Help request with spyware, virus please

Question

algismorales 0 Light Poster

15 Years Ago

Hi DaniWeb miracle workers! Hope all is well with you.

I was wondering if someone would be so kind to help me out with this.
My desktop at home has gotten slower and slower so I came once again to Daniweb to try to figure out the problem.
I followed PhillliePhan's procedure, except for the Deckard's System Scanner, which has a comment saying to skip and follow the remainder of the procedure. Deckard's is currently unavailable.

I am posting the Malwarebyte AntiMalware log and the ESET Online Scanner Log. (I can't submit the Deckard's log nor the Hijack Uninstall list because these weren't used, according to PhilliPhan's procedure). Here they are:

Note: When I ran Malwarebyte's Antimalware and removed the selected infected items, I got a notice saying that a few items were not able to be removed.

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

3/3/2009 3:25:23 AM
mbam-log-2009-03-03 (03-25-23).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 144033
Time elapsed: 5 hour(s), 56 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\fxjjtlhq.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\arwehdx.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\muzbeqhn (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dd140a75-b643-4124-97c5-82ba9de5ee99} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\glayrbbs (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\glayrbbs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\glayrbbs (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\searchindexer (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
D:\WINDOWS\system32\LocalService32 (Worm.P2P) -> Quarantined and deleted successfully.

Files Infected:
d:\WINDOWS\system32\arwehdx.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\isnaismi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\imsiansi.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\fxjjtlhq.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\cwywrgb.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\LocalService32\39.music.mp3 (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\39.music.mp3.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\41.crack.zip.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\42.keymaker.zip.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\43.setup.zip.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\44.unpack.zip.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\45.keygen.zip.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\46.serial.zip.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\47.music.snd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\LocalService32\47.music.snd.kwd (Worm.P2P) -> Quarantined and deleted successfully.
D:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3905 (20090303)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=91acc07dd563c449a33cde4da64df410
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-03-03 11:46:35
# local_time=2009-03-03 06:46:35 (-0500, SA Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=266650
# found=17
# scan_time=20242
C:\Documents and Settings\Algis\Configuración local\Temp\p3s39.tmp probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s39.tmp »ZIP »tcp.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s3B.tmp probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s3B.tmp »ZIP »WINSYSTEM.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s6.tmp probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s6.tmp »ZIP »tcp.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s7.tmp probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\p3s7.tmp »ZIP »tcp.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Documents and Settings\Algis\Configuración local\Temp\tcp.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\WINDOWS\system32\resetservice.exe Win32/VB.NUB trojan 8EC4FB27BE7465BFA35F0649DD7F775C
D:\Documents and Settings\Algis\My Documents\LimeWire\Incomplete\T-3545427-esa muchachita.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan DA74DCC9E10DC27928352BA57535BEAD
D:\Documents and Settings\Algis\My Documents\LimeWire\Incomplete\T-3545427-ines gaviria hoy (256k 44800).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2427C66950C96F33932B551FACDB6578
D:\Documents and Settings\Algis\My Documents\LimeWire\Incomplete\T-5088466-ines gaviria hoy(192k 44100 stereo).snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan 4AAFDA936E4F6AF42A22DFB14B93D228
D:\Documents and Settings\Algis\My Documents\LimeWire\Saved\esa muchachita.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 9CE3862437269C76E8BB40BF89ECBF7D
D:\Documents and Settings\Algis\My Documents\LimeWire\Saved\hoy ines gaviria.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan AD18E893F4BD5358B616BDC87D0A0A64
D:\Documents and Settings\Algis\My Documents\LimeWire\Saved\ines gaviria hoy-HQ.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 99D47E9E5F734FA2BD430689219CF205
D:\Documents and Settings\Algis\My Documents\LimeWire\Saved\mauricio y palo de agua esa [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 0C6DCEA8A74AB98D9FF36882ED310CAD

Eagerly and gratefully looking forward to hearing from you.

Thank you!
Algis

windows-virus

4 Contributors
71 Replies
515 Views
1 Month Discussion Span
Latest Post 15 Years Ago Latest Post by crunchie

jholland1964 650 Posting Expert

15 Years Ago

It will take awhile to read this log, as you can well imagine. Will get back with you ASAP.
Judy

algismorales commented: Very helpful, very patient. Wow! +4

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 1 · 2009-03-05T01:22:35+00:00

Note: When I ran Malwarebyte's Antimalware and removed the selected infected items, I got a notice saying that a few items were not able to be removed.

Those would be those noted "Delete on Reboot". Reason then can't be removed immediately is the files are in use.
This means you must reboot the computer in order for these to be removed. When the computer is rebooted MBA-M can then reboot them BEFORE they are put into use again
I always recommend a reboot after running MBA-M and also the ESET scanner just as a matter of course.
So reboot the computer now if you have not done so yet. Otherwise these won't be removed.
Can you download and run HiJackThis and give me both the Full System Scan log and also the Uninstall List.

algismorales 0 Light Poster · Answer 2 · 2009-03-05T01:58:48+00:00

Cool! Thank you for your help jholland1964.

Here is the HiJackThis log and the Uninstall list

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:46 PM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
d:\program files\common files\mozilla shared\firefox.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: (no name) - {0786AF62-346A-4384-9EF2-C7C50EA4D7Df} - D:\WINDOWS\system32\fxjjtlhq.dll
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Mqjehc] C:\Program Files\Ydvq\Pyywyd.exe
O4 - HKLM\..\Run: [ngrkep] d:\windows\system32\ngrkep.exe
O4 - HKLM\..\Run: [PaciSoft] D:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] D:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [D:\WINDOWS\IEXPLOR.EXE] D:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] D:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [7FoX33l] chkisn.exe
O4 - HKLM\..\Run: [pze] D:\Program Files\prpo\ishxpb.exe
O4 - HKLM\..\Run: [hzmfzpwrxrtysdeutseva] D:\WINDOWS\zrdpktfo.exe
O4 - HKLM\..\Run: [D:\WINDOWS\WinTask.exe] D:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [ctmpsd] D:\WINDOWS\ctmpsd.exe
O4 - HKLM\..\Run: [AutoLoader7s7r1NYWJdXZ] "D:\WINDOWS\system32\chkisn.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Lsass Services] D:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mo77RTJ2S] wshprbda.exe
O4 - HKCU\..\Policies\Explorer\Run: [qdxcuo.exe] D:\WINDOWS\system\qdxcuo.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O20 - Winlogon Notify: 908a0de1530 - D:\WINDOWS\System32\dxtmsft32.dll (file missing)
O20 - Winlogon Notify: muzbeqhn - D:\WINDOWS\SYSTEM32\arwehdx.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 6703 bytes

