-28 21:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-28 21:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-28 21:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-28 14:43 . 2008-01-28 14:43 <DIR> d-------- C:\Program Files\Half Life 2
2008-01-28 02:46 . 2008-01-28 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 02:42 . 2008-01-28 02:42 <DIR> d-------- C:\Deckard
2008-01-28 01:24 . 2008-01-28 02:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-28 00:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 00:41 . 2008-01-28 01:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 00:41 . 2008-01-28 00:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 00:41 . 2008-01-28 00:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 00:41 . 2008-01-28 00:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 00:15 . 2008-01-28 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-28 00:14 . 2008-01-28 00:15 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-28 00:14 . 2008-01-28 00:14 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-27 23:34 . 2008-01-28 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 23:27 . 2008-01-27 23:27 <DIR> d-------- C:\Program Files\Uniblue
2008-01-27 23:12 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\Uniblue
2008-01-27 23:02 . 2008-01-27 23:02 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\PC Tools
2008-01-27 22:40 . 2004-10-14 19:22 5,110 --a------ C:\WINDOWS\system32\e100b325.din
2008-01-27 22:40 . 2003-11-03 18:15 1,902 --------- C:\WINDOWS\system32\SetupBD.din
2008-01-27 18:26 . 2008-01-29 16:30 114 --a------ C:\WINDOWS\system32\url3
2008-01-27 18:26 . 2008-01-29 16:30 102 --a------ C:\WINDOWS\system32\url2
2008-01-27 18:26 . 2008-01-29 16:30 102 --a------ C:\WINDOWS\system32\url1
2008-01-27 18:26 . 2008-01-29 16:30 8 --a------ C:\WINDOWS\system32\CID
2008-01-27 18:26 . 2008-01-27 18:26 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-27 17:16 . 2008-01-27 17:16 86,016 --a------ C:\WINDOWS\system32\drivers\mcdd.sys
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-24 11:03 . 2008-01-24 11:08 <DIR> d-------- C:\Program Files\AlphaZIP
2008-01-24 11:03 . 2008-01-24 11:04 58,904 --a------ C:\WINDOWS\system32\sysfolderazipcnt.dll
2008-01-24 11:03 . 2008-01-24 11:04 58,904 --a------ C:\WINDOWS\system32\azipcontmn.dll
2008-01-02 00:54 . 2002-04-11 19:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 23:09 14 ----a-w C:\Documents and Settings\Junior\getfile.dat
2008-01-29 21:52 --------- d-----w C:\Program Files\Starcraft
2008-01-29 08:54 --------- d-----w C:\Program Files\Windows Plus
2008-01-29 07:25 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-28 11:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 11:21 --------- d-----w C:\Program Files\Dell
2008-01-28 09:51 --------- d-----w C:\Program Files\BitComet
2008-01-28 09:51 --------- d-----w C:\Program Files\AIM
2008-01-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 20:01 --------- d-----w C:\Documents and Settings\Junior\Application Data\Aim
2008-01-20 07:49 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-09 18:45 --------- d-----w C:\Program Files\LimeWire
2007-05-14 23:01 14 ----a-w C:\Documents and Settings\Genesis\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-03-12 12:22 61440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-17 11:46 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 09:31 9479448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 21:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 21:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 21:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 14:00 128920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 11:10 421888]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 11:19 8192]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 15:52:50 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-05 20:57:37 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 17:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 07:28:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-28 07:28:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 19:35:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
(((((((((((((((((((((((((((((((((((((((( Running Processes ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 19:39:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 03:39:48
ComboFix2.txt 2008-01-29 09:05:28
.
2008-01-29 06:42:13 --- E O F ---


Response Number 5
Name: jrtech33
Date: January 29, 2008 at 19:56:25 Pacific
Reply:

hey thanks for the help it fixed a lot but i still don't see internet explorer and can't seem to locate it.


Response Number 6
Name: jabuck
Date: January 29, 2008 at 20:13:31 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\sysfolderazipcnt.dll
C:\WINDOWS\system32\azipcontmn.dll
C:\WINDOWS\system32\drivers\mcdd.sys

Folder::
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\SvcNm

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Post a new Combofix log.

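The helper picked the Folder:: and File:: targets above by reading two things in the Response Number 4 log: tiny, extension-less files dropped straight into system32 (url1-3, CID, SvcNm), and a Run value whose trailing "[ ]" is empty because ComboFix found no file on disk ("SDTray"). The Python below is an added example, not ComboFix code or anything from this thread; the embedded log lines are an excerpt copied from that log, and the 1024-byte threshold and the function names are assumptions made for the example.

```python
"""Triage helpers for ComboFix log excerpts (added example, not ComboFix code).

Implements the two heuristics the helper applied in this thread and lays out
a CFScript.txt with "File::" as its very first line. The size threshold and
all names here are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt copied from the "Files Created" section of the log posted above
# (a handful of lines, not the whole log).
SAMPLE_FILES_CREATED = r"""
2008-01-29 01:10 . 2008-01-29 01:15 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-28 21:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-28 00:41 . 2008-01-28 00:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-27 18:26 . 2008-01-29 16:30 114 --a------ C:\WINDOWS\system32\url3
2008-01-27 18:26 . 2008-01-29 16:30 102 --a------ C:\WINDOWS\system32\url2
2008-01-27 18:26 . 2008-01-29 16:30 102 --a------ C:\WINDOWS\system32\url1
2008-01-27 18:26 . 2008-01-29 16:30 8 --a------ C:\WINDOWS\system32\CID
2008-01-27 18:26 . 2008-01-27 18:26 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-27 17:16 . 2008-01-27 17:16 86,016 --a------ C:\WINDOWS\system32\drivers\mcdd.sys
"""

# Excerpt copied from the HKLM ...\CurrentVersion\Run section of the same log.
SAMPLE_RUN_KEY = r"""
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"""

# created . modified  size|<DIR>  attrs  path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$")
# "name"="target" [metadata]
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]*)" \[(.*)\]$')
SYSTEM32 = "c:\\windows\\system32\\"
SMALL_FILE_BYTES = 1024  # assumption: a legitimate system32 file is rarely this small


@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_files_created(text: str) -> List[CreatedEntry]:
    """Parse 'Files Created' lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        size_bytes = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(CreatedEntry(created, modified, size_bytes, attrs, path))
    return entries


def suspicious_system32_files(entries: List[CreatedEntry]) -> List[str]:
    """Files under SMALL_FILE_BYTES with no extension, directly in system32."""
    hits = []
    for e in entries:
        if e.size is None or e.size >= SMALL_FILE_BYTES:
            continue
        if not e.path.lower().startswith(SYSTEM32):
            continue
        name = e.path[len(SYSTEM32):]
        if "\\" in name or "." in name:  # in a subdirectory, or has an extension
            continue
        hits.append(e.path)
    return hits


def orphaned_run_entries(text: str) -> List[Tuple[str, str]]:
    """Run values whose metadata bracket is empty: ComboFix found no such file."""
    orphans = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m and not m.group(3).strip():
            orphans.append((m.group(1), m.group(2)))
    return orphans


def build_cfscript(files: List[str], folders: List[str]) -> str:
    """Lay out CFScript.txt: "File::" must be the very first line, then "Folder::"."""
    lines = ["File::", *files, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious_system32_files(parse_files_created(SAMPLE_FILES_CREATED))
    print("small extension-less files in system32:", found)
    print("Run values with no file on disk:", orphaned_run_entries(SAMPLE_RUN_KEY))
    print(build_cfscript(found, []))
```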

Response Number 7
Name: jrtech33
Date: January 29, 2008 at 21:10:28 Pacific
Reply:

ComboFix 08-01-29.3 - Junior 2008-01-29 20:55:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.576 [GMT -8:00]
Running from: C:\Documents and Settings\Junior\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Junior\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\WINDOWS\system32\azipcontmn.dll
C:\WINDOWS\system32\drivers\mcdd.sys
C:\WINDOWS\system32\sysfolderazipcnt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\azipcontmn.dll
C:\WINDOWS\system32\CID\
C:\WINDOWS\system32\drivers\mcdd.sys
C:\WINDOWS\system32\SvcNm\
C:\WINDOWS\system32\sysfolderazipcnt.dll
C:\WINDOWS\system32\url1\
C:\WINDOWS\system32\url2\
C:\WINDOWS\system32\url3\

[color=red] C:\WINDOWS\system32\winlogon.exe . . . is infected!![/color]

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 01:10 . 2008-01-29 01:15 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-29 01:10 . 2008-01-29 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-29 00:05 . 2008-01-29 00:33 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:38 . 2008-01-28 21:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-28 21:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-28 21:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-28 14:43 . 2008-01-28 14:43 <DIR> d-------- C:\Program Files\Half Life 2
2008-01-28 02:46 . 2008-01-28 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 02:42 . 2008-01-28 02:42 <DIR> d-------- C:\Deckard
2008-01-28 01:24 . 2008-01-28 02:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-28 00:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 00:41 . 2008-01-28 01:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 00:41 . 2008-01-28 00:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 00:41 . 2008-01-28 00:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 00:41 . 2008-01-28 00:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 00:15 . 2008-01-28 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-28 00:14 . 2008-01-28 00:15 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-28 00:14 . 2008-01-28 00:14 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-27 23:34 . 2008-01-28 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 23:27 . 2008-01-27 23:27 <DIR> d-------- C:\Program Files\Uniblue
2008-01-27 23:12 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\Uniblue
2008-01-27 23:02 . 2008-01-27 23:02 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\PC Tools
2008-01-27 22:40 . 2004-10-14 19:22 5,110 --a------ C:\WINDOWS\system32\e100b325.din
2008-01-27 22:40 . 2003-11-03 18:15 1,902 --------- C:\WINDOWS\system32\SetupBD.din
2008-01-27 18:26 . 2008-01-29 16:30 114 --a------ C:\WINDOWS\system32\url3
2008-01-27 18:26 . 2008-01-29 16:30 102 --a------ C:\WINDOWS\system32\url2
2008-01-27 18:26 . 2008-01-29 16:30 102 --a------ C:\WINDOWS\system32\url1
2008-01-27 18:26 . 2008-01-29 16:30 8 --a------ C:\WINDOWS\system32\CID
2008-01-27 18:26 . 2008-01-27 18:26 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-24 11:03 . 2008-01-24 11:08 <DIR> d-------- C:\Program Files\AlphaZIP
2008-01-02 00:54 . 2002-04-11 19:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 03:46 --------- d-----w C:\Program Files\Starcraft
2008-01-29 23:09 14 ----a-w C:\Documents and Settings\Junior\getfile.dat
2008-01-29 08:54 --------- d-----w C:\Program Files\Windows Plus
2008-01-29 07:25 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-28 11:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 11:21 --------- d-----w C:\Program Files\Dell
2008-01-28 09:51 --------- d-----w C:\Program Files\BitComet
2008-01-28 09:51 --------- d-----w C:\Program Files\AIM
2008-01-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 20:01 --------- d-----w C:\Documents and Settings\Junior\Application Data\Aim
2008-01-20 07:49 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-09 18:45 --------- d-----w C:\Program Files\LimeWire
2007-05-14 23:01 14 ----a-w C:\Documents and Settings\Genesis\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-03-12 12:22 61440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-17 11:46 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 09:31 9479448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 21:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 21:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 21:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 14:00 128920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 11:10 421888]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 11:19 8192]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 15:52:50 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-05 20:57:37 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 17:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 07:28:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-28 07:28:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 21:03:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
(((((((((((((((((((((((((((((((((((((((( Running Processes ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 21:08:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 05:08:38
ComboFix2.txt 2008-01-30 03:39:51
ComboFix3.txt 2008-01-29 09:05:28
.
2008-01-29 06:42:13 --- E O F ---


this can't manage to find IE


Response Number 8
Name: jabuck
Date: January 30, 2008 at 03:27:08 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\Help.ico

Folder::
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\SvcNm

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Post a new Combofix log.


Response Number 9
Name: jrtech33
Date: January 30, 2008 at 12:23:01 Pacific
Reply:

ComboFix 08-01-29.3 - Junior 2008-01-30 12:07:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.718 [GMT -8:00]
Running from: C:\Documents and Settings\Junior\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Junior\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico

[color=red] C:\WINDOWS\system32\winlogon.exe . . . is infected!![/color]

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 02:12 . 2008-01-30 02:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 01:43 . 2008-01-30 02:27 <DIR> d-------- C:\Program Files\SDFix
2008-01-29 01:10 . 2008-01-29 01:15 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-29 01:10 . 2008-01-29 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-29 00:05 . 2008-01-29 00:33 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:38 . 2008-01-28 21:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-28 21:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-28 21:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-28 14:43 . 2008-01-28 14:43 <DIR> d-------- C:\Program Files\Half Life 2
2008-01-28 02:46 . 2008-01-28 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 02:42 . 2008-01-28 02:42 <DIR> d-------- C:\Deckard
2008-01-28 01:24 . 2008-01-28 02:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-28 00:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 00:41 . 2008-01-28 01:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 00:15 . 2008-01-28 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-28 00:14 . 2008-01-28 00:15 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-28 00:14 . 2008-01-28 00:14 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-27 23:34 . 2008-01-28 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 23:27 . 2008-01-27 23:27 <DIR> d-------- C:\Program Files\Uniblue
2008-01-27 23:12 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\Uniblue
2008-01-27 23:02 . 2008-01-27 23:02 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\PC Tools
2008-01-27 22:40 . 2004-10-14 19:22 5,110 --a------ C:\WINDOWS\system32\e100b325.din
2008-01-27 22:40 . 2003-11-03 18:15 1,902 --------- C:\WINDOWS\system32\SetupBD.din
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-24 11:03 . 2008-01-24 11:08 <DIR> d-------- C:\Program Files\AlphaZIP
2008-01-02 00:54 . 2002-04-11 19:21 13,335 -ra------ C:\WINDOWS\system32\drivers\usbcm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 20:05 14 ----a-w C:\Documents and Settings\Junior\getfile.dat
2008-01-30 20:04 --------- d-----w C:\Program Files\Starcraft
2008-01-30 10:18 --------- d-----w C:\Program Files\Windows Plus
2008-01-29 07:25 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-28 11:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 11:21 --------- d-----w C:\Program Files\Dell
2008-01-28 09:51 --------- d-----w C:\Program Files\BitComet
2008-01-28 09:51 --------- d-----w C:\Program Files\AIM
2008-01-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 20:01 --------- d-----w C:\Documents and Settings\Junior\Application Data\Aim
2008-01-20 07:49 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-09 18:45 --------- d-----w C:\Program Files\LimeWire
2007-05-14 23:01 14 ----a-w C:\Documents and Settings\Genesis\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-03-12 12:22 61440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-17 11:46 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 09:31 9479448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 21:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 21:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 21:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 14:00 128920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 11:10 421888]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 11:19 8192]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 15:52:50 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-05 20:57:37 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 17:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 07:28:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-28 07:28:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 12:15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
(((((((((((((((((((((((((((((((((((((((( Running Processes ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-01-30 12:21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 20:21:34
ComboFix2.txt 2008-01-30 05:08:42
ComboFix3.txt 2008-01-30 03:39:51
ComboFix4.txt 2008-01-29 09:05:28
.
2008-01-30 09:48:17 --- E O F ---


Response Number 10
Name: jabuck
Date: January 30, 2008 at 14:32:32 Pacific
Reply:

Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

Your winlogon.exe is infected per combofix. Do not run a "deleting" type antivirus yet or it may remove the file and cause windows to lock up.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


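The reply above asks for the Kaspersky report so it can be analyzed rather than acted on blindly, and warns that a patched winlogon.exe must be repaired, not deleted. As an added example (not part of this thread and not Kaspersky's own tooling), the Python below parses report lines in the scanner's "Detected" format and sorts each hit into live infections, patched system binaries, and inert copies sitting in System Restore points or other tools' quarantine folders. The sample lines are constructed in that format with placeholder GUIDs and file names; the category rules, the critical-binary list and the advice strings are this example's own assumptions, not Kaspersky's classification.

```python
"""Triage a Kaspersky Online Scanner text report.

Added example, not from the original thread or from Kaspersky. Parses the
'<status>: <kind> <name> File|Running module: <object>' lines of the report
and groups them so live infections stand out from harmless leftovers.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout as the report's 'Detected' section
# (placeholder GUID, restore-point and quarantine names; not real detections).
SAMPLE_REPORT = r"""
Detected
--------
Status Object
------ ------
not found: Trojan program Trojan.Win32.Patched.z Running module: winlogon.exe\winlogon.exe
will be disinfected when the computer is restarted: Trojan program Trojan.Win32.Patched.m File: C:\WINDOWS\system32\winlogon.exe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll
detected: Trojan program Trojan-Downloader.Win32.Agent.acl File: C:\Deckard\System Scanner\20080101000000\backup\WINDOWS\temp\svchost.exe
detected: adware not-a-virus:AdWare.Win32.Shopper.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00000000.dll//CryptFF
detected: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\example.jar-00000000-00000000.zip/vlocal.class
detected: Trojan program Trojan-Clicker.Win32.Delf.hj File: C:\Program Files\Mozilla Firefox\click.exe//PE_Patch.UPX//UPX
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\VundoFix Backups\example.dll.bad
detected: Trojan program Trojan-Spy.Win32.BZub.ip File: C:\WINDOWS\system32\rcp.dll
"""

# status ':' kind ('Trojan program', 'adware', 'malware' ...) name 'File:'|'Running module:' object
LINE_RE = re.compile(
    r"^(?P<status>[^:]+): (?P<kind>\w+(?: program)?) (?P<name>\S+) "
    r"(?P<where>File|Running module): (?P<obj>.+)$"
)

# Assumed list of Windows binaries that must be replaced, never deleted.
CRITICAL = {"winlogon.exe", "userinit.exe", "explorer.exe", "svchost.exe",
            "services.exe", "lsass.exe", "csrss.exe", "smss.exe"}

# Assumed folder patterns where a detection is an already-neutralized copy.
INERT_DIRS = ("\\quarantine\\", "\\vundofix backups\\", "\\deckard\\system scanner\\")

ADVICE = {
    "LIVE_PROCESS": "in-memory hit: the on-disk binary is patched; repair the file, then reboot",
    "CRITICAL_SYSTEM_FILE": "patched Windows binary: replace from a clean copy, never delete",
    "LIVE_FILE": "active malware on disk: remove",
    "LIVE_JAVA_CACHE": "exploit payload cached by an outdated JRE: clear the cache, update Java",
    "INERT_RESTORE_POINT": "copy inside a restore point: harmless until restored; purge System Restore last",
    "INERT_QUARANTINE": "already quarantined or backed up by another tool: harmless; empty when done",
}
ORDER = ["LIVE_PROCESS", "CRITICAL_SYSTEM_FILE", "LIVE_FILE", "LIVE_JAVA_CACHE",
         "INERT_RESTORE_POINT", "INERT_QUARANTINE"]


def classify(where, obj):
    """Map one detection to a triage category using the path rules above."""
    path = obj.split("//")[0]              # drop packer/archive suffix ('//UPX', '//data0002')
    low = path.lower().replace("/", "\\")  # '.zip/x.class' becomes a normal path tail
    base = low.rsplit("\\", 1)[-1]
    if where == "Running module":
        return "LIVE_PROCESS"
    if "\\system volume information\\_restore" in low:
        return "INERT_RESTORE_POINT"
    if any(d in low for d in INERT_DIRS):
        return "INERT_QUARANTINE"
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "LIVE_JAVA_CACHE"
    if base in CRITICAL and "\\windows\\" in low:
        return "CRITICAL_SYSTEM_FILE"
    return "LIVE_FILE"


def parse_report(text):
    """Yield (status, name, where, object) for each detection line; headers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("status"), m.group("name"), m.group("where"), m.group("obj")


def triage(text):
    """Group detections by category: {category: [(status, name, object), ...]}."""
    groups = defaultdict(list)
    for status, name, where, obj in parse_report(text):
        groups[classify(where, obj)].append((status, name, obj))
    return dict(groups)


def report(text):
    """Return printable triage lines, live categories first."""
    groups = triage(text)
    return [f"{cat:21} {name:42} {obj}  -> {ADVICE[cat]}"
            for cat in ORDER for _status, name, obj in groups.get(cat, [])]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REPORT)))
```

Run against a saved report, the ordering makes the point the reply is driving at: the files that matter are the in-memory and system32 hits and anything under Program Files or the Java deployment cache, while the long tail of restore-point and quarantine entries is dead weight that disappears once System Restore is flushed and the other tools' quarantines are emptied after the cleanup.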
Response Number 11
Name: jrtech33
Date: January 30, 2008 at 21:02:52 Pacific
Reply:

I get an error when trying to uninstall the old version of Java:


Error 1316. A network error occurred while trying to read from the file C:\Windows\installer\Java 2 Runtime Environment, SE v1.4.2_03.msi

I don't know if I should go ahead and skip this and just scan..


Response Number 12
Name: jabuck
Date: January 31, 2008 at 03:50:24 Pacific
Reply:

The old 1.4.2_03 version should be removed by going to Start > Control Panel > Add/Remove Programs and uninstalling it. The 1.6.3 version should be installed.

Go ahead with the scan.


Response Number 13
Name: only4me
Date: January 31, 2008 at 08:13:38 Pacific
Reply:

Thanks for the help ........


U rock buddy


Response Number 14
Name: jabuck
Date: January 31, 2008 at 14:14:42 Pacific
Reply:

Is your computer operating ok now?


Response Number 15
Name: jrtech33
Date: February 1, 2008 at 10:54:07 Pacific
Reply:

So I scanned with Kaspersky and my winlogon is infected but I can't do anything about it.. um.. and also I can't uninstall my Java.. even from the Add/Remove part it says there is a failure in the network


Response Number 16
Name: jrtech33
Date: February 2, 2008 at 02:44:44 Pacific
Reply:

Protection
----------
Total scanned: 400163
Detected: 57
Untreated: 55
Start time: 2/1/2008 11:32:28 PM
Duration: 00:00:03
Finish time: 2/1/2008 11:32:31 PM


Detected
--------
Status Object
------ ------
not found: Trojan program Trojan.Win32.Patched.z Running module: winlogon.exe\winlogon.exe
will be disinfected when the computer is restarted: Trojan program Trojan.Win32.Patched.m File: C:\WINDOWS\system32\winlogon.exe
detected: Trojan program Trojan.Win32.Patched.z Running module: winlogon.exe\winlogon.exe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132539.dll
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132543.exe
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132549.dll
detected: Trojan program Trojan-Downloader.Win32.Agent.hvx File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132570.exe
detected: Trojan program Trojan-Downloader.Win32.Agent.hvx File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132571.exe
detected: Trojan program Trojan-Downloader.Win32.Agent.hvj File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132572.exe
detected: adware not-a-virus:AdWare.Win32.PurityScan.gt File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132573.dll//PE_Patch.PECompact//PecBundle//PECompact
detected: adware not-a-virus:AdWare.Win32.TTC.a File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132574.dll
detected: adware not-a-virus:AdWare.Win32.TTC.a File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132575.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ar File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132576.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.kw File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132577.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ar File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132578.dll
detected: Trojan program Trojan.Win32.Agent.agv File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132579.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ar File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132580.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ar File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132581.dll
detected: Trojan program Trojan.Win32.BHO.auf File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132583.dll
detected: adware not-a-virus:AdWare.Win32.FunWeb.d File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132590.DLL
detected: Trojan program Trojan.Win32.Agent.edq File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132613.exe
detected: adware not-a-virus:AdWare.Win32.PurityScan.gs File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132614.exe//PE_Patch.PECompact//PecBundle//PECompact
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fj File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132616.exe//PE_Patch.UPX//UPX
detected: Trojan program Rootkit.Win32.Agent.eb File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132618.sys
detected: Trojan program Trojan.Win32.Agent.aoy File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132619.exe
detected: adware not-a-virus:AdWare.Win32.RK.m File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132620.dll
detected: Trojan program Trojan-Proxy.Win32.Agent.ji File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132621.sys
detected: Trojan program Backdoor.Win32.Agent.alp File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132622.dll
detected: Trojan program Trojan-Downloader.Win32.VB.asx File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132623.dll
detected: Trojan program Trojan-Downloader.Win32.Agent.bnn File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132624.exe
detected: adware not-a-virus:AdWare.Win32.Relevant.a File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132627.exe//data0002
detected: Trojan program Trojan.Win32.BHO.ab File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132628.exe
detected: adware not-a-virus:AdWare.Win32.TTC.a File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132629.exe//data0002
detected: Trojan program Trojan-Downloader.Win32.Delf.bld File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132631.exe
detected: Trojan program Trojan-Downloader.Win32.VB.cge File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133698.exe
detected: Trojan program Trojan-Proxy.Win32.Fackemo.h File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133699.exe
detected: adware not-a-virus:AdWare.Win32.TTC.a File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133700.exe
detected: adware not-a-virus:AdWare.Win32.TTC.a File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133700.exe//data0002
detected: Trojan program Rootkit.Win32.Agent.to File: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP804\A0133774.sys
detected: Trojan program Trojan-Downloader.Win32.Agent.acl File: C:\Deckard\System Scanner\20080129000407\backup\WINDOWS\temp\svchost.exe
detected: adware not-a-virus:AdWare.Win32.Shopper.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\219900B9.dll//CryptFF
detected: adware not-a-virus:AdWare.Win32.HotBar.bd File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23B1666B.exe//CryptFF
detected: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Junior\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip/vlocal.class
detected: Trojan program Trojan-Clicker.Win32.Delf.hj File: C:\Program Files\Mozilla Firefox\click.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.VB.awj File: C:\Program Files\Mozilla Firefox\CmarP1083.exe//data0005
detected: Trojan program Trojan-Downloader.Win32.Agent.bnn File: C:\Program Files\Mozilla Firefox\leeman.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.bgo File: C:\Program Files\Mozilla Firefox\ucmoreiex.exe
detected: Trojan program Trojan.Win32.Pakes File: C:\Program Files\Softwin\BitDefender8\Quarantine\ws2_32.dll:fork2
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\VundoFix Backups\clihkdko.dll.bad
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dnn File: C:\VundoFix Backups\jleqdaes.dll.bad
detected: Trojan program Trojan.Win32.BHO.auf File: C:\VundoFix Backups\opnlkjh.dll.bad
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\VundoFix Backups\vxkqlluc.exe.bad
detected: Trojan program Trojan-Downloader.Win32.VB.att File: C:\WINDOWS\422x.exe//UPX
detected: Trojan program Trojan-Spy.Win32.BZub.if File: C:\WINDOWS\46x.exe
detected: Trojan program Trojan-Downloader.Win32.ConHook.bf File: C:\WINDOWS\5x.exe//PE_Patch
detected: malware not-virus:Hoax.Win32.Renos.fn File: C:\WINDOWS\system32\msorcl32.exe//UPX
detected: Trojan program Trojan-Spy.Win32.BZub.ip File: C:\WINDOWS\system32\rcp.dll


Events
------
Time Event
---- -----
2/1/2008 10:46:31 AM Please restart your computer to complete the installation of new or updated protection components.
2/1/2008 10:46:33 AM Update completed successfully
2/1/2008 10:47:07 AM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 10:47:07 AM Security threats have been detected. You are advised to neutralize them immediately.
2/1/2008 10:47:07 AM Running module winlogon.exe\winlogon.exe: is still infected, postponed.
2/1/2008 10:47:07 AM File C:\WINDOWS\system32\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.m'.
2/1/2008 10:47:07 AM File C:\WINDOWS\system32\winlogon.exe: is still infected, postponed.
2/1/2008 10:48:43 AM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 10:52:27 AM Running module winlogon.exe\winlogon.exe: is still infected, skipped by user.
2/1/2008 10:52:27 AM File c:\windows\system32\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.m'.
2/1/2008 10:52:29 AM File c:\windows\system32\winlogon.exe: is still infected, skipped by user.
2/1/2008 10:55:35 AM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 10:55:35 AM Running module winlogon.exe\winlogon.exe: is still infected, postponed.
2/1/2008 10:55:35 AM File C:\WINDOWS\system32\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.m'.
2/1/2008 10:55:41 AM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 10:55:42 AM Running module winlogon.exe\winlogon.exe: is still infected, skipped by user.
2/1/2008 12:51:02 PM Update completed successfully
2/1/2008 2:55:51 PM Update completed successfully
2/1/2008 5:00:51 PM Update completed successfully
2/1/2008 7:05:42 PM Update completed successfully
2/1/2008 9:11:02 PM Update completed successfully
2/1/2008 11:16:16 PM Update completed successfully
2/1/2008 11:32:06 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
2/1/2008 11:32:28 PM Security threats have been detected. You are advised to neutralize them immediately.
2/1/2008 11:34:48 PM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 11:34:49 PM Running module winlogon.exe\winlogon.exe: is still infected, postponed.
2/1/2008 11:34:49 PM File C:\WINDOWS\system32\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.m'.
2/1/2008 11:34:49 PM File C:\WINDOWS\system32\winlogon.exe: is still infected, postponed.
2/1/2008 11:35:44 PM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 11:35:46 PM Running module winlogon.exe\winlogon.exe: is still infected, skipped by user.
2/1/2008 11:36:31 PM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/1/2008 11:36:31 PM Running module winlogon.exe\winlogon.exe: is still infected, postponed.
2/1/2008 11:36:31 PM File C:\WINDOWS\system32\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.m'.
2/1/2008 11:36:38 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132539.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/1/2008 11:36:38 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132539.dll: is still infected, postponed.
2/1/2008 11:36:40 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132543.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.gwe'.
2/1/2008 11:36:40 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132543.exe: is still infected, postponed.
2/1/2008 11:36:42 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132549.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/1/2008 11:36:42 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0132549.dll: is still infected, postponed.
2/1/2008 11:36:45 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132570.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvx'.
2/1/2008 11:36:45 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132570.exe: is still infected, postponed.
2/1/2008 11:36:46 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132571.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvx'.
2/1/2008 11:36:46 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132571.exe: is still infected, postponed.
2/1/2008 11:36:46 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132572.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvj'.
2/1/2008 11:36:46 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132572.exe: is still infected, postponed.
2/1/2008 11:36:47 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132573.dll//PE_Patch.PECompact//PecBundle//PECompact: detected adware 'not-a-virus:AdWare.Win32.PurityScan.gt'.
2/1/2008 11:36:47 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132573.dll//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
2/1/2008 11:36:49 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132574.dll: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/1/2008 11:36:49 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132574.dll: is still infected, postponed.
2/1/2008 11:36:49 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132575.dll: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/1/2008 11:36:49 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132575.dll: is still infected, postponed.
2/1/2008 11:36:50 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132576.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/1/2008 11:36:50 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132576.dll: is still infected, postponed.
2/1/2008 11:36:51 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132577.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.kw'.
2/1/2008 11:36:51 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132577.dll: is still infected, postponed.
2/1/2008 11:36:51 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132578.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/1/2008 11:36:51 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132578.dll: is still infected, postponed.
2/1/2008 11:36:52 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132579.dll: detected Trojan program 'Trojan.Win32.Agent.agv'.
2/1/2008 11:36:52 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132579.dll: is still infected, postponed.
2/1/2008 11:36:53 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132580.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/1/2008 11:36:53 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132580.dll: is still infected, postponed.
2/1/2008 11:36:53 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132581.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/1/2008 11:36:53 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132581.dll: is still infected, postponed.
2/1/2008 11:36:56 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132583.dll: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/1/2008 11:36:56 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132583.dll: is still infected, postponed.
2/1/2008 11:37:00 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132590.DLL: detected adware 'not-a-virus:AdWare.Win32.FunWeb.d'.
2/1/2008 11:37:00 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132590.DLL: is still infected, postponed.
2/1/2008 11:37:04 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132613.exe: detected Trojan program 'Trojan.Win32.Agent.edq'.
2/1/2008 11:37:04 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132613.exe: is still infected, postponed.
2/1/2008 11:37:05 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132614.exe//PE_Patch.PECompact//PecBundle//PECompact: detected adware 'not-a-virus:AdWare.Win32.PurityScan.gs'.
2/1/2008 11:37:05 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132614.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
2/1/2008 11:37:09 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132616.exe//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fj'.
2/1/2008 11:37:09 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132616.exe//PE_Patch.UPX//UPX: is still infected, postponed.
2/1/2008 11:37:10 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132618.sys: detected Trojan program 'Rootkit.Win32.Agent.eb'.
2/1/2008 11:37:10 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132618.sys: is still infected, postponed.
2/1/2008 11:37:12 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132619.exe: detected Trojan program 'Trojan.Win32.Agent.aoy'.
2/1/2008 11:37:12 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132619.exe: is still infected, postponed.
2/1/2008 11:37:13 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132620.dll: detected adware 'not-a-virus:AdWare.Win32.RK.m'.
2/1/2008 11:37:13 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132620.dll: is still infected, postponed.
2/1/2008 11:37:14 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132621.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.ji'.
2/1/2008 11:37:14 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132621.sys: is still infected, postponed.
2/1/2008 11:37:15 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132622.dll: detected Trojan program 'Backdoor.Win32.Agent.alp'.
2/1/2008 11:37:15 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132622.dll: is still infected, postponed.
2/1/2008 11:37:15 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132623.dll: detected Trojan program 'Trojan-Downloader.Win32.VB.asx'.
2/1/2008 11:37:15 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132623.dll: is still infected, postponed.
2/1/2008 11:37:15 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132624.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.bnn'.
2/1/2008 11:37:15 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132624.exe: is still infected, postponed.
2/1/2008 11:37:17 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132627.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.Relevant.a'.
2/1/2008 11:37:17 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132627.exe//data0002: is still infected, postponed.
2/1/2008 11:37:17 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132628.exe: detected Trojan program 'Trojan.Win32.BHO.ab'.
2/1/2008 11:37:17 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132628.exe: is still infected, postponed.
2/1/2008 11:37:19 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132629.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/1/2008 11:37:19 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132629.exe//data0002: is still infected, postponed.
2/1/2008 11:37:20 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132631.exe: detected Trojan program 'Trojan-Downloader.Win32.Delf.bld'.
2/1/2008 11:37:20 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0132631.exe: is still infected, postponed.
2/1/2008 11:38:53 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133698.exe: detected Trojan program 'Trojan-Downloader.Win32.VB.cge'.
2/1/2008 11:38:53 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133698.exe: is still infected, postponed.
2/1/2008 11:38:54 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133699.exe: detected Trojan program 'Trojan-Proxy.Win32.Fackemo.h'.
2/1/2008 11:38:54 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133699.exe: is still infected, postponed.
2/1/2008 11:38:54 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133700.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/1/2008 11:38:54 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP803\A0133700.exe//data0002: is still infected, postponed.
2/1/2008 11:39:04 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP804\A0133774.sys: detected Trojan program 'Rootkit.Win32.Agent.to'.
2/1/2008 11:39:04 PM File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP804\A0133774.sys: is still infected, postponed.
2/1/2008 11:41:24 PM File C:\Deckard\System Scanner\20080129000407\backup\WINDOWS\temp\svchost.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.acl'.
2/1/2008 11:41:24 PM File C:\Deckard\System Scanner\20080129000407\backup\WINDOWS\temp\svchost.exe: is still infected, postponed.
2/1/2008 11:43:49 PM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\219900B9.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Shopper.k'.
2/1/2008 11:43:49 PM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\219900B9.dll//CryptFF: is still infected, postponed.
2/1/2008 11:43:50 PM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23B1666B.exe//CryptFF: detected adware 'not-a-virus:AdWare.Win32.HotBar.bd'.
2/1/2008 11:43:50 PM File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\23B1666B.exe//CryptFF: is still infected, postponed.
2/1/2008 11:46:08 PM File C:\Documents and Settings\Junior\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip/vlocal.class: detected Trojan program 'Trojan-Downloader.Java.Agent.f'.
2/1/2008 11:46:08 PM File C:\Documents and Settings\Junior\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip/vlocal.class: is still infected, postponed.
2/2/2008 1:36:45 AM Update completed successfully
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/Ad-Aware SE Default.skn: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/arrow1.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/arrow2.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bck1.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt11.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt12.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt13.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt21.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt22.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt23.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt31.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt32.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt33.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt41.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt42.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt43.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt51.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt52.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt53.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt61.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt62.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox1.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox2.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox3.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox4.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn1.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn2.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn3.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph1.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph2.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph3.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph4.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph5.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph6.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph7.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/main.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/preview.bmp: is password protected.
2/2/2008 2:02:58 AM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/sprite1.bmp: is password protected.
2/2/2008 2:06:43 AM File C:\Program Files\Mozilla Firefox\click.exe//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Clicker.Win32.Delf.hj'.
2/2/2008 2:06:43 AM File C:\Program Files\Mozilla Firefox\click.exe//PE_Patch.UPX//UPX: is still infected, postponed.
2/2/2008 2:06:44 AM File C:\Program Files\Mozilla Firefox\CmarP1083.exe//data0005: detected Trojan program 'Trojan-Downloader.Win32.VB.awj'.
2/2/2008 2:06:44 AM File C:\Program Files\Mozilla Firefox\CmarP1083.exe//data0005: is still infected, postponed.
2/2/2008 2:06:46 AM File C:\Program Files\Mozilla Firefox\leeman.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.bnn'.
2/2/2008 2:06:46 AM File C:\Program Files\Mozilla Firefox\leeman.exe: is still infected, postponed.
2/2/2008 2:06:49 AM File C:\Program Files\Mozilla Firefox\ucmoreiex.exe: detected Trojan program 'Trojan-Dropper.Win32.Agent.bgo'.
2/2/2008 2:06:49 AM File C:\Program Files\Mozilla Firefox\ucmoreiex.exe: is still infected, postponed.
2/2/2008 2:07:57 AM File C:\Program Files\Softwin\BitDefender8\Quarantine\ws2_32.dll:fork2: detected Trojan program 'Trojan.Win32.Pakes'.
2/2/2008 2:07:57 AM File C:\Program Files\Softwin\BitDefender8\Quarantine\ws2_32.dll:fork2: is still infected, postponed.
2/2/2008 2:20:13 AM File C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir: detected adware 'not-a-virus:AdWare.Win32.FunWeb.d'.
2/2/2008 2:20:13 AM File C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir: is still infected, postponed.
2/2/2008 2:20:16 AM File C:\QooBox\Quarantine\C\Program Files\Online Services\vizykinu4444.dll.vir: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:20:16 AM File C:\QooBox\Quarantine\C\Program Files\Online Services\vizykinu4444.dll.vir: is still infected, postponed.
2/2/2008 2:20:16 AM File C:\QooBox\Quarantine\C\Program Files\Online Services\vizykinu83122.dll.vir: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:20:16 AM File C:\QooBox\Quarantine\C\Program Files\Online Services\vizykinu83122.dll.vir: is still infected, postponed.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir: detected Trojan program 'Trojan.Win32.Agent.edq'.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir: is still infected, postponed.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\Program Files\Windows Plus\dirto.html.vir: detected Trojan program 'Trojan-Clicker.HTML.IFrame.dn'.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\Program Files\Windows Plus\dirto.html.vir: is still infected, postponed.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\WINDOWS\159x.exe.vir: detected Trojan program 'Trojan-Downloader.Win32.Agent.bnn'.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\WINDOWS\159x.exe.vir: is still infected, postponed.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvj'.
2/2/2008 2:20:17 AM File C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir: is still infected, postponed.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\byyawv.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\byyawv.dll.vir: is still infected, postponed.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\iihhfe.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.kw'.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\iihhfe.dll.vir: is still infected, postponed.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\iihifc.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\iihifc.dll.vir: is still infected, postponed.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\itpb_3.exe.vir//data0002: detected adware 'not-a-virus:AdWare.Win32.Relevant.a'.
2/2/2008 2:20:18 AM File C:\QooBox\Quarantine\C\WINDOWS\itpb_3.exe.vir//data0002: is still infected, postponed.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\jkkhgg.dll.vir: detected Trojan program 'Trojan.Win32.Agent.agv'.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\jkkhgg.dll.vir: is still infected, postponed.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\khebax.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\khebax.dll.vir: is still infected, postponed.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\ljijgh.dll.vir: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\ljijgh.dll.vir: is still infected, postponed.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvx'.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir: is still infected, postponed.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvx'.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir: is still infected, postponed.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir: detected Trojan program 'Trojan.Win32.BHO.ab'.
2/2/2008 2:20:19 AM File C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir: is still infected, postponed.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir//data0002: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir//data0002: is still infected, postponed.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\zzzx.exe.vir: detected Trojan program 'Trojan-Downloader.Win32.Delf.bld'.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\zzzx.exe.vir: is still infected, postponed.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\FNTS~1\wuaclt.exe.vir//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fj'.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\FNTS~1\wuaclt.exe.vir//PE_Patch.UPX//UPX: is still infected, postponed.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\bmtl.dll.vir//PE_Patch.PECompact//PecBundle//PECompact: detected adware 'not-a-virus:AdWare.Win32.PurityScan.gt'.
2/2/2008 2:20:20 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\bmtl.dll.vir//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\ksys.sys.vir: detected Trojan program 'Rootkit.Win32.Agent.eb'.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\ksys.sys.vir: is still infected, postponed.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\opnlkjh.dll.vir: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\opnlkjh.dll.vir: is still infected, postponed.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir: detected Trojan program 'Backdoor.Win32.Small.os'.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir: is still infected, postponed.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\qwerty12.exe.vir: detected Trojan program 'Trojan.Win32.Agent.aoy'.
2/2/2008 2:20:21 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\qwerty12.exe.vir: is still infected, postponed.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\rlxf.dll.vir: detected adware 'not-a-virus:AdWare.Win32.RK.m'.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\rlxf.dll.vir: is still infected, postponed.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\spoolsvv.sys.vir: detected Trojan program 'Trojan-Proxy.Win32.Agent.ji'.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\spoolsvv.sys.vir: is still infected, postponed.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir: detected Trojan program 'Trojan.Win32.Zapchast.dt'.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir: is still infected, postponed.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\WinHealer.dll.vir: detected Trojan program 'Backdoor.Win32.Agent.alp'.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\WinHealer.dll.vir: is still infected, postponed.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir: detected Trojan program 'Trojan-Downloader.Win32.VB.asx'.
2/2/2008 2:20:22 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir: is still infected, postponed.
2/2/2008 2:20:23 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mcdd.sys.vir: detected Trojan program 'Rootkit.Win32.Agent.to'.
2/2/2008 2:20:23 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\mcdd.sys.vir: is still infected, postponed.
2/2/2008 2:20:23 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx01\nGpxx011065.exe.vir: detected Trojan program 'Trojan-Downloader.Win32.VB.cge'.
2/2/2008 2:20:23 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx01\nGpxx011065.exe.vir: is still infected, postponed.
2/2/2008 2:20:23 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\RACLE~1\s?anregw.exe.vir//PE_Patch.PECompact//PecBundle//PECompact: detected adware 'not-a-virus:AdWare.Win32.PurityScan.gs'.
2/2/2008 2:20:23 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\RACLE~1\s?anregw.exe.vir//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
2/2/2008 2:20:24 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\svcd\svchost.exe.vir: detected Trojan program 'Trojan-Proxy.Win32.Fackemo.h'.
2/2/2008 2:20:24 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\svcd\svchost.exe.vir: is still infected, postponed.
2/2/2008 2:20:24 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\wnis6\enamd83122.exe.vir//data0002: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:20:24 AM File C:\QooBox\Quarantine\C\WINDOWS\system32\wnis6\enamd83122.exe.vir//data0002: is still infected, postponed.
2/2/2008 2:20:31 AM File C:\VundoFix Backups\clihkdko.dll.bad: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/2/2008 2:20:31 AM File C:\VundoFix Backups\clihkdko.dll.bad: is still infected, postponed.
2/2/2008 2:20:32 AM File C:\VundoFix Backups\jleqdaes.dll.bad: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/2/2008 2:20:32 AM File C:\VundoFix Backups\jleqdaes.dll.bad: is still infected, postponed.
2/2/2008 2:20:32 AM File C:\VundoFix Backups\opnlkjh.dll.bad: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/2/2008 2:20:32 AM File C:\VundoFix Backups\opnlkjh.dll.bad: is still infected, postponed.
2/2/2008 2:20:32 AM File C:\VundoFix Backups\vxkqlluc.exe.bad: detected Trojan program 'Trojan-Downloader.Win32.Agent.gwe'.
2/2/2008 2:20:32 AM File C:\VundoFix Backups\vxkqlluc.exe.bad: is still infected, postponed.
2/2/2008 2:20:33 AM File C:\WINDOWS\422x.exe//UPX: detected Trojan program 'Trojan-Downloader.Win32.VB.att'.
2/2/2008 2:20:33 AM File C:\WINDOWS\422x.exe//UPX: is still infected, postponed.
2/2/2008 2:20:34 AM File C:\WINDOWS\46x.exe: detected Trojan program 'Trojan-Spy.Win32.BZub.if'.
2/2/2008 2:20:34 AM File C:\WINDOWS\46x.exe: is still infected, postponed.
2/2/2008 2:20:34 AM File C:\WINDOWS\5x.exe//PE_Patch: detected Trojan program 'Trojan-Downloader.Win32.ConHook.bf'.
2/2/2008 2:20:34 AM File C:\WINDOWS\5x.exe//PE_Patch: is still infected, postponed.
2/2/2008 2:33:33 AM File C:\WINDOWS\system32\msorcl32.exe//UPX: detected malware 'not-virus:Hoax.Win32.Renos.fn'.
2/2/2008 2:33:33 AM File C:\WINDOWS\system32\msorcl32.exe//UPX: is still infected, postponed.
2/2/2008 2:33:44 AM File C:\WINDOWS\system32\rcp.dll: detected Trojan program 'Trojan-Spy.Win32.BZub.ip'.
2/2/2008 2:33:44 AM File C:\WINDOWS\system32\rcp.dll: is still infected, postponed.
2/2/2008 2:33:57 AM File C:\WINDOWS\system32\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.m'.
2/2/2008 2:35:46 AM Running module winlogon.exe\winlogon.exe: detected Trojan program 'Trojan.Win32.Patched.z'.
2/2/2008 2:35:53 AM Running module winlogon.exe\winlogon.exe: is still infected, skipped by user.
2/2/2008 2:35:53 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp796\a0132539.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/2/2008 2:35:56 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp796\a0132539.dll: is still infected, skipped by user.
2/2/2008 2:35:56 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp796\a0132543.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.gwe'.
2/2/2008 2:35:58 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp796\a0132543.exe: is still infected, skipped by user.
2/2/2008 2:35:58 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp796\a0132549.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/2/2008 2:36:00 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp796\a0132549.dll: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132570.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvx'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132570.exe: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132571.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvx'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132571.exe: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132572.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.hvj'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132572.exe: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132573.dll//PE_Patch.PECompact//PecBundle//PECompact: detected adware 'not-a-virus:AdWare.Win32.PurityScan.gt'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132573.dll//PE_Patch.PECompact//PecBundle//PECompact: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132574.dll: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132574.dll: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132575.dll: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132575.dll: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132576.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132576.dll: is still infected, skipped by user.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132577.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.kw'.
2/2/2008 2:36:01 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132577.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132578.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132578.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132579.dll: detected Trojan program 'Trojan.Win32.Agent.agv'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132579.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132580.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132580.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132581.dll: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.ar'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132581.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132583.dll: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132583.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132590.dll: detected adware 'not-a-virus:AdWare.Win32.FunWeb.d'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132590.dll: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132613.exe: detected Trojan program 'Trojan.Win32.Agent.edq'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132613.exe: is still infected, skipped by user.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132614.exe//PE_Patch.PECompact//PecBundle//PECompact: detected adware 'not-a-virus:AdWare.Win32.PurityScan.gs'.
2/2/2008 2:36:02 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132614.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, skipped by user.
2/2/2008 2:36:03 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132616.exe//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fj'.
2/2/2008 2:36:03 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132616.exe//PE_Patch.UPX//UPX: is still infected, skipped by user.
2/2/2008 2:36:03 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132618.sys: detected Trojan program 'Rootkit.Win32.Agent.eb'.
2/2/2008 2:36:03 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132618.sys: is still infected, skipped by user.
2/2/2008 2:36:03 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132619.exe: detected Trojan program 'Trojan.Win32.Agent.aoy'.
2/2/2008 2:36:03 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132619.exe: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132620.dll: detected adware 'not-a-virus:AdWare.Win32.RK.m'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132620.dll: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132621.sys: detected Trojan program 'Trojan-Proxy.Win32.Agent.ji'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132621.sys: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132622.dll: detected Trojan program 'Backdoor.Win32.Agent.alp'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132622.dll: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132623.dll: detected Trojan program 'Trojan-Downloader.Win32.VB.asx'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132623.dll: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132624.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.bnn'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132624.exe: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132627.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.Relevant.a'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132627.exe//data0002: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132628.exe: detected Trojan program 'Trojan.Win32.BHO.ab'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132628.exe: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132629.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132629.exe//data0002: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132631.exe: detected Trojan program 'Trojan-Downloader.Win32.Delf.bld'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp798\a0132631.exe: is still infected, skipped by user.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp803\a0133698.exe: detected Trojan program 'Trojan-Downloader.Win32.VB.cge'.
2/2/2008 2:36:04 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp803\a0133698.exe: is still infected, skipped by user.
2/2/2008 2:36:05 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp803\a0133699.exe: detected Trojan program 'Trojan-Proxy.Win32.Fackemo.h'.
2/2/2008 2:36:05 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp803\a0133699.exe: is still infected, skipped by user.
2/2/2008 2:36:05 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp803\a0133700.exe: detected adware 'not-a-virus:AdWare.Win32.TTC.a'.
2/2/2008 2:36:05 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp803\a0133700.exe: is still infected, skipped by user.
2/2/2008 2:36:05 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp804\a0133774.sys: detected Trojan program 'Rootkit.Win32.Agent.to'.
2/2/2008 2:36:05 AM File c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp804\a0133774.sys: is still infected, skipped by user.
2/2/2008 2:36:05 AM File c:\deckard\system scanner\20080129000407\backup\windows\temp\svchost.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.acl'.
2/2/2008 2:36:05 AM File c:\deckard\system scanner\20080129000407\backup\windows\temp\svchost.exe: is still infected, skipped by user.
2/2/2008 2:36:05 AM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\219900b9.dll//CryptFF: detected adware 'not-a-virus:AdWare.Win32.Shopper.k'.
2/2/2008 2:36:05 AM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\219900b9.dll//CryptFF: is still infected, skipped by user.
2/2/2008 2:36:06 AM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\23b1666b.exe//CryptFF: detected adware 'not-a-virus:AdWare.Win32.HotBar.bd'.
2/2/2008 2:36:06 AM File c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine\23b1666b.exe//CryptFF: is still infected, skipped by user.
2/2/2008 2:36:06 AM File c:\documents and settings\junior\application data\sun\java\deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip/vlocal.class: detected Trojan program 'Trojan-Downloader.Java.Agent.f'.
2/2/2008 2:36:06 AM File c:\documents and settings\junior\application data\sun\java\deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip/vlocal.class: is still infected, skipped by user.
2/2/2008 2:36:06 AM File c:\program files\mozilla firefox\click.exe//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Clicker.Win32.Delf.hj'.
2/2/2008 2:36:06 AM File c:\program files\mozilla firefox\click.exe//PE_Patch.UPX//UPX: is still infected, skipped by user.
2/2/2008 2:36:06 AM File c:\program files\mozilla firefox\cmarp1083.exe//data0005: detected Trojan program 'Trojan-Downloader.Win32.VB.awj'.
2/2/2008 2:36:06 AM File c:\program files\mozilla firefox\cmarp1083.exe//data0005: is still infected, skipped by user.
2/2/2008 2:36:07 AM File c:\program files\mozilla firefox\leeman.exe: detected Trojan program 'Trojan-Downloader.Win32.Agent.bnn'.
2/2/2008 2:36:07 AM File c:\program files\mozilla firefox\leeman.exe: is still infected, skipped by user.
2/2/2008 2:36:07 AM File c:\program files\mozilla firefox\ucmoreiex.exe: detected Trojan program 'Trojan-Dropper.Win32.Agent.bgo'.
2/2/2008 2:36:07 AM File c:\program files\mozilla firefox\ucmoreiex.exe: is still infected, skipped by user.
2/2/2008 2:36:07 AM File c:\program files\softwin\bitdefender8\quarantine\ws2_32.dll:fork2: detected Trojan program 'Trojan.Win32.Pakes'.
2/2/2008 2:36:07 AM File c:\program files\softwin\bitdefender8\quarantine\ws2_32.dll:fork2: is still infected, skipped by user.
2/2/2008 2:36:07 AM File c:\vundofix backups\clihkdko.dll.bad: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/2/2008 2:36:07 AM File c:\vundofix backups\clihkdko.dll.bad: is still infected, skipped by user.
2/2/2008 2:36:07 AM File c:\vundofix backups\jleqdaes.dll.bad: detected adware 'not-a-virus:AdWare.Win32.Virtumonde.dnn'.
2/2/2008 2:36:07 AM File c:\vundofix backups\jleqdaes.dll.bad: is still infected, skipped by user.
2/2/2008 2:36:07 AM File c:\vundofix backups\opnlkjh.dll.bad: detected Trojan program 'Trojan.Win32.BHO.auf'.
2/2/2008 2:36:07 AM File c:\vundofix backups\opnlkjh.dll.bad: is still infected, skipped by user.
2/2/2008 2:36:08 AM File c:\vundofix backups\vxkqlluc.exe.bad: detected Trojan program 'Trojan-Downloader.Win32.Agent.gwe'.
2/2/2008 2:36:08 AM File c:\vundofix backups\vxkqlluc.exe.bad: is still infected, skipped by user.
2/2/2008 2:36:08 AM File c:\windows\422x.exe//UPX: detected Trojan program 'Trojan-Downloader.Win32.VB.att'.
2/2/2008 2:36:08 AM File c:\windows\422x.exe//UPX: is still infected, skipped by user.
2/2/2008 2:36:08 AM File c:\windows\46x.exe: detected Trojan program 'Trojan-Spy.Win32.BZub.if'.
2/2/2008 2:36:08 AM File c:\windows\46x.exe: is still infected, skipped by user.
2/2/2008 2:36:08 AM File c:\windows\5x.exe//PE_Patch: detected Trojan program 'Trojan-Downloader.Win32.ConHook.bf'.
2/2/2008 2:36:08 AM File c:\windows\5x.exe//PE_Patch: is still infected, skipped by user.
2/2/2008 2:36:08 AM File c:\windows\system32\msorcl32.exe//UPX: detected malware 'not-virus:Hoax.Win32.Renos.fn'.
2/2/2008 2:36:08 AM File c:\windows\system32\msorcl32.exe//UPX: is still infected, skipped by user.
2/2/2008 2:36:08 AM File c:\windows\system32\rcp.dll: detected Trojan program 'Trojan-Spy.Win32.BZub.ip'.
2/2/2008 2:36:08 AM File c:\windows\system32\rcp.dll: is still infected, skipped by user.


Reports
-------
Component Status Start Finish Size
----
Scan startup objects completed 2/1/2008 11:34:35 PM 2/1/2008 11:35:46 PM 473.2 KB
Scan My Computer completed 2/1/2008 11:36:30 PM 2/2/2008 2:36:08 AM 78.4 MB
Update completed 2/2/2008 1:35:54 AM 2/2/2008 1:36:45 AM 14.3 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan.Win32.Patched.m c:\windows\system32\winlogon.exe 490.5 KB

That is the log. Seems I can't disinfect any of the files, and I still can't uninstall my Java without the error message popping up.



Response Number 17
Name: jabuck
Date: February 2, 2008 at 16:07:57 Pacific
Reply:

Sorry for the delay.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link:
ATF Cleaner
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the contents of these folders, not the folders themselves:

c:\documents and settings\all users\application data\symantec\norton antivirus\quarantine

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Program Files\Mozilla Firefox\click.exe
C:\Program Files\Mozilla Firefox\CmarP1083.exe
C:\WINDOWS\46x.exe
C:\WINDOWS\5x.exe
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\system32\rcp.dll
C:\Program Files\Mozilla Firefox\leeman.exe
C:\Program Files\Mozilla Firefox\ucmoreiex.exe
C:\WINDOWS\422x.exe
C:\Documents and Settings\Junior\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip

Folder::
C:\VundoFix Backups
C:\Qoobox
C:\Deckard\System Scanner\20080129000407\backup

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Post a new Combofix log and a new Hijack This log please.



Response Number 18
Name: jrtech33
Date: February 2, 2008 at 21:28:17 Pacific
Reply:

ComboFix 08-01-29.3 - Junior 2008-02-02 20:56:38.5 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.985 [GMT -8:00]
Running from: C:\Documents and Settings\Junior\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Junior\Desktop\cfscript.txt

FILE
C:\Documents and Settings\Junior\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-26e42dbb.zip
C:\Program Files\Mozilla Firefox\click.exe
C:\Program Files\Mozilla Firefox\CmarP1083.exe
C:\Program Files\Mozilla Firefox\leeman.exe C:\Program Files\Mozilla Firefox\ucmoreiex.exe
C:\WINDOWS\422x.exe
C:\WINDOWS\46x.exe
C:\WINDOWS\5x.exe
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\system32\rcp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mozilla Firefox\click.exe
C:\Program Files\Mozilla Firefox\CmarP1083.exe
C:\Qoobox
C:\Qoobox\BackEnv\appdata.folder.dat
C:\Qoobox\BackEnv\cache.folder.dat
C:\Qoobox\BackEnv\desktop.folder.dat
C:\Qoobox\BackEnv\favorites.folder.dat
C:\Qoobox\BackEnv\local appdata.folder.dat
C:\Qoobox\BackEnv\local settings.folder.dat
C:\Qoobox\BackEnv\my pictures.folder.dat
C:\Qoobox\BackEnv\personal.folder.dat
C:\Qoobox\BackEnv\profiles.folder.dat
C:\Qoobox\BackEnv\programs.folder.dat
C:\Qoobox\BackEnv\setpath.bat
C:\Qoobox\BackEnv\setpath.dat
C:\Qoobox\BackEnv\start menu.folder.dat
C:\Qoobox\BackEnv\startup.folder.dat
C:\Qoobox\BackEnv\templates.folder.dat
C:\Qoobox\CFScript_used_2008-01-29@19.24.txt
C:\Qoobox\CFScript_used_2008-01-29@20.55.txt
C:\Qoobox\CFScript_used_2008-01-30@12.07.txt
C:\Qoobox\cfscript_used_2008-02-02@20.56.txt
C:\Qoobox\ComboFix-quarantined-files.txt
C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt
C:\Qoobox\ComboFix4.txt
C:\Qoobox\ComboFix5.txt
C:\Qoobox\snapshot@2008-01-29_ 1.05.10.46.dat
C:\Qoobox\snapshot@2008-01-29_ 1.05.10.46_B.dat
C:\VundoFix Backups
C:\VundoFix Backups\clihkdko.dll.bad
C:\VundoFix Backups\ghhkj.ini.bad
C:\VundoFix Backups\ghhkj.ini2.bad
C:\VundoFix Backups\jkhhg.dll.bad
C:\VundoFix Backups\jleqdaes.dll.bad
C:\VundoFix Backups\jleqdaes.dllbox.bad
C:\VundoFix Backups\opnlkjh.dll.bad
C:\VundoFix Backups\pxnxctwt.dll.bad
C:\VundoFix Backups\tuaurpuu.dll.bad
C:\VundoFix Backups\vxkqlluc.exe.bad
C:\WINDOWS\422x.exe
C:\WINDOWS\46x.exe
C:\WINDOWS\5x.exe
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\system32\rcp.dll

C:\WINDOWS\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 00:04 . 2008-02-02 00:04 <DIR> d-------- C:\Program Files\Azureus
2008-02-02 00:04 . 2008-02-02 00:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-02-01 23:27 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-01 23:27 . 2005-12-25 15:09 209 --a------ C:\Boot.bak
2008-02-01 10:53 . 2008-02-02 12:26 502,272 --a------ C:\WINDOWS\system32\winlogon.exe.kav
2008-02-01 10:46 . 2008-02-02 20:51 3,834,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 10:46 . 2008-02-02 21:05 12,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 10:46 . 2008-02-02 20:51 6,860 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 10:46 . 2008-02-02 20:51 2,252 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 10:44 . 2008-02-01 10:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 10:44 . 2008-02-02 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-01 10:43 . 2008-02-01 10:43 <DIR> d-------- C:\KAV
2008-01-31 13:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-31 13:32 . 2008-01-31 13:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-30 02:12 . 2008-01-30 02:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-30 01:43 . 2008-01-30 02:27 <DIR> d-------- C:\Program Files\SDFix
2008-01-29 01:10 . 2008-01-29 01:15 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-29 01:10 . 2008-01-29 01:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-28 21:38 . 2008-01-28 21:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-28 21:29 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-28 21:29 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-28 14:43 . 2008-01-28 14:43 <DIR> d-------- C:\Program Files\Half Life 2
2008-01-28 02:46 . 2008-01-28 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 02:42 . 2008-01-28 02:42 <DIR> d-------- C:\Deckard
2008-01-28 01:24 . 2008-01-28 02:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-28 00:56 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-28 00:41 . 2008-01-28 01:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 00:15 . 2008-01-28 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-28 00:14 . 2008-01-28 00:15 <DIR> d-------- C:\Program Files\Dell Support Center
2008-01-28 00:14 . 2008-01-28 00:14 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-01-27 23:34 . 2008-01-28 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-27 23:27 . 2008-01-27 23:27 <DIR> d-------- C:\Program Files\Uniblue
2008-01-27 23:12 . 2008-01-27 23:28 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\Uniblue
2008-01-27 23:02 . 2008-01-27 23:02 <DIR> d-------- C:\Documents and Settings\Junior\Application Data\PC Tools
2008-01-27 22:40 . 2004-10-14 19:22 5,110 --a------ C:\WINDOWS\system32\e100b325.din
2008-01-27 22:40 . 2003-11-03 18:15 1,902 --------- C:\WINDOWS\system32\SetupBD.din
2008-01-26 11:43 . 2008-01-26 11:43 <DIR> d-------- C:\Program Files\Ubisoft
2008-01-24 11:03 . 2008-01-24 11:08 <DIR> d-------- C:\Program Files\AlphaZIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 04:43 --------- d-----w C:\Program Files\Starcraft
2008-02-02 10:45 --------- d-----w C:\Documents and Settings\Junior\Application Data\Azureus
2008-02-02 07:41 14 ----a-w C:\Documents and Settings\Junior\getfile.dat
2008-01-31 21:33 --------- d-----w C:\Program Files\Java
2008-01-30 10:18 --------- d-----w C:\Program Files\Windows Plus
2008-01-29 07:25 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-01-28 11:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 11:21 --------- d-----w C:\Program Files\Dell
2008-01-28 09:51 --------- d-----w C:\Program Files\BitComet
2008-01-28 09:51 --------- d-----w C:\Program Files\AIM
2008-01-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 20:01 --------- d-----w C:\Documents and Settings\Junior\Application Data\Aim
2008-01-20 07:49 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-09 18:45 --------- d-----w C:\Program Files\LimeWire
2007-05-14 23:01 14 ----a-w C:\Documents and Settings\Genesis\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-03-12 12:22 61440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-17 11:46 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-12-07 09:31 9479448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 21:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 21:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 21:10 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-08 14:00 128920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [ ]
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 11:10 421888]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 11:19 8192]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-05 15:52:50 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-03-05 20:57:37 315392]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 17:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 07:28:06 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-28 07:28:04 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 21:05:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Running Processes
.
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-02-02 21:13:18 - machine was rebooted
.
2008-01-30 09:48:17 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:59 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/active...
O21 - SSODL: itNvUfnoPKDSkA - {04EE4652-AE44-ECF8-7E0E-53444C0D25FB} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8293 bytes




Response Number 19
Name: jabuck
Date: February 3, 2008 at 16:11:25 Pacific
Reply:

Do a search for winlogon.exe and let me know what you find. Go to start> search> all files and folders> click more advanced options and check the boxes beside "search for system files", "search for hidden files and folders" and "search for sub folders", then do the search.

Please go to Virus Total and upload the following file for analysis:

C:\Windows\System32\winlogon.exe


Post the results in your reply.



Response Number 20
Name: jrtech33
Date: February 3, 2008 at 16:39:16 Pacific
Reply:

I did the search and there were 2 winlogon.exe files and one winlogon.exe.kav. winlogon.exe and the .kav are in the C:\windows\system32 folder, and the other winlogon.exe is in the C:\i386 folder.

Here are the results for the Virus total:
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - Win32:Patched-I
AVG - - Generic5.QLF
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - Trojan.Starter.236
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - WLHack.A!tr
F-Prot - - -
F-Secure - - Trojan.Win32.Patched.m
Ikarus - - Trojan.Win32.Patched.m
Kaspersky - - Trojan.Win32.Patched.m
McAfee - - Generic.dx
Microsoft - - Trojan:Win32/Patched.A
NOD32v2 - - -
Norman - - -
Panda - - W32/Patchlog.B
Prevx1 - - -
Rising - - Trojan.Patched.wz
Sophos - - Troj/WLHack-A
Sunbelt - - -
Symantec - - Trojan.Pandex!inf
TheHacker - - W32/PatchLog
VBA32 - - Trojan.Win32.Patched
VirusBuster - - -
Webwasher-Gateway - - Trojan.LooksLike.Patched!502272
Additional information
MD5: 5fb172bf49cb698131ca4c502cb769da
SHA1: 005a8ab06d660ddb27228e261659b78748f964b0
SHA256: 65937f110c1f58d7aa23d90cdb9c91910cc7a8bf714a8e5c29970d5cad762e26
SHA512: 7af05c1aeb7f650907461928216ee4d3ffb606b71b57f25ca342218df847d764 a2c4594a92280fb94ab9ddf8a417e52630d0bc2eb992dea8bb7c0d7be9fb2ac0



Response Number 21
Name: jabuck
Date: February 3, 2008 at 17:42:20 Pacific
Reply:

Navigate to C:\Windows\System32 and delete both winlogon.exe and winlogon.exe.kav

Navigate to C:\i386\winlogon.exe and right click on it> click copy> navigate to C:\Windows\System32\winlogon.exe> click a blank spot in the folder then> click paste. That should put a clean copy of the winlogon.exe file in the system32 folder.

Exit out of system32 then navigate back and verify that the winlogon.exe file is there, don't restart the computer until you are sure you have a copy of winlogon.exe in the system32 folder.

Now run the new winlogon.exe through VirusTotal and check it; let me know what you find. Don't be surprised if it is infected, but maybe this will get it.


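jabuck's check in Responses 19 and 21 comes down to hashing the restored file and comparing it with the i386 copy and with the VirusTotal result posted in Response 20. The script below is an added example, not from the thread or from any tool it mentions; it uses the MD5/SHA1/SHA256 values from Response 20 as the known-bad set, and the sample file images it writes in `demo()` are constructed, not real binaries.

```python
# Added example (not from the thread or from any tool it mentions).
# jabuck's advice (Responses 19 and 21): upload winlogon.exe to VirusTotal,
# replace it with the copy from C:\i386, then re-check the restored file.
# This script does the offline part of that check: it hashes the system32
# copy and the i386 copy, compares both with the hashes VirusTotal reported
# for the infected file (Response 20), and says whether the restore took.
import hashlib
import os
import tempfile

# Hashes VirusTotal reported for the patched winlogon.exe in Response 20.
KNOWN_BAD = {
    "md5": "5fb172bf49cb698131ca4c502cb769da",
    "sha1": "005a8ab06d660ddb27228e261659b78748f964b0",
    "sha256": "65937f110c1f58d7aa23d90cdb9c91910cc7a8bf714a8e5c29970d5cad762e26",
}


def digests_of_bytes(data):
    """Return md5/sha1/sha256 hex digests of an in-memory file image."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_BAD}


def file_digests(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks so a large binary is not read at once."""
    hashers = {name: hashlib.new(name) for name in KNOWN_BAD}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def is_known_bad(digests):
    """True if any digest equals the VirusTotal hash of the infected copy."""
    return any(digests[name] == KNOWN_BAD[name] for name in KNOWN_BAD)


def assess_restore(system32_digests, i386_digests):
    """Classify the state of the restore from the two files' digests.

    Verdicts:
      still_infected  - the system32 copy still carries the known-bad hash
                        (the delete/copy did not take, cf. Response 22)
      source_infected - the i386 copy itself carries the known-bad hash, so
                        copying it over is pointless (jabuck's warning)
      mismatch        - system32 and i386 differ and neither is the known-bad
                        file; the copy did not happen or i386 holds another
                        build, so re-check the file on VirusTotal
      restored        - system32 is byte-identical to the i386 copy
    """
    if is_known_bad(system32_digests):
        return "still_infected"
    if is_known_bad(i386_digests):
        return "source_infected"
    if system32_digests != i386_digests:
        return "mismatch"
    return "restored"


def assess_paths(system32_path, i386_path):
    """Run the check on two real paths (on XP, the two folders jabuck names)."""
    return assess_restore(file_digests(system32_path), file_digests(i386_path))


def demo():
    """Write two constructed (fake) file images to a temp dir and check them.
    The bytes are made up and do not resemble a real winlogon.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "winlogon.exe")
        i386 = os.path.join(tmp, "i386_winlogon.exe")
        clean = b"MZ" + b"\x00" * 62 + b"constructed clean image"
        with open(sys32, "wb") as f:
            f.write(clean)
        with open(i386, "wb") as f:
            f.write(clean)
        return assess_paths(sys32, i386)


if __name__ == "__main__":
    print(demo())  # prints "restored" for the identical constructed images
```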

Response Number 22
Name: jrtech33
Date: February 4, 2008 at 08:36:18 Pacific
Reply:

I can't delete winlogon.exe or replace it because the system says it's currently in use.



Response Number 23
Name: jabuck
Date: February 4, 2008 at 15:06:12 Pacific
Reply:

Let's try it in safe mode, following the steps in response #21.

Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once finished, navigate there and make sure there is a winlogon.exe file in the system32 folder before you restart the computer in normal mode. If there is not, restore the one in the recycle bin, then restart the computer.



Response Number 24
Name: jrtech33
Date: February 4, 2008 at 19:22:27 Pacific
Reply:

I deleted the winlogon and replaced it with the other.



Response Number 25
Name: jabuck
Date: February 4, 2008 at 19:31:49 Pacific
Reply:

Please run it through VirusTotal and post a new Combofix log.


