
Adware.Ezula + Trojan.Vundo Keeps Infecting My Computer

#1 ·
I recently found several viruses in my computer and removed them immediately, but my Norton keeps detecting Adware.Ezula and Trojan.Vundo. I've used FixVundo and deleted Trojan.Vundo once, but it can't detect it anymore. I get random pop-ups and my computer is consistently making a lot of noise ever since it got infected. I've been scanning my computer every day with Ad-Aware and Norton, yet only Ad-Aware will find tracking and cookie problems. Here's my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:14 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\COMMON~1\AOL\118526~1\EE\AOLHOS~1.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\COMMON~1\AOL\118526~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5056
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tapeugos.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1185261948\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [302c403e] rundll32.exe "C:\WINDOWS\system32\vlsktfiw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11134 bytes
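A small triage script for HijackThis logs like the one posted above, added here as an example (it is not part of this thread and not a HijackThis feature): it flags three patterns visible in this log, a Windows system-binary name running from outside the Windows directory, a Run entry that uses rundll32 to load a random-named DLL, and a toolbar whose DLL is missing. The sample lines are copied from the posted log; the heuristics (8-lowercase-letter DLL names, hex-looking value names) are assumptions for triage, not proof of infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows binaries that legitimately live under the Windows system directories;
# a copy of one of these anywhere else (here: C:\WINDOWS\Fonts\svchost.exe) is a
# classic masquerade and worth a closer look.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}
LEGIT_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")

# Heuristics (assumptions): Vundo-style DLLs in this log are 8 random lowercase
# letters, and their Run value names look like hex (e.g. "302c403e").
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")

# "O4 - HKLM\..\Run: [name] command"  (also HKCU and HKUS\<sid> hives)
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O3" or "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


def _first_path(cmd: str) -> str:
    """Return the executable path at the start of an O4 command string."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|bat|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def _rundll32_target(cmd: str) -> Optional[str]:
    """If the command is rundll32 <dll>,<entry>, return the DLL path."""
    m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)"?', cmd, re.I)
    return m.group(1) if m else None


def _masquerading_system_binary(path: str) -> bool:
    """True if a well-known system binary name runs from a non-system directory."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    if base not in SYSTEM_BINARIES:
        return False
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return parent not in LEGIT_SYSTEM_DIRS


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the lines matching the heuristics above."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O3 - Toolbar:") and "(file missing)" in line:
            findings.append(Finding("O3", "toolbar registered but its DLL is missing", line))
            continue
        m = O4_RUN.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        dll = _rundll32_target(cmd)
        if dll is not None:
            dll_base = dll.lower().rsplit("\\", 1)[-1]
            if RANDOM_DLL.match(dll_base) or HEX_VALUE_NAME.match(name.lower()):
                findings.append(Finding("O4", "rundll32 loads a random-named DLL from a Run key", line))
            continue
        exe = _first_path(cmd)
        if _masquerading_system_binary(exe):
            findings.append(Finding("O4", f"system binary name outside the Windows directory: {exe}", line))
    return findings


# Excerpt copied from the log posted above (benign lines included as controls).
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\tapeugos.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [302c403e] rundll32.exe "C:\WINDOWS\system32\vlsktfiw.dll",b
"""

if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```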
#3 ·
Hi wahtever,

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

DO NOT run SDFix yet. We will shortly.

--------------------------------------------------------------

Enter Safe Mode

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

--------------------------------------------------------------

Run SDFix

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Paste the contents of the Report.txt back on the forum

--------------------------------------------------------------

Restart your computer in Normal Mode

--------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**
  • Go to Start -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Generate an Uninstall List

  • Open HijackThis.
  • Click on the "Configure" button on the bottom right.
  • Click on the tab "Misc Tools".
  • Click on the Box that says "Open Uninstall Manager".
  • Click on the button "Save list"

Please save a copy and paste the contents with your next reply.

--------------------------------------------------------------

Please reply back with the following logs:

C:\SDFix\report.txt
C:\ComboFix.txt
Uninstall List
#4 ·
Thank you for your reply. Here are my results:

Report.txt
SDFix: Version 1.116

Run by Owner on Wed 11/28/2007 at 10:49 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\X.DAT - Deleted
C:\Z.DAT - Deleted
C:\Documents and Settings\Owner\x.dat - Deleted
C:\Documents and Settings\Owner\z.dat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\removalfile.bat - Deleted
C:\n.bat - Deleted
C:\winlogon.exe - Deleted
C:\WINDOWS\Fonts\'\*.zip - 4275 File(s) 731,965 bytes - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder C:\WINDOWS\Fonts\' - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 23:00:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1185261948\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1185261948\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe:*:Enabled:Microsoft Broadband Networking Update Utility"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 23 Jun 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Thu 23 Jun 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Thu 8 Nov 2007 36,924 ..SH. --- "C:\WINDOWS\system32\srqss.tmp"
Wed 14 Nov 2007 455,937 ..SH. --- "C:\WINDOWS\system32\srqss.bak1"
Thu 15 Nov 2007 440,437 ..SH. --- "C:\WINDOWS\system32\srqss.bak2"
Tue 20 Nov 2007 20,810 A.SH. --- "C:\WINDOWS\system32\tapeugos.dllbox"
Wed 28 Nov 2007 294 ..SH. --- "C:\WINDOWS\system32\xrvxqsrt.tmp"
Thu 23 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 13 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
ComboFix.txt
ComboFix 07-11-29.3 - Owner 2007-11-28 23:16:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\ainmpvbe.ini
C:\WINDOWS\system32\bcjjfuet.dll
C:\WINDOWS\system32\cbuaqrph.dll
C:\WINDOWS\system32\drqeaikp.dll
C:\WINDOWS\system32\dsynblan.dll
C:\WINDOWS\system32\ebvpmnia.dll
C:\WINDOWS\system32\efgbqbyx.dll
C:\WINDOWS\system32\fukeqtao.dll
C:\WINDOWS\system32\hprqaubc.ini
C:\WINDOWS\system32\hprqaubc.tmp
C:\WINDOWS\system32\htaleluf.dll
C:\WINDOWS\system32\jdqytdcx.dll
C:\WINDOWS\system32\jjwpldnv.dll
C:\WINDOWS\system32\jkhtfcie.dll
C:\WINDOWS\system32\mfgeonku.dll
C:\WINDOWS\system32\muxvxeiv.dll
C:\WINDOWS\system32\nalbnysd.ini
C:\WINDOWS\system32\ocjwpwfs.dll
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\qpyuhkfu.dll
C:\WINDOWS\system32\rmdujqwn.dll
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
C:\WINDOWS\system32\tapeugos.dllbox
C:\WINDOWS\system32\ufkhuypq.ini
C:\WINDOWS\system32\usbchopn.dll
C:\WINDOWS\system32\vcwxausy.dll
C:\WINDOWS\system32\vlsktfiw.dll
C:\WINDOWS\system32\wiftkslv.ini
C:\WINDOWS\system32\xcdtyqdj.ini
C:\WINDOWS\system32\xltcygjy.dll
C:\WINDOWS\system32\xybqbgfe.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 22:48 . 2007-11-28 22:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-27 12:59 . 2007-11-27 12:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 10:25 . 2007-11-26 10:25 <DIR> d-------- C:\temp
2007-11-24 18:40 . 2007-11-25 18:38 775,902 --ahs---- C:\WINDOWS\system32\krcwwoxn.ini
2007-11-22 10:19 . 2007-11-22 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\4D
2007-11-22 10:16 . 2007-11-22 10:20 <DIR> d-------- C:\Program Files\MasterWriter
2007-11-22 09:25 . 2007-11-22 09:25 <DIR> d-------- C:\Program Files\LimeWire
2007-11-22 09:25 . 2007-11-22 09:31 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-22 09:25 . 2007-11-22 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-21 18:36 . 2007-11-22 12:25 842,967 --ahs---- C:\WINDOWS\system32\rwwnsehh.ini
2007-11-18 10:45 . 2007-11-20 18:28 689,223 --ahs---- C:\WINDOWS\system32\tamsbfon.ini
2007-11-14 20:00 . 2007-11-15 21:59 655,641 --ahs---- C:\WINDOWS\system32\ovhtfdkb.ini
2007-11-14 03:02 . 2006-12-19 16:52 8,453,632 --a------ C:\WINDOWS\system32\SET51F2.tmp
2007-11-14 03:02 . 2007-06-19 02:24 350,720 --a------ C:\WINDOWS\system32\SET51F3.tmp
2007-11-13 20:00 . 2007-11-13 20:00 668,999 --ahs---- C:\WINDOWS\system32\jqixrsiu.ini
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET5416.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET52B4.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET51EF.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET5417.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET52B5.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET51F0.tmp
2007-11-12 20:00 . 2007-11-12 20:01 591,016 --ahs---- C:\WINDOWS\system32\rejymmok.ini
2007-11-11 20:03 . 2007-11-11 20:03 584,776 --ahs---- C:\WINDOWS\system32\rbbpaeqm.ini
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 07:37 . 2007-11-09 19:58 583,292 --ahs---- C:\WINDOWS\system32\klfvlxby.ini
2007-11-09 07:26 . 2007-11-09 07:29 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-09 07:26 . 2007-11-09 07:29 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-09 00:15 . 2007-11-09 07:35 582,880 --ahs---- C:\WINDOWS\system32\afsvwawb.ini
2007-11-08 21:19 . 2007-11-08 21:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 21:18 . 2007-11-08 21:23 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-11-08 21:08 . 2007-11-22 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-08 13:20 . 2007-11-08 13:20 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-08 12:03 . 2007-11-08 12:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-08 11:58 . 2007-11-18 11:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 16:05 . 2007-11-28 23:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-06 16:05 . 2007-11-06 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-06 16:04 . 2007-11-06 16:04 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 16:02 . 2007-11-06 16:03 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 04:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-11-28 22:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 22:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart Recorder
2007-11-09 12:29 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-09 12:29 --------- d-----w C:\Program Files\Symantec
2007-11-09 12:26 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-08 19:00 --------- d-----w C:\Program Files\NoAdware5.0
2007-11-06 21:04 --------- d-----w C:\Program Files\iPod
2007-11-01 17:04 --------- d-----w C:\Program Files\Sims2Pack Clean Installer
2007-10-27 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-27 05:04 --------- d-----w C:\Program Files\Viewpoint
2007-10-27 05:04 --------- d-----w C:\Program Files\AIM6
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 16:08 --------- d-----w C:\Program Files\SecondLife
2007-10-24 15:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\SecondLife
2007-10-19 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 17:14 --------- d-----w C:\Program Files\Bethesda Softworks
2007-10-19 17:08 --------- d-----w C:\Program Files\Syberia
2007-10-19 17:07 --------- d-----w C:\Program Files\Microids
2007-10-15 23:07 --------- d-----w C:\Program Files\EA GAMES
2007-10-15 18:49 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-10-15 15:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2007-10-14 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2007-10-14 17:55 --------- d-----w C:\Program Files\Musicnotes
2007-10-12 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-12 19:20 --------- d-----w C:\Program Files\ATI Technologies
2007-10-01 19:49 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-01 19:49 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-01 19:49 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-01 19:49 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-01 19:49 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-01 19:48 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 17:07 C:\WINDOWS\soundman.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1185261948\EE\AOLHostManager.exe" [2004-11-03 16:03]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 07:09]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 00:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 18:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 06:25]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-27 03:03]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-04 14:05]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-11 20:47:45]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{638547C2-2ABA-46F4-AE28-85FF6E83CB54}\_18be6784.exe [2007-07-24 17:00:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjihi]
mljjihi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tapeugos]
tapeugos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll

R3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\mn720-50.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffc8a1fa-3b11-11dc-9050-00155820b70c}]
\Shell\AutoRun\command - J:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - J:\system\viewer\FlipVideoforPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 20:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-24 02:59:43 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 23:22:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-28 23:25:36 - machine was rebooted
.
--- E O F ---
Uninstall List
3ivx D4 4.5.1 Decoder (remove only)
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.0
Adobe SVG Viewer 3.0
AIM 6
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
BigFix
Browser Address Error Redirector
ccCommon
CEP - Color Enable Package
Create-Ringtone 4.92
Creative Audio Console
Creative MediaSource
Creative System Information
CuteFTP 6 Professional
CuteMAP
Digital Media Reader
DVD Solution
Easy Graphic Converter 1.2
GameShadow
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Internet Worm Protection
iTunes
J2SE Runtime Environment 5.0 Update 2
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9.01 Patch
JGsoft EditPad Lite 6.3.0
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX 2004
MasterWriter
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Broadband Networking
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.10)
Mozilla Sunbird (0.5)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Napster
Napster Burn Engine
NAVShortcut
NoAdware v5.0
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
NVIDIA Drivers
Oblivion
Power2Go 4.0
PowerDVD
Project64 1.6
Pure Networks Port Magic
QuickTime
RealPlayer
Realtek AC'97 Audio
Rhapsody Player Engine
Samsung CLP-300 Series
SecondLife (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Sibelius Scorch Plugin
SimCoaster
Sims2Pack Clean Installer
SlingPlayer
Sonic Encoders
Sony DVD Architect 2.0
Sony Vegas 5.0a
Sound Blaster Audigy 2
SPBBC
Syberia
Symantec
Symantec KB-DocID:2003093015493306
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 Celebration! Stuff
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 Seasons
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
 
#5 ·
Hi wahtever,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
C:\WINDOWS\system32\krcwwoxn.ini
C:\WINDOWS\system32\rwwnsehh.ini
C:\WINDOWS\system32\tamsbfon.ini
C:\WINDOWS\system32\ovhtfdkb.ini
C:\WINDOWS\system32\jqixrsiu.ini
C:\WINDOWS\system32\rejymmok.ini
C:\WINDOWS\system32\rbbpaeqm.ini
C:\WINDOWS\system32\klfvlxby.ini
C:\WINDOWS\system32\afsvwawb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\xrvxqsrt.tmp
Save this as CFScript

Image

Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Please go to: VirusTotal

  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\SET52B5.tmp

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.


If VirusTotal is busy, try the same at Jotti

--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
Virus Total Results
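The File:: list above was assembled by reading the earlier ComboFix log for hidden+system files with random names under system32 (the --ahs---- .ini entries) and for the Vundo load points it shows (a Winlogon Notify DLL and an extra LSA authentication package). As an added example, not the helper's tool and not part of ComboFix, this Python script applies those same two checks to a constructed sample built from lines in this thread's logs:

```python
"""Triage helper for ComboFix-style logs (added example; not a ComboFix or forum tool).
Reproduces two checks a helper applies by eye before writing a CFScript File:: list:
files under system32 created hidden+system or with a random 8-letter name, and load
points the Vundo family abuses (Winlogon Notify DLLs, extra LSA auth packages)."""
import re

# Constructed sample, assembled from lines that appear in this thread's own logs.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.
2007-11-24 18:40 . 2007-11-25 18:38 775,902 --ahs---- C:\WINDOWS\system32\krcwwoxn.ini
2007-11-14 03:02 . 2006-12-19 16:52 8,453,632 --a------ C:\WINDOWS\system32\SET51F2.tmp
2007-11-08 13:20 . 2007-11-08 13:20 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-06 16:05 . 2007-11-28 23:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjihi]
mljjihi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll
"""

# One 'Files Created' entry: created . modified size-or-<DIR> attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RANDOM_STEM = re.compile(r"[a-z]{8}")  # Vundo-style: eight random lowercase letters
SYSTEM32 = "c:\\windows\\system32\\"

def parse_created_files(log):
    """Return [(path, attrs)] for every 'Files Created' entry in the log."""
    entries = []
    for raw in log.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m:
            entries.append((m.group("path"), m.group("attrs")))
    return entries

def flag_suspicious_files(entries):
    """Paths under system32 that are hidden+system or carry a random 8-letter stem."""
    flagged = []
    for path, attrs in entries:
        if not path.lower().startswith(SYSTEM32):
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        hidden_system = "h" in attrs and "s" in attrs  # the --ahs---- pattern in the log
        if hidden_system or RANDOM_STEM.fullmatch(stem):
            flagged.append(path)
    return flagged

def parse_loading_points(log):
    """Return {registry key (lower-cased): [value lines]} from 'Reg Loading Points'."""
    points, current, in_section = {}, None, False
    for raw in log.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key").lower()
            points[current] = []
        elif current and line and line != ".":
            points[current].append(line)
    return points

def flag_loading_points(points):
    """Return (kind, where, what) for load points worth a second look."""
    findings = []
    for key, values in points.items():
        if "\\winlogon\\notify\\" in key:
            # Every Notify package DLL is loaded into winlogon.exe at logon.
            for v in values:
                findings.append(("winlogon_notify", key.rsplit("\\", 1)[-1], v))
        elif key.endswith("\\control\\lsa"):
            for v in values:
                if v.lower().startswith('"authentication packages"'):
                    # msv1_0 is the stock package; anything beside it runs inside lsass.exe.
                    for pkg in v.split("=", 1)[1].split():
                        if pkg.lower() != "msv1_0":
                            findings.append(("lsa_auth_package", "Authentication Packages", pkg))
    return findings

def triage(log):
    """Run both checks over one log and return the candidates a helper should review."""
    files = flag_suspicious_files(parse_created_files(log))
    return {"files": files, "load_points": flag_loading_points(parse_loading_points(log))}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The output is a review list, not a delete list: a helper still confirms each hit (for instance by submitting the file to VirusTotal, as the post asks) before it goes into a CFScript.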
 
#6 ·
Here's the new ComboFix.txt
ComboFix 07-11-29.3 - Owner 2007-11-28 23:16:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\ainmpvbe.ini
C:\WINDOWS\system32\bcjjfuet.dll
C:\WINDOWS\system32\cbuaqrph.dll
C:\WINDOWS\system32\drqeaikp.dll
C:\WINDOWS\system32\dsynblan.dll
C:\WINDOWS\system32\ebvpmnia.dll
C:\WINDOWS\system32\efgbqbyx.dll
C:\WINDOWS\system32\fukeqtao.dll
C:\WINDOWS\system32\hprqaubc.ini
C:\WINDOWS\system32\hprqaubc.tmp
C:\WINDOWS\system32\htaleluf.dll
C:\WINDOWS\system32\jdqytdcx.dll
C:\WINDOWS\system32\jjwpldnv.dll
C:\WINDOWS\system32\jkhtfcie.dll
C:\WINDOWS\system32\mfgeonku.dll
C:\WINDOWS\system32\muxvxeiv.dll
C:\WINDOWS\system32\nalbnysd.ini
C:\WINDOWS\system32\ocjwpwfs.dll
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\onnmp.ini2
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\qpyuhkfu.dll
C:\WINDOWS\system32\rmdujqwn.dll
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.tmp
C:\WINDOWS\system32\tapeugos.dllbox
C:\WINDOWS\system32\ufkhuypq.ini
C:\WINDOWS\system32\usbchopn.dll
C:\WINDOWS\system32\vcwxausy.dll
C:\WINDOWS\system32\vlsktfiw.dll
C:\WINDOWS\system32\wiftkslv.ini
C:\WINDOWS\system32\xcdtyqdj.ini
C:\WINDOWS\system32\xltcygjy.dll
C:\WINDOWS\system32\xybqbgfe.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 22:48 . 2007-11-28 22:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-27 12:59 . 2007-11-27 12:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 10:25 . 2007-11-26 10:25 <DIR> d-------- C:\temp
2007-11-24 18:40 . 2007-11-25 18:38 775,902 --ahs---- C:\WINDOWS\system32\krcwwoxn.ini
2007-11-22 10:19 . 2007-11-22 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\4D
2007-11-22 10:16 . 2007-11-22 10:20 <DIR> d-------- C:\Program Files\MasterWriter
2007-11-22 09:25 . 2007-11-22 09:25 <DIR> d-------- C:\Program Files\LimeWire
2007-11-22 09:25 . 2007-11-22 09:31 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-22 09:25 . 2007-11-22 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-21 18:36 . 2007-11-22 12:25 842,967 --ahs---- C:\WINDOWS\system32\rwwnsehh.ini
2007-11-18 10:45 . 2007-11-20 18:28 689,223 --ahs---- C:\WINDOWS\system32\tamsbfon.ini
2007-11-14 20:00 . 2007-11-15 21:59 655,641 --ahs---- C:\WINDOWS\system32\ovhtfdkb.ini
2007-11-14 03:02 . 2006-12-19 16:52 8,453,632 --a------ C:\WINDOWS\system32\SET51F2.tmp
2007-11-14 03:02 . 2007-06-19 02:24 350,720 --a------ C:\WINDOWS\system32\SET51F3.tmp
2007-11-13 20:00 . 2007-11-13 20:00 668,999 --ahs---- C:\WINDOWS\system32\jqixrsiu.ini
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET5416.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET52B4.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET51EF.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET5417.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET52B5.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET51F0.tmp
2007-11-12 20:00 . 2007-11-12 20:01 591,016 --ahs---- C:\WINDOWS\system32\rejymmok.ini
2007-11-11 20:03 . 2007-11-11 20:03 584,776 --ahs---- C:\WINDOWS\system32\rbbpaeqm.ini
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 07:37 . 2007-11-09 19:58 583,292 --ahs---- C:\WINDOWS\system32\klfvlxby.ini
2007-11-09 07:26 . 2007-11-09 07:29 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-09 07:26 . 2007-11-09 07:29 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-09 00:15 . 2007-11-09 07:35 582,880 --ahs---- C:\WINDOWS\system32\afsvwawb.ini
2007-11-08 21:19 . 2007-11-08 21:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 21:18 . 2007-11-08 21:23 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-11-08 21:08 . 2007-11-22 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-08 13:20 . 2007-11-08 13:20 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-08 12:03 . 2007-11-08 12:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-08 11:58 . 2007-11-18 11:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 16:05 . 2007-11-28 23:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-06 16:05 . 2007-11-06 16:05 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-06 16:04 . 2007-11-06 16:04 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 16:02 . 2007-11-06 16:03 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 04:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-11-28 22:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 22:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart Recorder
2007-11-09 12:29 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-09 12:29 --------- d-----w C:\Program Files\Symantec
2007-11-09 12:26 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-08 19:00 --------- d-----w C:\Program Files\NoAdware5.0
2007-11-06 21:04 --------- d-----w C:\Program Files\iPod
2007-11-01 17:04 --------- d-----w C:\Program Files\Sims2Pack Clean Installer
2007-10-27 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-27 05:04 --------- d-----w C:\Program Files\Viewpoint
2007-10-27 05:04 --------- d-----w C:\Program Files\AIM6
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 16:08 --------- d-----w C:\Program Files\SecondLife
2007-10-24 15:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\SecondLife
2007-10-19 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 17:14 --------- d-----w C:\Program Files\Bethesda Softworks
2007-10-19 17:08 --------- d-----w C:\Program Files\Syberia
2007-10-19 17:07 --------- d-----w C:\Program Files\Microids
2007-10-15 23:07 --------- d-----w C:\Program Files\EA GAMES
2007-10-15 18:49 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-10-15 15:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2007-10-14 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2007-10-14 17:55 --------- d-----w C:\Program Files\Musicnotes
2007-10-12 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-12 19:20 --------- d-----w C:\Program Files\ATI Technologies
2007-10-01 19:49 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-01 19:49 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-01 19:49 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-01 19:49 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-01 19:49 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-01 19:48 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 17:07 C:\WINDOWS\soundman.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1185261948\EE\AOLHostManager.exe" [2004-11-03 16:03]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 07:09]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 00:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 18:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 06:25]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-27 03:03]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-04 14:05]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-11 20:47:45]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{638547C2-2ABA-46F4-AE28-85FF6E83CB54}\_18be6784.exe [2007-07-24 17:00:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjihi]
mljjihi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tapeugos]
tapeugos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll

R3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\mn720-50.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffc8a1fa-3b11-11dc-9050-00155820b70c}]
\Shell\AutoRun\command - J:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - J:\system\viewer\FlipVideoforPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 20:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-24 02:59:43 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 23:22:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-28 23:25:36 - machine was rebooted
.
--- E O F ---
and the scan gave me 0/32. Here's the permalink.
 
#7 ·
Hello,

It appears you have given me the same logs from the last time you ran ComboFix. Did you experience any problems running the program?

ComboFix 07-11-29.3 - Owner 2007-11-28 23:16:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: /killall
* Created a new restore point

Let's see if the log was created.

Go to Start -> Run
Type -> C:\ComboFix.txt <hit enter key>

You will be shown the log which should've been produced after your second run.

Please post the results of that.

----------------------------------------------------------------------

Also, the link to the VirusTotal Scan shows results for xpsp3res.dll.

Did you scan the following file?

C:\WINDOWS\system32\SET52B5.tmp


You can copy and paste the text from the page starting at file and up to the Additional information section.
 
#8 ·
Oops, here's the updated report:

ComboFix 07-11-29.3 - Owner 2007-11-29 17:33:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.581 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\afsvwawb.ini
C:\WINDOWS\system32\jqixrsiu.ini
C:\WINDOWS\system32\klfvlxby.ini
C:\WINDOWS\system32\krcwwoxn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ovhtfdkb.ini
C:\WINDOWS\system32\rbbpaeqm.ini
C:\WINDOWS\system32\rejymmok.ini
C:\WINDOWS\system32\rwwnsehh.ini
C:\WINDOWS\system32\tamsbfon.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\xrvxqsrt.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afsvwawb.ini
C:\WINDOWS\system32\jqixrsiu.ini
C:\WINDOWS\system32\klfvlxby.ini
C:\WINDOWS\system32\krcwwoxn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ovhtfdkb.ini
C:\WINDOWS\system32\rbbpaeqm.ini
C:\WINDOWS\system32\rejymmok.ini
C:\WINDOWS\system32\rwwnsehh.ini
C:\WINDOWS\system32\tamsbfon.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\xrvxqsrt.tmp

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-27 12:59 . 2007-11-27 12:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 10:25 . 2007-11-26 10:25 <DIR> d-------- C:\temp
2007-11-22 10:19 . 2007-11-22 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\4D
2007-11-22 10:16 . 2007-11-22 10:20 <DIR> d-------- C:\Program Files\MasterWriter
2007-11-22 09:25 . 2007-11-22 09:31 <DIR> d-------- C:\Documents and Settings\Owner\Shared
2007-11-22 09:25 . 2007-11-22 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2007-11-14 03:02 . 2006-12-19 16:52 8,453,632 --a------ C:\WINDOWS\system32\SET51F2.tmp
2007-11-14 03:02 . 2006-12-19 16:52 8,453,632 --a--c--- C:\WINDOWS\system32\dllcache\SET51F4.tmp
2007-11-14 03:02 . 2007-06-19 02:24 350,720 --a------ C:\WINDOWS\system32\SET51F3.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET52B4.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a------ C:\WINDOWS\system32\SET51EF.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a--c--- C:\WINDOWS\system32\dllcache\SET5418.tmp
2007-11-13 16:17 . 2007-10-25 22:34 8,460,288 --a--c--- C:\WINDOWS\system32\dllcache\SET52B6.tmp
2007-11-13 16:17 . 2007-10-29 05:04 350,720 --a------ C:\WINDOWS\system32\SET51F0.tmp
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 19:09 . 2007-11-09 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 07:26 . 2007-11-09 07:29 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-09 07:26 . 2007-11-09 07:29 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-08 21:19 . 2007-11-08 21:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 21:18 . 2007-11-08 21:23 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-11-08 21:08 . 2007-11-22 09:32 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
2007-11-08 11:58 . 2007-11-18 11:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-06 16:04 . 2007-11-06 16:04 <DIR> d-------- C:\Program Files\iTunes
2007-11-06 16:02 . 2007-11-06 16:03 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 22:22 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-11-28 22:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 22:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smart Recorder
2007-11-09 12:29 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-09 12:29 --------- d-----w C:\Program Files\Symantec
2007-11-09 12:26 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-08 19:00 --------- d-----w C:\Program Files\NoAdware5.0
2007-11-06 21:04 --------- d-----w C:\Program Files\iPod
2007-11-01 17:04 --------- d-----w C:\Program Files\Sims2Pack Clean Installer
2007-10-27 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-27 05:04 --------- d-----w C:\Program Files\Viewpoint
2007-10-27 05:04 --------- d-----w C:\Program Files\AIM6
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-27 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-24 16:08 --------- d-----w C:\Program Files\SecondLife
2007-10-24 15:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\SecondLife
2007-10-19 17:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 17:14 --------- d-----w C:\Program Files\Bethesda Softworks
2007-10-19 17:08 --------- d-----w C:\Program Files\Syberia
2007-10-19 17:07 --------- d-----w C:\Program Files\Microids
2007-10-15 23:07 --------- d-----w C:\Program Files\EA GAMES
2007-10-15 18:49 --------- d-----w C:\Program Files\Common Files\EasyInfo
2007-10-15 15:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2007-10-14 18:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2007-10-14 17:55 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2007-10-14 17:55 --------- d-----w C:\Program Files\Musicnotes
2007-10-12 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-12 19:20 --------- d-----w C:\Program Files\ATI Technologies
2007-10-01 19:49 98,184 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-01 19:49 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-01 19:49 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-01 19:49 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-01 19:49 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-01 19:48 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-09-29 05:46 47,376 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:05 2,456,064 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:19 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 17:07 C:\WINDOWS\soundman.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1185261948\EE\AOLHostManager.exe" [2004-11-03 16:03]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 07:09]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 00:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 18:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 06:25]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-27 03:03]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-04 14:05]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-11 20:47:45]
Microsoft Broadband Networking.lnk - C:\WINDOWS\Installer\{638547C2-2ABA-46F4-AE28-85FF6E83CB54}\_18be6784.exe [2007-07-24 17:00:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjihi]
mljjihi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tapeugos]
tapeugos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

R3 MSFT43XX;Microsoft Wireless Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\mn720-50.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffc8a1fa-3b11-11dc-9050-00155820b70c}]
\Shell\AutoRun\command - J:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - J:\system\viewer\FlipVideoforPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 20:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-24 02:59:43 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 17:39:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 17:42:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 23:25
.
--- E O F ---
I did have one concern while running ComboFix, which was that it stated early on that it was unable to locate a specified path. Is this typical?

I have no idea why it scanned the wrong file because I copied and pasted the bold text you provided, but here are the results from the second attempt.

File SET52B5.tmp received on 11.30.2007 06:20:05 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.30.1 2007.11.30 -
AntiVir 7.6.0.34 2007.11.29 -
Authentium 4.93.8 2007.11.30 -
Avast 4.7.1074.0 2007.11.29 -
AVG 7.5.0.503 2007.11.29 -
BitDefender 7.2 2007.11.30 -
CAT-QuickHeal 9.00 2007.11.29 -
ClamAV 0.91.2 2007.11.30 -
DrWeb 4.44.0.09170 2007.11.29 -
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5337 2007.11.29 -
Ewido 4.0 2007.11.29 -
FileAdvisor 1 2007.11.30 -
Fortinet 3.14.0.0 2007.11.30 -
F-Prot 4.4.2.54 2007.11.29 -
F-Secure 6.70.13030.0 2007.11.29 -
Ikarus T3.1.1.12 2007.11.30 -
Kaspersky 7.0.0.125 2007.11.30 -
McAfee 5174 2007.11.29 -
Microsoft 1.3007 2007.11.30 -
NOD32v2 2694 2007.11.30 -
Norman 5.80.02 2007.11.29 -
Panda 9.0.0.4 2007.11.29 -
Prevx1 V2 2007.11.30 -
Rising 20.20.22.00 2007.11.29 -
Sophos 4.23.0 2007.11.30 -
Sunbelt 2.2.907.0 2007.11.30 -
Symantec 10 2007.11.30 -
TheHacker 6.2.9.145 2007.11.30 -
VBA32 3.12.2.5 2007.11.28 -
VirusBuster 4.3.26:9 2007.11.29 -
Webwasher-Gateway 6.6.2 2007.11.30 -
Additional information
File size: 350720 bytes
MD5: f7406aa5739b30d46518f48b9bd70769
SHA1: e7eb614fa1ef9210c47e141a3a3580fd96211830
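The Winlogon\Notify, AppInit_DLLs and MountPoints2 entries in the "Reg Loading Points" section of the ComboFix log above are the persistence points the helpers read for Vundo. As an added example (not part of this thread and not ComboFix's own code), here is a small parser that walks that section and flags those entries; the sample text is constructed from the log lines in this thread plus one constructed baseline entry, and the baseline set of Notify packages is an assumption to extend with your own known-good list.

```python
"""Flag persistence entries in the 'Reg Loading Points' section of a ComboFix log."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample. The first four blocks are copied from the log in this thread;
# the 'sclgntfy' block is a constructed known-good entry to show the filter passing it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjihi]
mljjihi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tapeugos]
tapeugos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.EXE id= ver=1.0.0.0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy]
sclgntfy.dll
"""

# Assumption: Notify packages shipped with Windows XP. Anything else is worth a look,
# because Vundo registers itself here under a random-looking name (see mljjihi/tapeugos).
WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    kind: str   # winlogon_notify | appinit_dlls | mountpoint_autorun
    key: str    # registry key as printed by ComboFix
    value: str  # DLL name, DLL path or AutoRun command
    note: str   # why a defender should look at it


def parse_sections(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (key, value_lines) for each '[KEY]' block in the log section."""
    key, lines = None, []  # type: ignore[assignment]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, lines
            key, lines = line[1:-1], []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines


def analyse(text: str) -> List[Finding]:
    """Return the persistence entries that need review, in log order."""
    findings: List[Finding] = []
    for key, lines in parse_sections(text):
        lkey = key.lower()
        notify = re.search(r"winlogon\\notify\\([^\\]+)$", lkey)
        if notify:
            if notify.group(1) not in WINLOGON_NOTIFY_BASELINE:
                for dll in lines:
                    findings.append(Finding(
                        "winlogon_notify", key, dll,
                        "Notify package not in the XP baseline; loaded into winlogon.exe at logon"))
            continue
        if lkey.endswith("\\windows nt\\currentversion\\windows"):
            for line in lines:
                if line.lower().startswith('"appinit_dlls"'):
                    value = line.split("=", 1)[1].strip()
                    if value:
                        findings.append(Finding(
                            "appinit_dlls", key, value,
                            "DLL injected into every process that loads user32.dll; confirm the publisher"))
            continue
        if "\\mountpoints2\\" in lkey:
            for line in lines:
                if "\\shell\\autorun\\command" in line.lower():
                    findings.append(Finding(
                        "mountpoint_autorun", key, line.split(" - ", 1)[-1],
                        "AutoRun command bound to a volume; runs when the drive is opened"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:18} {f.value}\n    {f.key}\n    {f.note}")
```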
 
#9 ·
I did have one concern while running ComboFix, which was that it stated early on that it was unable to locate a specified path. Is this typical?
I've never heard of this before. Do you remember what path it was trying to look for?


On a side note, your computer was infected by a backdoor trojan. It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing other rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. You may want to consider backing up important files, and doing a reformat.

1. If this computer has been used for sensitive transactions, then you should immediately change your online banking passwords and contact your bank.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Take a look at the following file located below, to see what information they were stealing:

C:\SDFix\Data.txt

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    Image
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    Image
    then click
    Image
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please reply back with the results from the Panda Online Scan.
 
#10 ·
No, it didn't say what path they were trying to locate. By "reformat," do you mean restarting the computer as if it is new? Would that get rid of everything, because I was planning to do that within the next month or so?

Is Data.txt the only information they've been able to steal?

I'll post the report as soon as the scan finishes.
 
#11 ·
Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.target.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.gamearena.com.au/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7g6t96d.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA06JB6U.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA07WY83.txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA0I508U.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA0W6HE4.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA12O8VA.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA15GAYJ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA15KLXO.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA1CAQ5E.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA1J9FHS.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA1SGIPK.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA27P15I.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA27XL8H.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA2AIEPP.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA2DMQCC.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA3E2VFH.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA3EHT6C.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA3H94WM.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA3NOEEZ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA3QJOCD.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA4043NT.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA451TID.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA4JFIUI.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA4O5C0J.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA4R2GB6.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA56XV2H.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA5B1FX1.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA5GNBHU.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA5X1S73.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA5Y4TU0.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA68XWIP.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA6C0W8W.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA6F27CC.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA798X6B.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA79Y7L7.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA7C2BT6.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA7CEE8K.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA7FTSTL.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA7K6MPM.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA7PC08E.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA8SRYZA.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA924LH6.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA93XP8P.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA96BGLQ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA9CE9BO.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CA9DL2RC.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAA0QMCQ.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAAAB0Z4.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAAG3HSZ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAAJJ3UC.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAAO06W6.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAAOG9SD.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAARUP1M.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAAWQ66A.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAB04H1Y.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CABADLYF.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CABD0NAS.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CABMPIB4.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CABXLDWF.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAC0GGMJ.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CACD4E90.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CACD4QMU.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CACH9R1N.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CACQBDIK.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CACQDDAW.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAD7DO41.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CADASIPL.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CADQQAU7.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CADRORHE.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CADYMRUS.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAEEVT15.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAEJM2ES.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAEXJBQD.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAFBEFJ4.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAFQFGRS.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAFX910D.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAGGQJY9.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAGKMGZN.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAGKXCZW.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAHIKYIY.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAHPDS19.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAI3A2DF.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAIK4DPM.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAILGZCR.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAIMY1GD.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAIPGOHY.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAIRGC1S.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAITJ5Y9.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAJ4CY27.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAJFUFP6.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAJRJWA1.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAJTSV64.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAK4564G.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAK8HZQ5.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAKI9PW6.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAKIOVDU.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAKKLO4E.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAKW8EET.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAL0AP3R.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAL532B5.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CALYPH56.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CALZ3QVX.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CALZ53EP.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAME4REF.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAMF5OLF.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAMQB6BZ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAMUJ567.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAN0W2SD.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAN1P27Q.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAN5OULK.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAN80H03.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAN9IEOZ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CANAH51Q.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CANJTG9H.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CANZV340.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAO6Y3XC.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAPSWAYN.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAQ36JNG.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAQ6MHFD.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAQGGJXJ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAQR5792.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAQRE4BN.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CARNASC2.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CASGZ9ZU.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CASK3T87.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAT6UMRS.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAT83MLK.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CATHGYEF.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CATSHPS0.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAUNOYMH.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAUOM2OM.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAUQYZNL.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAURQNX2.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAUW4AI3.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAV93CS6.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAVB5EIH.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAVIKBCY.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAVN2CWM.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAW7EXMD.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAW9H3I3.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAWLHSK0.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAWS7V82.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAXEUKY5.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAYBMWH3.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAYF0O0M.txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAYLTK0N.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAYP0H6B.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAYQPOGZ.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAYUG2HU.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAZ6YUC8.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAZF55O6.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@CAZR72BN.txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[10].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[11].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[3].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[4].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[5].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[6].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[7].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[8].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[9].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Spyware:Spyware/Vundo Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\bcjjfuet.dll.vir
Spyware:Spyware/Vundo Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\drqeaikp.dll.vir
Spyware:Spyware/Vundo Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\rmdujqwn.dll.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Virus:Trj/Multidropper.RJS Disinfected C:\SDFix\backups\backups.zip[backups/winlogon.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
 
#12 ·
By "reformat," do you mean restarting the computer as if it is new? Would that get rid of everything, because I was planning to do that within the next month or so?
Yes.

Is Data.txt the only information they've been able to steal?
They could've possibly stolen anything you log into on your computer. Passwords for forums, bank accounts, email accounts, etc. You should take this time to change all your passwords.

Your logs look clean now, but as I said earlier it is hard to tell what damage this trojan has done to your system. It could've opened up more backdoors, leaving your system vulnerable to re-infection.

Also, delete the following Folder in BLUE

C:\SDFix


Well done, your logs are clean! There are just a few more things I would like you to do.


Go to Start > Run - type ComboFix /u

Click OK

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/content/Security/Articles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.


Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls



Informational Reading

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

Please respond to this thread one more time so we can mark this thread as resolved.
 
#14 ·
If you reformat, then no, it won't attack your computer.


If you want to try and get rid of Vundo, then do the following:

Download combofix from here or Alternate link

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.
 