Uninstall List

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Software Update
EPSON Printer Software
ESET Online Scanner
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Ink Monitor
iPod for Windows 2005-09-06
iTunes
Java(TM) 6 Update 11
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
MSN Music Assistant
MSN Toolbar
Norton AntiVirus Corporate Edition
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip Self-Extractor

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 3 · 2009-03-05T03:13:39+00:00

Did you in fact reboot?
If not do so now. Please update MBA-M and run another Fulls System Scan. Remove all that is found.
Reboot. Post back with the results.

algismorales 0 Light Poster · Answer 4 · 2009-03-05T11:15:56+00:00

Good evening jholland,

Alright, here I am again.
I rebooted as you requested, updated and ran another MBA-M Full System Scan, removed all that was found, AND rebooted after all was completed.

Here is the MBA-M log:

Malwarebytes' Anti-Malware 1.34
Database version: 1817
Windows 5.1.2600 Service Pack 3

3/4/2009 11:58:01 PM
mbam-log-2009-03-04 (23-58-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 146750
Time elapsed: 6 hour(s), 46 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\fxjjtlhq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\muzbeqhn (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\glayrbbs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\glayrbbs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\glayrbbs (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\WINDOWS\system32\arwehdx.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\fxjjtlhq.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\cwywrgb.dll (Trojan.Vundo.H) -> Delete on reboot.

Thank you again and looking forward to hearing from you.

Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 5 · 2009-03-05T11:49:45+00:00

Please do the following;
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with that log.

algismorales 0 Light Poster · Answer 6 · 2009-03-05T22:52:06+00:00

Hi jholland,
Alright, done!

One thing though, which I think may be trivial. When I try to cut and paste the Combofix log on this quick reply thread, the screen will freeze and the page stops responding. Is it possible that due to the long length of the log, it gives me this trouble?
How can I send you the log?

Thank you again jholland for your patience. It's enormously appreciated.

Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 7 · 2009-03-06T01:45:41+00:00

Hi jholland,
Alright, done!
When I try to cut and paste the Combofix log on this quick reply thread, the screen will freeze and the page stops responding. Is it possible that due to the long length of the log, it gives me this trouble?
How can I send you the log?
Algis

Yes, it is possible because of the length, others have had this problem. Attach the log as a .txt file.
Look below the reply box when you are replying and you will see the button that says Manage Attachments.
Click that button and then a box will pop up which has a button which says Browse. Click that button and you will be given the options of where on your computer the attachment will come from.
Click that file, the name and location will appear in the box then click the Upload button. The file will be uploaded from your computer and attached to your post.
Judy

algismorales 0 Light Poster · Answer 8 · 2009-03-06T03:23:06+00:00

algismorales 0 Light Poster

15 Years Ago

Hi Judy!

Cool. Here goes the Combofix log then:

Thank you again.

Algis

ComboFix.txt (852.09 KB)

The attachment preview is chopped off after the first 10 KB. Please download the entire file.

ComboFix 09-03-04.01 - Algis 2009-03-05 10:39:45.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.383.160 [GMT -5:00]
Running from: d:\documents and settings\Algis\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
d:\program files\Need2Find
d:\program files\Need2Find\bar\History\search
d:\windows\GnuHashes.ini
d:\windows\system32\dumphive.exe
d:\windows\system32\GroupPolicy000.dat
d:\windows\system32\iahqwfrr.ini
d:\windows\system32\oabtnncj.ini
d:\windows\system32\Process.exe
d:\windows\system32\SrchSTS.exe
d:\windows\system32\tmp.reg
d:\windows\system32\VCCLSID.exe
d:\windows\Tasks\At1.job
d:\windows\system32\arwehdx.dll . . . . failed to delete
d:\windows\system32\fxjjtlhq.dll . . . . failed to delete

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GLAYRBBS
-------\Service_glayrbbs


(((((((((((((((((((((((((   Files Created from 2009-02-05 to 2009-03-05  )))))))))))))))))))))))))))))))
.

