padams3_98
2007-07-16, 19:28
AVG found a threat
Trojan horse Generic5.GUH
It can't fix it.
I ran combofix
"Pamela Adams" - 2007-07-16 8:57:14 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))
2007-07-16 08:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 07:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-16 07:05 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-16 07:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-04 22:02 <DIR> d-------- C:\Program Files\MSECache
2007-07-03 08:51 <DIR> d-------- C:\DOCUME~1\PAMELA~1\APPLIC~1\Real
2007-07-02 05:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-02 04:19 <DIR> d-------- C:\DOCUME~1\PAMELA~1\APPLIC~1\Talkback
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-07 09:04:03 -------- d-----w C:\Program Files\Google
2007-07-07 08:47:07 2,756 ----a-w C:\WINDOWS\mozver.dat
2007-07-07 08:37:32 -------- d-----w C:\Program Files\Common Files\Scanner
2007-07-02 12:19:51 -------- d-----w C:\Program Files\Common Files\Real
2007-05-28 09:53:52 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-12-27 02:04:16 87,608 ----a-w C:\DOCUME~1\PAMELA~1\APPLIC~1\ezpinst.exe
2006-12-27 02:04:16 47,360 ----a-w C:\DOCUME~1\PAMELA~1\APPLIC~1\pcouffin.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 08:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 01:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-30 23:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 13:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
2007-01-02 14:49 5157944 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 00:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-08-15 14:37 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-08-15 14:28 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-08-15 13:56 C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 14:15]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-15 14:25 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2006-08-15 14:21 C:\WINDOWS\Alcmtr.exe]
"farstone"="" []
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.exe" [2005-02-03 19:18]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-02-19 11:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 04:02]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 21:46]
"HostManager"="C:\Program Files\Common Files\AOL\1172093860\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-21 14:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 00:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-02 05:18]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-09-16 11:05]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 14:45]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-12-22 14:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 19:49]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 17:34]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 03:17]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-01-02 14:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 09:00:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-16 9:01:45
--- E O F ---
help
Trojan horse Generic5.GUH
It can't fix it.
I ran combofix
"Pamela Adams" - 2007-07-16 8:57:14 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))
2007-07-16 08:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 07:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-16 07:05 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-16 07:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-04 22:02 <DIR> d-------- C:\Program Files\MSECache
2007-07-03 08:51 <DIR> d-------- C:\DOCUME~1\PAMELA~1\APPLIC~1\Real
2007-07-02 05:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-02 04:19 <DIR> d-------- C:\DOCUME~1\PAMELA~1\APPLIC~1\Talkback
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-07 09:04:03 -------- d-----w C:\Program Files\Google
2007-07-07 08:47:07 2,756 ----a-w C:\WINDOWS\mozver.dat
2007-07-07 08:37:32 -------- d-----w C:\Program Files\Common Files\Scanner
2007-07-02 12:19:51 -------- d-----w C:\Program Files\Common Files\Real
2007-05-28 09:53:52 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-12-27 02:04:16 87,608 ----a-w C:\DOCUME~1\PAMELA~1\APPLIC~1\ezpinst.exe
2006-12-27 02:04:16 47,360 ----a-w C:\DOCUME~1\PAMELA~1\APPLIC~1\pcouffin.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 08:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 01:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-30 23:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 13:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
2007-01-02 14:49 5157944 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 00:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-08-15 14:37 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-08-15 14:28 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-08-15 13:56 C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-15 14:15]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-15 14:25 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2006-08-15 14:21 C:\WINDOWS\Alcmtr.exe]
"farstone"="" []
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.exe" [2005-02-03 19:18]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-02-19 11:33]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 04:02]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 21:46]
"HostManager"="C:\Program Files\Common Files\AOL\1172093860\ee\AOLSoftware.exe" [2006-09-25 17:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 05:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-21 14:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 00:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-02 05:18]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-09-16 11:05]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 14:45]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-12-22 14:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 19:49]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 17:34]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 03:17]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-01-02 14:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 09:00:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-16 9:01:45
--- E O F ---
help