2009-03-04 17:11 . 2009-03-04 17:11	<DIR>	d--------	d:\documents and settings\Algis\Application Data\uazmnfvl
2009-03-03 19:57 . 2008-08-14 05:11	2,189,184	-----c---	d:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 19:57 . 2008-08-14 05:09	2,145,280	-----c---	d:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 19:57 . 2008-10-15 11:34	337,408	-----c---	d:\windows\system32\dllcache\netapi32.dll
2009-03-03 19:56 . 2008-08-14 04:33	2,066,048	-----c---	d:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 19:56 . 2008-08-14 04:33	2,023,936	-----c---	d:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 19:55 . 2008-10-24 06:21	455,296	-----c---	d:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 19:55 . 2008-12-11 05:57	333,952	-----c---	d:\windows\system32\dllcache\srv.sys
2009-03-03 15:36 . 2009-03-03 15:36	<DIR>	d--------	d:\windows\system32\scripting
2009-03-03 15:36 . 2009-03-03 15:36	<DIR>	d--------	d:\windows\l2schemas
2009-03-03 15:35 . 2009-03-03 15:35	<DIR>	d--------	d:\windows\system32\en
2009-03-03 03:39 . 2009-03-03 13:06	<DIR>	d--------	d:\program files\EsetOnlineScanner
2009-03-03 03:28 . 2009-03-03 03:28	<DIR>	d--------	d:\windows\Mozilla
2009-03-02 21:20 . 2009-03-02 21:20	<DIR>	d--------	d:\program files\Malwarebytes' Anti-Malware
2009-03-02 21:20 . 2009-03-02 21:20	<DIR>	d--------	d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-03-02 21:20	<DIR>	d--------	d:\documents and settings\Algis\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-02-11 10:19	38,496	--a------	d:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 21:20 . 2009-02-11 10:19	15,504	--a------	d:\windows\system32\drivers\mbam.sys
2009-03-01 10:54 . 2009-03-01 10:54	<DIR>	d--------	d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl
2009-02-15 17:44 . 2008-04-13 19:12	276,992	---------	d:\windows\system32\wmphoto.dll
2009-02-15 17:43 . 2008-04-13 19:12	712,704	---------	d:\windows\system32\windowscodecs.dll
2009-02-15 17:43 . 2008-04-13 19:12	346,112	---------	d:\windows\system32\windowscodecsext.dll
2009-02-15 17:43 . 2008-04-13 19:12	69,120	---------	d:\windows\system32\wlanapi.dll
2009-02-15 17:42 . 2008-04-13 19:12	53,248	---------	d:\windows\system32\tsgqec.dll
2009-02-15 17:42 . 2008-04-13 19:12	50,688	---------	d:\windows\system32\tspkg.dll
2009-02-15 17:41 . 2008-04-13 19:12	32,768	---------	d:\windows\system32\setupn.exe
2009-02-15 17:41 . 2008-04-13 13:40	10,240	---------	d:\windows\system32\drivers\sffp_mmc.sys
2009-02-15 17:40 . 2008-04-13 19:12	412,160	---------	d:\windows\system32\photometadatahandler.dll
2009-02-15 17:40 . 2008-04-13 19:12	291,328	---------	d:\windows\system32\qagentrt.dll
2009-02-15 17:40 . 2008-04-13 19:12	290,304	---------	d:\windows\system32\rhttpaa.dll
2009-02-15 17:40 . 2008-04-13 19:12	150,528	---------	d:\windows\system32\qagent.dll
2009-02-15 17:40 . 2008-04-13 19:12	76,800	---------	d:\windows\system32\qutil.dll
2009-02-15 17:40 . 2008-04-13 19:12	62,464	---------	d:\windows\system32\qcliprov.dll
2009-02-15 17:40 . 2008-04-13 19:12	61,952	---------	d:\windows\system32\rasqec.dll
2009-02-15 17:39 . 2008-04-13 19:12	144,384	---------	d:\windows\system32\onex.dll
2009-02-15 17:38 . 2008-09-09 20:14	1,307,648	--a------	d:\windows\system32\msxml6.dll
2009-02-15 17:38 . 2008-09-09 20:14	1,307,648	-----c---	d:\windows\system32\dllcache\msxml6.dll
2009-02-15 17:38 . 2008-04-13 19:12	193,024	---------	d:\windows\system32\napmontr.dll
2009-02-15 17:38 . 2008-04-13 19:12	176,640	---------	d:\windows\system32\napstat.exe
2009-02-15 17:38 . 2008-04-13 12:27	79,872	---------	d:\windows\system32\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 12:27	79,872	-----c---	d:\windows\system32\dllcache\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 19:12	30,208	---------	d:\windows\system32\napipsec.dll
2009-02-15 17:37 . 2008-04-13 19:12	155,136	---------	d:\windows\system32\mssha.dll
2009-02-15 17:37 . 2008-04-13 13:14	76,800	---------	d:\windows\system32\msshavmsg.dll
2009-02-15 17:36 . 2008-04-13 19:11	397,312	---------	d:\windows\system32\mmcex.dll
2009-02-15 17:36 . 2008-04-13 19:11	184,320	---------	d:\windows\system32\microsoft.managementconsole.dll
2009-02-15 17:36 . 2008-04-13 19:11	106,496	---------	d:\windows\system32\mmcfxcommon.dll
2009-02-15 17:36 . 2008-04-13 19:12	33,792	---------	d:\windows\system32\mmcperf.exe
2009-02-15 17:34 . 2008-04-13 19:11	61,440	---------	d:\windows\system32\kmsvc.dll
2009-02-15 17:34 . 2008-04-13 19:11	37,376	---------	d:\windows\system32\l2gpstore.dll
2009-02-15 17:34 . 2008-04-13 19:09	6,144	---------	d:\windows\system32\kbdpash.dll
2009-02-15 17:34 . 2008-04-13 19:09	6,144	---------	d:\windows\system32\kbdnepr.dll
2009-02-15 17:34 . 2008-04-13 19:09	6,144	---------	d:\windows\system32\kbdiultn.dll
2009-02-15 17:34 . 2008-04-13 19:09	6,144	---------	d:\windows\system32\kbdbhc.dll
2009-02-15 17:33 . 2008-04-13 19:10	102,912	-----c---	d:\windows\system32\dllcache\dpcdll.dll
2009-02-15 17:33 . 2008-04-13 19:09	24,064	-----c---	d:\windows\system32\dllcache\pidgen.dll
2009-02-15 17:32 . 2007-06-21 00:52	974	---------	d:\windows\system32\pid.inf
2009-02-15 17:30 . 2008-04-13 11:36	144,384	---------	d:\windows\system32\drivers\hdaudbus.sys
2009-02-15 17:28 . 2008-04-13 19:11	59,392	---------	d:\windows\system32\eapqec.dll
2009-02-15 17:28 . 2008-04-13 19:11	40,960	---------	d:\windows\system32\eappprxy.dll
2009-02-15 17:28 . 2008-04-13 19:11	33,792	---------	d:\windows\system32\eapsvc.dll
2009-02-15 17:28 . 2006-12-28 14:01	19,569	--a------	d:\windows\[u]0[/u]05995_.tmp
2009-02-15 17:27 . 2008-04-13 19:11	650,752	---------	d:\windows\system32\dot3ui.dll
2009-02-15 17:27 . 2008-04-13 19:11	184,832	---------	d:\windows\system32\eapp3hst.dll
2009-02-15 17:27 . 2008-04-13 19:11	180,224	---------	d:\windows\system32\eapphost.dll
2009-02-15 17:27 . 2008-04-13 19:11	132,096	---------	d:\windows\system32\dot3svc.dll
2009-02-15 17:27 . 2008-04-13 19:11	126,976	---------	d:\windows\system32\eappcfg.dll
2009-02-15 17:27 . 2008-04-13 19:11	94,208	---------	d:\windows\system32\eappgnui.dll
2009-02-15 17:27 . 2008-04-13 19:11	57,856	---------	d:\windows\system32\dot3cfg.dll
2009-02-15 17:27 . 2008-04-13 19:11	56,320	---------	d:\windows\system32\dot3msm.dll
2009-02-15 17:27 . 2008-04-13 19:11	39,936	---------	d:\windows\system32\dot3gpclnt.dll
2009-02-15 17:27 . 2008-04-13 19:11	30,720	---------	d:\windows\system32\eapolqec.dll
2009-02-15 17:27 . 2008-04-13 19:11	26,112	---------	d:\windows\system32\dot3api.dll
2009-02-15 17:27 . 2008-04-13 19:11	9,216	---------	d:\windows\system32\dot3dlg.dll
2009-02-15 17:26 . 2008-04-13 19:11	48,640	---------	d:\windows\system32\dhcpqec.dll
2009-02-15 17:26 . 2008-04-13 19:11	39,936	---------	d:\windows\system32\dimsroam.dll
2009-02-15 17:26 . 2008-04-13 19:11	19,456	---------	d:\windows\system32\dimsntfy.dll
2009-02-15 17:26 . 2008-04-13 19:11	12,800	---------	d:\windows\system32\credssp.dll
2009-02-15 17:24 . 2008-04-13 19:11	233,472	---------	d:\windows\system32\azroles.dll
2009-02-15 17:24 . 2008-04-13 19:11	7,168	---------	d:\windows\system32\bitsprx4.dll
2009-02-15 17:23 . 2008-04-13 19:11	136,192	---------	d:\windows\system32\aaclient.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 01:35	---------	d-----w	d:\program files\MSN Messenger
2009-03-03 01:52	---------	d-----w	d:\documents and settings\Algis\Application Data\Lavasoft
2009-02-14 05:03	---------	d-----w	d:\program files\LimeWire
2009-02-03 18:07	---------	d-----w	d:\program files\Java
2009-01-28 01:11	---------	d-----w	d:\program files\Google
2007-09-21 08:33	4,944	-c--a-w	d:\program files\hijackthis.log
2007-09-21 01:45	401,720	-c--a-w	d:\program files\imabunny.exe
.

(((((((((((((((((((((((((((((   snapshot_2007-09-21_ 31244.68   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-09 13:16:16	582,656	-c--a-w	d:\windows\$hf_mig$\KB933729\SP2QFE\rpcrt4.dll
+ 2007-06-19 07:24:36	350,720	-c--a-w	d:\windows\$hf_mig$\KB933729\SP2QFE\xpsp3res.dll
+ 2005-10-12 23:12:25	14,048	-c--a-w	d:\windows\$hf_mig$\KB933729\spmsg.dll
+ 2005-10-12 23:12:26	213,216	-c--a-w	d:\windows\$hf_mig$\KB933729\spuninst.exe
+ 2005-10-12 23:12:25	22,752	-c--a-w	d:\windows\$hf_mig$\KB933729\update\spcustom.dll
+ 2005-10-12 23:12:28	716,000	-c--a-w	d:\windows\$hf_mig$\KB933729\update\update.exe
+ 2005-10-12 23:12:33	371,424	-c--a-w	d:\windows\$hf_mig$\KB933729\update\updspapi.dll
+ 2007-07-06 09:52:38	72,960	-c--a-w	d:\windows\$hf_mig$\KB937894\SP2QFE\mqac.sys
+ 2007-07-06 13:08:11	138,240	-c--a-w	d:\windows\$hf_mig$\KB937894\SP2QFE\mqad.dll
+ 2007-07-06 13:08:11	47,104	-c--a-w	d:\windows\$hf_mig$\KB937894\SP2QFE\mqdscli.dll
+ 2007-07-06 13:08:11	16,896	-c--a-w	d:\windows\$hf_mig$\KB937894\SP2QFE\mqise.dll
+ 2007-07-06 13:08:11	660,992	-c--a-w	d:\windows\$hf_mig$\KB937894\SP2QFE\mqqm.dll
+ 2007-07-06 13:08:11	177,152	-c--a-w	d:\windows

algismorales 0 Light Poster · Answer 9 · 2009-03-06T04:34:44+00:00

You're awesome Judy, thank you! I'll await.

Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 10 · 2009-03-06T05:09:33+00:00

Go to http://virusscan.jotti.org/
Upload these two files there for scanning and see what they show

d:\windows\system32\fxjjtlhq.dll

d:\windows\system32\arwehdx.dll

algismorales 0 Light Poster · Answer 11 · 2009-03-06T06:17:36+00:00

Hi Judy,
Alright.
The first file's scan shows the following:

File: fxjjtlhq.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: c708046c1db5cc1faaf251d6c2a8ff92
Packers detected: -

Scanner results
Scan taken on 06 Mar 2009 00:11:28 (GMT)
A-Squared Found nothing
AntiVir Found TR/Trash.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

And the second file scan shows the following:

File: arwehdx.dll_
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 854aaead2ad4f69a1156990a127a643f
Packers detected: -

Scanner results
Scan taken on 06 Mar 2009 00:14:46 (GMT)
A-Squared Found nothing
AntiVir Found TR/Trash.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 12 · 2009-03-06T11:27:29+00:00

Please run the Housecall online virus scan located at:
http://housecall.trendmicro.com/housecall/start_corp.asp
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system. I don't believe Trend Micro produces a log, if it does of course save it. If not please make note of the names and locations of anything found
When the scan is finished, please restart your computer.

Update MBA-M. Run another Full System scan with it and of course have it REMOVE EVERYTHING found.
Reboot.
Run another HJT scan, save the log and post back here with the MBA-M log, and HJT log.

algismorales 0 Light Poster · Answer 13 · 2009-03-08T01:31:19+00:00

Hi Judy,
Thanks for your help so far.

As I followed the first part of the procedure, going to TrendMicro Housecall, I have tried 3 times to run the scan but with no luck. The first time, after about 4 hours of scanning, the window simply disappeared and never came back. I have tried 2 other times, but when I try to begin running the scan, I get a popup window that says "An error occurred while trying to transfer data from the internet! Do you want TrendMicro Housecall to try again transferring the required data?" OK CANCEL.

When I click on OK, the popup shows up over and over again. So I click on the X above to close the popup, and the scan will prompt me to run. However, as soon as I run the scan, it'll run for a while and it'll then stall and go nowhere. I even tried running it under a different Housecall Kernel, and still no luck.

Did I screw up somewhere?

Thank you Judy for your patience.

Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 14 · 2009-03-08T01:43:56+00:00

No, there are just some online scans that don't work for everyone.
Try one of these, all don't give the option to remove but do produce a log.

http://support.f-secure.com/enu/home/ols.shtml

http://www.pandasoftware.com/products/activescan.htm

http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

algismorales 0 Light Poster · Answer 15 · 2009-03-09T11:24:34+00:00

Hi Judy,
Finally got everything done that you asked me. Wheew was that time consuming...

Okay. I tried the F-Secure online scan but after about 5 hours, it just failed. I tried the Kaspersky online scanner afterwards, and after about 7 hours of scanning, it finished, and produced a log that I am attaching along with the MalwareByte's Malware log and the HJT log.

Here is the MBA-M log:

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600 Service Pack 3

3/9/2009 12:07:02 AM
mbam-log-2009-03-09 (00-06-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 147995
Time elapsed: 10 hour(s), 42 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0786af62-346a-4384-9ef2-c7c50ea4d7df} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\fxjjtlhq.dll (Trojan.Vundo.H) -> No action taken.
d:\WINDOWS\system32\arwehdx.dll (Trojan.BHO.H) -> No action taken.

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:05 AM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5627 bytes

~Note: For some reason, I am trying to attach the Kaspersky log, but it won't let me do it. When the Kaspersky scan finished, it just showed the results, which I saved to my desktop~ I will try to send this separately.

algismorales 0 Light Poster · Answer 16 · 2009-03-09T11:28:50+00:00

Judy, here is the Kaspersky log:

Sunday, March 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 08, 2009 03:43:51
Records in database: 1879128

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 80467
Threat name 16
Infected objects 1269
Suspicious objects 0
Duration of the scan 07:54:09

File name Threat name Threats count
C:\Archivos de programa\Norton AntiVirus\Quarantine\00216E52.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00371BF1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\004443E3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00486627.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00560660.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\005E13C6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\006F1CD7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\007059F4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00766CC8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\009655D1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00D241D8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00D915D1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00F41F21.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\00F715AB.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\011E1C99.0XE Infected: Backdoor.Win32.Rbot.gen 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\012343C9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\01266DC5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\013A69AF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\018163A9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\01B22250.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\01E3181A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\022416F5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\024F6FE9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0265278B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\02860289.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\02D11114.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\02D85352.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03232E6B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\032D20F7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\034770DA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03477893.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\034A228F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\034A59B2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03574A81.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\035842C8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\036814B6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\037F1B30.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03932ED0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03A95C6F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03B32C09.0XE Infected: Backdoor.Win32.Rbot.gen 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03BC6011.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03D41244.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03E21E79.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03EB1A24.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03EC1C6E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03EF466B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\03FD27C9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\04203C35.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\042175A2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\043669D4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\044965BE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\04600BA5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\046A4876.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\046D7272.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\047E4058.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\048757C0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0491776D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\04B50E23.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\04E31113.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\04E976C7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\05164294.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\053E32B1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\05522E9B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\057E4C65.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\05BD5700.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\05E60841.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\05E84DFB.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\05F557E5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\06255F6A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\063D5E2B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0645653F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\065E2175.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\06675E45.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\06B60F14.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\06CF1DD2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\06DB5534.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\06F42CCF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\070D046B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\07102E67.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\071D5659.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\07242A52.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\07514063.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\07536E67.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\07706847.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\079D72F0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\07BA35AC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\08040479.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\083E3362.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\08546EB4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0855634B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0869577E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\08BF3686.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\08F42B76.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\094D3ACD.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\097603C4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\099053A7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\09B93C0B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\09E64E6C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0A200B09.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0A4E2364.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0A5C6D0E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0A601D05.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0A6826BA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0A6F7AB3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0AC734DF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0AF7285F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0B6728C4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0B7A6D8C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0B7E1788.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0BB5614B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0BC06B8D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0BE379A7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0BEB71A1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C145A06.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C385F01.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C4266F8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C581498.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C6673AC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C72647B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0C930857.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0CAA2E3E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0CAB1C83.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0CE0011F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0CE03E94.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0CF43E2F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0D3067AA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0D686890.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0D6E3C89.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0D712F62.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0DA97925.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0DDA3B7D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E0B52FF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E2A52D9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E302322.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E333569.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E455879.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E5D76A8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E804C38.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E8A4DDE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0E972942.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0EC20236.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0F0031AC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0F00355D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0F151E26.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0F2F09C6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0F894C38.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0F9D14B0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0FD45AC2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0FE4793E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0FEE61C8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\0FF20BC5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\10274D43.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\10547759.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\107B3053.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1096787E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\109B5BE7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\10FB15C7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1101289B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\110E508C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\11114366.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\11117A89.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\111337A6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\11F13B94.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12255B5A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12352D48.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\124431C5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12492933.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12662312.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\126E0708.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12734B04.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\128072F6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12A440CE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12B83CB8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12BF10B1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\12CA1EA4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\13135454.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\133F0622.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\141D2D2E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\142C6F1F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14391710.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\143B6832.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\143F122F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\147331F5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14740AD0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14742A3D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\148342BE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14860226.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14CE4991.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14D0226B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\14FA63AA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\150E4027.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\15AE4977.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\15CE6D53.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\15F16251.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\162D2EEB.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\16330A9C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\166C2931.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\167006A0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1698202C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\169A3DDC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\16F12931.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\16F36B3A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\170E7FF3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\178A5AD8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\17952DF6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\17B2333F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\17DC5510.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\17E91C6F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18125162.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\182F7EB3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\183442AF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18920BFF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18B07E27.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18B54D8B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18DA471E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18E26888.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\18FA6AFA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\190F3FBE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\191110E0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1930639A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19640361.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19672D5D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19A75B16.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19BD6597.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19BE4222.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19CE52EB.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19D06CEA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19D316E7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19DA5F77.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19E83839.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\19F03034.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A1C4295.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A1E5C94.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A455469.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A513785.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A74459F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A965008.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1A9B0CA3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1AB467EF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1AC863D9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1AD95B30.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1AEF5BAE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1B017EBE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1B2E343D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1B3F1C7A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1B70511F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1B856709.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1B9B3415.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1BCB68BA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1BDD54A8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1BF64BB1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C0B2075.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C117C27.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C144590.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C182A60.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C242B83.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C4B1ABC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1C52634C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1CA37CF2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1CAD7AE7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1CE11AAE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1D3257C9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1D7B640A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1D9D4CBB.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1DC6548D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1DC813F5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1DCC2886.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E333A0F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E356813.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E492523.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E5051F6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E5D01A0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E6233E1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E6E4BD5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1E7305CF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1ED85C85.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1F274C2E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1F7B1B3A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1FA307A6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1FAE5E75.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1FE0643C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1FEB2357.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\1FFC3018.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\201B57FC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\204066F9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\206A47A6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2071550B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\207730BC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\20B54E78.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\20EE7115.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\210E501B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21376951.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\213C42B8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21602E97.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21853743.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21A115BD.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21A645B4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21AC19AD.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21B23CD5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21DC6A0F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21E33E08.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\21FD0DEB.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\22180336.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\222E03B5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\224065A0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\22657096.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\22671E9A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\22723094.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\230556C8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\231164BA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23332295.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\233771FA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\233B1BF7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23460079.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23664A14.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\236C11C1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23950E2A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\239E13D7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23A046F2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23B80328.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\23BC05FF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\240D46CA.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\24192D97.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\241B6704.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\242A213D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\242B38F2.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\242D6AA6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\243128A7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\244E4D5D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\24505BF4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2455627B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\24563B56.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\245F58B8.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\248A5B1C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\24BD2208.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2502744F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\25150FA7.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\251A0715.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\252F6AF3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\253C077C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\25460571.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\25496E49.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\254A4372.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\25557AD4.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2572001D.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2582520B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\25AF44FE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\25D63CD3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\260E7EDE.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2681118A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\26AD0FE6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\26B866B6.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\26CE1455.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\26D15DBF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\26E53A3C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\26F60471.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2706118A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2708665C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\271E7C46.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\274D1936.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\27592AD9.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\277669E5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\277C5D4B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\278334F5.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\27BA5B9A.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\27CB418C.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\27E60D68.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\27F81C74.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\281612A3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\281C472E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\282F4AD1.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\284E318F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\28735BF3.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\28825CBF.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\28836CBC.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\289B4C0F.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\28D40A69.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\291B1216.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\291D2213.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\29814D0E.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\29951828.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\29AC6EE0.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\29D73C6B.0XE Infected: Backdoor.Win32.Rbot.bd 1

C:\Archivos de programa\Norton AntiVirus\Quarantine\2A1A5CFD.0XE Infected: Backdoor.Win32

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 17 · 2009-03-10T03:51:22+00:00

Ok, the bulk of those found were in the Norton Quarantine. Empty that quarantine. They really shouldn't hurt anything because they are LOCKED up, but get rid of them you don't need them.
The other one was found in combofix quarantine, leave that for now we will get rid of it later.
I am concerned with the MBA-M log, it shows that there was no action taken on any of those found. Update it, run a full scan again and this time Remove Selected.
Reboot.
Post back with that log.

algismorales 0 Light Poster · Answer 18 · 2009-03-10T04:28:20+00:00

Hi Judy,
Cool. I'll go ahead and do that. With regards to the MBA-M scan, I followed your instructions carefully, removed selected, AND rebooted. Strange that the log hasn't showed you that. Anyhow, I'll go ahead and do it again and get back to you.
Thanks again,
Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 19 · 2009-03-10T04:50:04+00:00

jholland1964 650 Posting Expert

15 Years Ago

Good enough.

algismorales 0 Light Poster · Answer 20 · 2009-03-11T00:40:47+00:00

Hi jholland,

Okay, here we go again:

I emptied the Norton quarantine like you requested.
I updated and ran the MBA-M scan that you requested, removed selected, and rebooted when it was done.

Here is the MBA-M log:

Malwarebytes' Anti-Malware 1.34
Database version: 1831
Windows 5.1.2600 Service Pack 3

3/10/2009 1:29:29 PM
mbam-log-2009-03-10 (13-29-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148161
Time elapsed: 10 hour(s), 35 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\WINDOWS\system32\arwehdx.dll (Trojan.BHO.H) -> Delete on reboot.

Thank you again for your help and patience.

Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 21 · 2009-03-11T01:15:24+00:00

Of course reboot if you have not done so.
Then run HJT again and post the new log.

algismorales 0 Light Poster · Answer 22 · 2009-03-11T02:27:18+00:00

Yup, story of my life these past 10 days: Scan, reboot, post log, scan, reboot, post log, ad nauseam. Hahahaha...

I appreciate your help Judy, thank you so much!

Here is the new HJT log below, after rebooting the computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:42 PM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O20 - AppInit_DLLs: D:\WINDOWS\System32\dxtmsft32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5627 bytes

algismorales 0 Light Poster · Answer 23 · 2009-03-13T03:08:58+00:00

Hi jholland,
Thank you for your help all throughout the virus cleaning process.
I finished the scans you requested and the HiJackThis log is posted above.

Looking forward to hearing from you!

Algis

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 24 · 2009-03-13T03:26:06+00:00

Sorry Algis,
Please do this:
Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.

Open Notepad and copy/paste the text in the below code box into it

KillAll::
File::
d:\WINDOWS\system32\arwehdx.dll
D:\WINDOWS\system32\fxjjtlhq.dll

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced please post back with that log.

algismorales 0 Light Poster · Answer 25 · 2009-03-13T05:42:19+00:00

Hi Judy,
Alright, back in the game.

I followed the above procedure that you requested, and here below is the ComboFix log:

ComboFix 09-03-10.03 - Algis 2009-03-12 18:13:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.174 [GMT -5:00]
Running from: d:\documents and settings\Algis\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Algis\Desktop\CFscript.txt
* Created a new restore point

FILE ::
d:\windows\system32\arwehdx.dll
d:\windows\system32\fxjjtlhq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\arwehdx.dll . . . . failed to delete
d:\windows\system32\fxjjtlhq.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-07 14:04 . 2009-03-07 14:03 73,728 --a------ d:\windows\system32\javacpl.cpl
2009-03-06 17:25 . 2009-03-07 14:11 <DIR> d-------- d:\documents and settings\Algis\.housecall6.6
2009-03-06 09:55 . 2009-03-06 09:55 <DIR> d--hs---- D:\found.000
2009-03-04 17:11 . 2009-03-04 17:11 <DIR> d-------- d:\documents and settings\Algis\Application Data\uazmnfvl
2009-03-03 19:57 . 2008-08-14 05:11 2,189,184 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 19:57 . 2008-08-14 05:09 2,145,280 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 19:57 . 2008-10-15 11:34 337,408 -----c--- d:\windows\system32\dllcache\netapi32.dll
2009-03-03 19:56 . 2008-08-14 04:33 2,066,048 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 19:56 . 2008-08-14 04:33 2,023,936 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 19:55 . 2008-10-24 06:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 19:55 . 2008-12-11 05:57 333,952 -----c--- d:\windows\system32\dllcache\srv.sys
2009-03-03 15:36 . 2009-03-03 15:36 <DIR> d-------- d:\windows\system32\scripting
2009-03-03 15:36 . 2009-03-03 15:36 <DIR> d-------- d:\windows\l2schemas
2009-03-03 15:35 . 2009-03-03 15:35 <DIR> d-------- d:\windows\system32\en
2009-03-03 03:39 . 2009-03-03 13:06 <DIR> d-------- d:\program files\EsetOnlineScanner
2009-03-03 03:28 . 2009-03-03 03:28 <DIR> d-------- d:\windows\Mozilla
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-03-02 21:20 <DIR> d-------- d:\documents and settings\Algis\Application Data\Malwarebytes
2009-03-02 21:20 . 2009-02-11 10:19 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 21:20 . 2009-02-11 10:19 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-03-01 10:54 . 2009-03-01 10:54 <DIR> d-------- d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl
2009-02-15 17:44 . 2008-04-13 19:12 276,992 --------- d:\windows\system32\wmphoto.dll
2009-02-15 17:43 . 2008-04-13 19:12 712,704 --------- d:\windows\system32\windowscodecs.dll
2009-02-15 17:43 . 2008-04-13 19:12 346,112 --------- d:\windows\system32\windowscodecsext.dll
2009-02-15 17:43 . 2008-04-13 19:12 69,120 --------- d:\windows\system32\wlanapi.dll
2009-02-15 17:42 . 2008-04-13 19:12 53,248 --------- d:\windows\system32\tsgqec.dll
2009-02-15 17:42 . 2008-04-13 19:12 50,688 --------- d:\windows\system32\tspkg.dll
2009-02-15 17:41 . 2008-04-13 19:12 32,768 --------- d:\windows\system32\setupn.exe
2009-02-15 17:41 . 2008-04-13 13:40 10,240 --------- d:\windows\system32\drivers\sffp_mmc.sys
2009-02-15 17:40 . 2008-04-13 19:12 412,160 --------- d:\windows\system32\photometadatahandler.dll
2009-02-15 17:40 . 2008-04-13 19:12 291,328 --------- d:\windows\system32\qagentrt.dll
2009-02-15 17:40 . 2008-04-13 19:12 290,304 --------- d:\windows\system32\rhttpaa.dll
2009-02-15 17:40 . 2008-04-13 19:12 150,528 --------- d:\windows\system32\qagent.dll
2009-02-15 17:40 . 2008-04-13 19:12 76,800 --------- d:\windows\system32\qutil.dll
2009-02-15 17:40 . 2008-04-13 19:12 62,464 --------- d:\windows\system32\qcliprov.dll
2009-02-15 17:40 . 2008-04-13 19:12 61,952 --------- d:\windows\system32\rasqec.dll
2009-02-15 17:39 . 2008-04-13 19:12 144,384 --------- d:\windows\system32\onex.dll
2009-02-15 17:38 . 2008-09-09 20:14 1,307,648 --a------ d:\windows\system32\msxml6.dll
2009-02-15 17:38 . 2008-09-09 20:14 1,307,648 -----c--- d:\windows\system32\dllcache\msxml6.dll
2009-02-15 17:38 . 2008-04-13 19:12 193,024 --------- d:\windows\system32\napmontr.dll
2009-02-15 17:38 . 2008-04-13 19:12 176,640 --------- d:\windows\system32\napstat.exe
2009-02-15 17:38 . 2008-04-13 12:27 79,872 --------- d:\windows\system32\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 12:27 79,872 -----c--- d:\windows\system32\dllcache\msxml6r.dll
2009-02-15 17:38 . 2008-04-13 19:12 30,208 --------- d:\windows\system32\napipsec.dll
2009-02-15 17:37 . 2008-04-13 19:12 155,136 --------- d:\windows\system32\mssha.dll
2009-02-15 17:37 . 2008-04-13 13:14 76,800 --------- d:\windows\system32\msshavmsg.dll
2009-02-15 17:36 . 2008-04-13 19:11 397,312 --------- d:\windows\system32\mmcex.dll
2009-02-15 17:36 . 2008-04-13 19:11 184,320 --------- d:\windows\system32\microsoft.managementconsole.dll
2009-02-15 17:36 . 2008-04-13 19:11 106,496 --------- d:\windows\system32\mmcfxcommon.dll
2009-02-15 17:36 . 2008-04-13 19:12 33,792 --------- d:\windows\system32\mmcperf.exe
2009-02-15 17:34 . 2008-04-13 19:11 61,440 --------- d:\windows\system32\kmsvc.dll
2009-02-15 17:34 . 2008-04-13 19:11 37,376 --------- d:\windows\system32\l2gpstore.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdpash.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdnepr.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdiultn.dll
2009-02-15 17:34 . 2008-04-13 19:09 6,144 --------- d:\windows\system32\kbdbhc.dll
2009-02-15 17:33 . 2008-04-13 19:10 102,912 -----c--- d:\windows\system32\dllcache\dpcdll.dll
2009-02-15 17:33 . 2008-04-13 19:09 24,064 -----c--- d:\windows\system32\dllcache\pidgen.dll
2009-02-15 17:32 . 2007-06-21 00:52 974 --------- d:\windows\system32\pid.inf
2009-02-15 17:30 . 2008-04-13 11:36 144,384 --------- d:\windows\system32\drivers\hdaudbus.sys
2009-02-15 17:28 . 2008-04-13 19:11 59,392 --------- d:\windows\system32\eapqec.dll
2009-02-15 17:28 . 2008-04-13 19:11 40,960 --------- d:\windows\system32\eappprxy.dll
2009-02-15 17:28 . 2008-04-13 19:11 33,792 --------- d:\windows\system32\eapsvc.dll
2009-02-15 17:28 . 2006-12-28 14:01 19,569 --a------ d:\windows\005995_.tmp
2009-02-15 17:27 . 2008-04-13 19:11 650,752 --------- d:\windows\system32\dot3ui.dll
2009-02-15 17:27 . 2008-04-13 19:11 184,832 --------- d:\windows\system32\eapp3hst.dll
2009-02-15 17:27 . 2008-04-13 19:11 180,224 --------- d:\windows\system32\eapphost.dll
2009-02-15 17:27 . 2008-04-13 19:11 132,096 --------- d:\windows\system32\dot3svc.dll
2009-02-15 17:27 . 2008-04-13 19:11 126,976 --------- d:\windows\system32\eappcfg.dll
2009-02-15 17:27 . 2008-04-13 19:11 94,208 --------- d:\windows\system32\eappgnui.dll
2009-02-15 17:27 . 2008-04-13 19:11 57,856 --------- d:\windows\system32\dot3cfg.dll
2009-02-15 17:27 . 2008-04-13 19:11 56,320 --------- d:\windows\system32\dot3msm.dll
2009-02-15 17:27 . 2008-04-13 19:11 39,936 --------- d:\windows\system32\dot3gpclnt.dll
2009-02-15 17:27 . 2008-04-13 19:11 30,720 --------- d:\windows\system32\eapolqec.dll
2009-02-15 17:27 . 2008-04-13 19:11 26,112 --------- d:\windows\system32\dot3api.dll
2009-02-15 17:27 . 2008-04-13 19:11 9,216 --------- d:\windows\system32\dot3dlg.dll
2009-02-15 17:26 . 2008-04-13 19:11 48,640 --------- d:\windows\system32\dhcpqec.dll
2009-02-15 17:26 . 2008-04-13 19:11 39,936 --------- d:\windows\system32\dimsroam.dll
2009-02-15 17:26 . 2008-04-13 19:11 19,456 --------- d:\windows\system32\dimsntfy.dll
2009-02-15 17:26 . 2008-04-13 19:11 12,800 --------- d:\windows\system32\credssp.dll
2009-02-15 17:24 . 2008-04-13 19:11 233,472 --------- d:\windows\system32\azroles.dll
2009-02-15 17:24 . 2008-04-13 19:11 7,168 --------- d:\windows\system32\bitsprx4.dll
2009-02-15 17:23 . 2008-04-13 19:11 136,192 --------- d:\windows\system32\aaclient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 19:03 --------- d-----w d:\program files\Java
2009-03-04 01:35 --------- d-----w d:\program files\MSN Messenger
2009-03-03 01:52 --------- d-----w d:\documents and settings\Algis\Application Data\Lavasoft
2009-02-14 05:03 --------- d-----w d:\program files\LimeWire
2009-01-28 01:11 --------- d-----w d:\program files\Google
2007-09-21 08:33 4,944 -c--a-w d:\program files\hijackthis.log
2007-09-21 01:45 401,720 -c--a-w d:\program files\imabunny.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-05_10.56.38.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 20:59:28 290,816 ----a-w d:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28 495,616 ----a-w d:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w d:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w d:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-12-24 20:38:24 386,048 ----a-w d:\windows\Downloaded Program Files\Housecall_ActiveX.dll
- 2009-02-03 18:07:48 410,984 ----a-w d:\windows\system32\deploytk.dll
+ 2009-03-07 19:03:21 410,984 ----a-w d:\windows\system32\deploytk.dll
+ 2008-12-05 06:54:55 144,896 -c----w d:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w d:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w d:\windows\system32\dllcache\win32k.sys
- 2009-03-04 00:44:57 189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 13:56:41 189,792 ----a-w d:\windows\system32\FNTCACHE.DAT
- 2009-02-03 18:07:51 144,792 ----a-w d:\windows\system32\java.exe
+ 2009-03-07 19:03:23 144,792 ----a-w d:\windows\system32\java.exe
- 2009-02-03 18:07:51 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2009-03-07 19:03:23 144,792 ----a-w d:\windows\system32\javaw.exe
- 2009-02-03 18:07:51 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2009-03-07 19:03:23 148,888 ----a-w d:\windows\system32\javaws.exe
- 2008-04-14 00:12:05 144,384 ----a-w d:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w d:\windows\system32\schannel.dll
- 2007-11-30 12:39:22 17,272 ------w d:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w d:\windows\system32\spmsg.dll
- 2008-09-15 12:12:56 1,846,400 ----a-w d:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w d:\windows\system32\win32k.sys
+ 2009-03-12 23:24:38 16,384 ----atw d:\windows\temp\Perflib_Perfdata_678.dat
+ 2008-04-15 17:47:33 1,724,416 ----a-w d:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ADE9F68-2B65-4F0D-9B33-E070D1B5E128}]
2009-03-05 10:51 105472 --a------ d:\windows\system32\arwehdx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="d:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"PrinTray"="d:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"Ink Monitor"="d:\program files\EPSON\Ink Monitor\InkMonitor.exe" [2004-05-05 262210]
"EPSON Stylus C67 Series"="d:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE" [2005-01-24 98304]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"QuickTime Task"="D:\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\System32\dxtmsft32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\BugsSvr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57034:TCP"= 57034:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"15674:TCP"= 15674:TCP:@xpsp2res.dll,-22009
"13662:TCP"= 13662:TCP:@xpsp2res.dll,-22009
"47605:TCP"= 47605:TCP:@xpsp2res.dll,-22009
"52939:TCP"= 52939:TCP:@xpsp2res.dll,-22009

R3 mgau;mgau;d:\windows\system32\drivers\mgaum.sys [2005-01-23 320384]
R3 QCEmerald;Logitech QuickCam Web;d:\windows\system32\drivers\OVCE.sys [2005-01-23 31872]
S3 AvFlt;Antivirus Filter Driver;d:\windows\system32\drivers\av5flt.sys --> d:\windows\system32\drivers\av5flt.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> d:\docume~1\Algis\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - DefWatch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Norton AntiVirus Server
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
*Deregistered* - xuxsdlez
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
IE: E&xportar a Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} - hxxp://player.bugs.co.kr/install/BugsInstall.cab
DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} - hxxp://player.bugs.co.kr/install/BugsLoader20041018.cab
DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - hxxp://64.7.220.98/downloads/pi1_20.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 18:25:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
d:\windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\LexBceS.exe
d:\windows\system32\Lexpps.exe
d:\windows\system32\WgaTray.exe
d:\program files\NavNT\defwatch.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\NavNT\rtvscan.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\MSGSYS.EXE
d:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-12 18:37:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 23:36:22
ComboFix2.txt 2009-03-05 16:00:27
ComboFix3.txt 2007-09-21 08:14:40

Pre-Run: 7,679,094,784 bytes free
Post-Run: 7,929,954,304 bytes free

286 --- E O F --- 2009-03-11 03:49:23

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 26 · 2009-03-13T14:40:35+00:00

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

d:\windows\System32\dxtmsft32.dll

==

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

DirLook::

d:\documents and settings\Algis\Application Data\uazmnfvl



d:\documents and settings\NetworkService.NT AUTHORITY\Application Data\uazmnfvl

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

algismorales 0 Light Poster · Answer 27 · 2009-03-13T23:50:37+00:00

Crunchie, hi!
Good to see you again. You were nice enough in helping me a few years ago as well.

Crunchie, in the above instructions where you request going to Jotti's or Virustotal and scanning that file, do you want me to report back to you immediately after this step, or just run that and continue going through the whole procedure before getting back to you?

Thanks again and I'm glad you're doing well.

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 28 · 2009-03-14T01:33:13+00:00

Yeah, I'm still kickin' :).
Whatever is in my post needs to be done.