Virtumonde + Trojan.Win32 Yikes!



RCM913
2008-05-24, 23:08
Hi, I recently went to Kaspersky and scanned my computer (the report is below). It looks like I have a few viruses and am uncertain as to how to rid myself of them. Please help!

It looks like the two main viruses are:
*Trojan.Win32.Monder.gen
*not-a-virus:AdWare.Win32.Virtumonde.srh (is this just virtumonde?)

What does it mean that all the objects are locked? And on the Kaspersky scanner, what is the difference between the skull and the red X?

Thank you so much (in advance :) )


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 24, 2008 12:55:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799502
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 140828
Number of viruses found: 6
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 02:31:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy3.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_2ec.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\New Folder\eavil Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\Perflib_Perfdata_a3c.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF27E3.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temp\~DF309F.tmp Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\90JEURNV\query[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\INWF3SEW\kb516107[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\MMY64FGA\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\Documents and Settings\Ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080523-113320.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\RECYCLER\S-1-5-21-1078081533-1645522239-839522115-1004\Dc9 Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP62\A0033522.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srh skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP62\A0034576.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbs skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP62\A0034577.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP62\A0035527.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ryv skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP62\A0035528.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sta skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP65\A0037782.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP66\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
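Added example (editor's code, not part of the original post or of Kaspersky's tooling): a small triage parser for the report format above. It separates "Object is locked skipped" lines, which mean the scanner could not open a file that another process held open (registry hives, event logs, index.dat) and so skipped it without any detection, from "Infected:" lines, and groups the detections by family and by where on disk they sit (restore points, browser cache, recycle bin, or the live file system). The sample input is a constructed excerpt of a few lines from the report; the location categories and the family-name trimming are the example's own conventions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: a few lines in the shape of the Kaspersky Online Scanner 5.x
# report above (header, two locked objects, four detections, trailer).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Ryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryan\Desktop\New Folder\eavil Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\INWF3SEW\kb516107[1] Infected: Trojan.Win32.Monder.gen skipped
C:\RECYCLER\S-1-5-21-1078081533-1645522239-839522115-1004\Dc9 Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{9B432AA3-4A21-48C6-B1D8-D81E776006ED}\RP62\A0033522.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srh skipped

Scan process completed.
"""

# One report line is either "<path> Object is locked <action>" or "<path> Infected: <verdict> <action>".
# The path may contain spaces, so it is matched non-greedily up to the status keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|Infected:\s+(?P<det>\S+))\s+(?P<action>\S+)$"
)


@dataclass(frozen=True)
class ScanEntry:
    path: str
    locked: bool              # True: file was in use, scanner could not read it, nothing detected
    detection: Optional[str]  # Kaspersky verdict for infected entries, None for locked ones
    action: str               # what the scanner did ("skipped" everywhere in the online report)


def parse_report(text: str) -> List[ScanEntry]:
    """Keep only the per-object result lines; headers, statistics and the trailer are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(ScanEntry(m["path"], m["locked"] is not None, m["det"], m["action"]))
    return entries


def family(detection: str) -> str:
    """'not-a-virus:AdWare.Win32.Virtumonde.srh' -> 'AdWare.Win32.Virtumonde' (example's own trimming)."""
    name = detection.split(":", 1)[-1]        # drop the 'not-a-virus:' class prefix
    return ".".join(name.split(".")[:3])      # drop the variant suffix (.gen, .srh, .tbs, ...)


def locate(path: str) -> str:
    """Coarse location class; the categories are this example's own, not Kaspersky's."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"    # copies held in restore points; revived only by a rollback
    if "\\temporary internet files\\" in p:
        return "browser-cache"     # content cached by Internet Explorer
    if "\\recycler\\" in p:
        return "recycle-bin"
    return "live-filesystem"       # anything else: treat as potentially active


def summarize(entries: List[ScanEntry]) -> Dict[str, object]:
    families: Counter = Counter()
    by_location: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.locked:
            continue
        families[family(e.detection)] += 1
        by_location[locate(e.path)].append(e.path)
    return {
        "locked": sum(e.locked for e in entries),
        "infected": sum(not e.locked for e in entries),
        "families": dict(families),
        "by_location": dict(by_location),
    }


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run against the full report, the split tells a helper at a glance that every locked line is a Windows-owned file rather than a detection, and that most hits live in restore points and the IE cache, which is why the removal advice on these forums typically ends with purging System Restore and temporary files.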

Rorschach112
2008-05-24, 23:21
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Documents and Settings\Ryan\Desktop\New Folder\eavil
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Rorschach112
2008-05-29, 03:15
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

RCM913
2008-05-29, 09:26
The link to the previous thread is:

http://forums.spybot.info/showthread.php?p=194945#post194945


I downloaded the OTMoveIt program and the result log is as follows:

C:\Documents and Settings\Ryan\Desktop\New Folder\eavil moved successfully.
< purity >

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05282008_201506


Then I downloaded Combofix and ran the program. The log is as follows:

ComboFix 08-05-28.4 - Ryan 2008-05-28 21:37:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.344 [GMT -7:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8ff7a114.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\HhOprCfe.ini
C:\WINDOWS\system32\HhOprCfe.ini2
C:\WINDOWS\system32\nslemtgg.ini
C:\WINDOWS\system32\pflnoxja.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 20:15 . 2008-05-28 20:15 <DIR> d-------- C:\_OTMoveIt
2008-05-23 20:02 . 2008-05-23 20:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 20:02 . 2008-05-23 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\fadc1d5acee966a2d05c13
2008-05-22 20:19 . 2008-05-22 22:26 <DIR> d-------- C:\Temp\ListDLLS
2008-05-22 20:19 . 2008-05-22 20:19 <DIR> d-------- C:\Temp
2008-05-22 14:59 . 2008-05-22 15:34 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2008-05-20 22:26 . 2008-05-20 22:26 <DIR> d-------- C:\Program Files\3B Software
2008-05-19 21:55 . 2008-05-19 21:55 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\vlc
2008-05-19 21:54 . 2008-05-19 21:54 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-05-19 21:44 . 2008-05-19 21:44 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-19 20:51 . 2008-05-19 20:51 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\CyberLink
2008-05-19 20:48 . 2008-05-19 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-16 00:17 . 2008-05-16 00:18 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-16 00:17 . 2008-05-16 00:36 <DIR> d-------- C:\Program Files\AVSMedia
2008-05-16 00:09 . 2008-05-20 21:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-16 00:06 . 2008-05-16 00:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-16 00:06 . 2008-05-16 00:07 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-15 23:52 . 2008-05-15 23:52 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-15 16:06 . 2003-07-23 07:18 159,744 --a------ C:\WINDOWS\system32\CNDUK170.dll
2008-05-15 16:06 . 2003-07-24 12:45 81,920 --a------ C:\WINDOWS\system32\PSCLK170.dll
2008-05-15 16:06 . 2003-07-23 07:18 81,920 --a------ C:\WINDOWS\system32\CNDCK170.dll
2008-05-15 16:06 . 2003-07-23 09:27 40,960 --a------ C:\WINDOWS\system32\CNDNDlg.exe
2008-05-15 15:53 . 2008-05-15 15:53 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\ZoomBrowser EX
2008-05-15 15:24 . 2008-05-15 16:06 <DIR> d-------- C:\Program Files\Canon
2008-05-15 14:59 . 2008-05-15 15:25 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-05-14 09:29 . 2008-05-14 09:29 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-14 09:29 . 2008-05-14 09:29 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 05:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 05:16 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-20 04:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 04:32 --------- d-----w C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-05-14 07:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 00:03 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Skype
2008-05-11 23:03 --------- d-----w C:\Documents and Settings\Ryan\Application Data\skypePM
2008-04-30 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-30 19:00 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-26 01:39 --------- d-----w C:\Program Files\Apple Software Update
2008-04-20 04:24 --------- d-----w C:\Program Files\Netflix
2008-04-17 06:25 --------- d-----w C:\Program Files\Intuit
2008-04-17 06:25 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-04-17 06:25 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Intuit
2008-04-17 06:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-17 06:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-04-13 05:41 --------- d-----w C:\Program Files\DivX
2008-04-11 19:15 --------- d-----w C:\Program Files\Southwest Airlines
2008-04-11 19:15 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Southwest Airlines
2008-04-11 19:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 07:04 --------- d-----w C:\Program Files\ATI Technologies
2008-04-10 23:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-10 22:59 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-04-10 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-04-10 04:45 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Windows Desktop Search
2008-04-10 04:44 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-09 06:02 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-09 05:55 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-09 05:21 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-09 00:03 --------- d-----w C:\Program Files\Bonjour
2008-04-08 23:38 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-04-08 23:37 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-04-08 23:31 --------- d-----w C:\Program Files\viewsonic
2008-04-08 23:29 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Leadertech
2008-04-08 16:27 --------- d-----w C:\Documents and Settings\Ryan\Application Data\PC Tools
2008-04-08 05:16 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-08 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-07 22:01 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-06 19:48 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-06 19:46 --------- d-----w C:\Program Files\HP
2008-04-06 19:05 --------- d-----w C:\Program Files\Microsoft Works
2008-04-06 19:04 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-06 16:29 --------- d-----w C:\Program Files\Google
2008-04-06 07:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-06 07:03 --------- d-----w C:\Program Files\uTorrent
2008-04-06 06:41 --------- d-----w C:\Program Files\CA
2008-04-06 06:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-06 06:39 --------- d-----w C:\Program Files\Skype
2008-04-06 06:39 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-06 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-04-06 06:38 --------- d-----w C:\Program Files\QuickTime
2008-04-06 06:38 --------- d-----w C:\Program Files\iTunes
2008-04-06 06:38 --------- d-----w C:\Program Files\iPod
2008-04-06 06:38 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Apple Computer
2008-04-06 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-06 06:36 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-06 06:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-06 00:47 --------- d-----w C:\Program Files\CONEXANT
2008-04-06 00:42 --------- d-----w C:\Program Files\Realtek AC97
2008-04-05 23:47 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-05 23:40 --------- d-----w C:\Program Files\Gateway
2008-04-05 23:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-05 23:34 --------- d-----w C:\Program Files\Synaptics
2008-04-05 23:34 --------- d-----w C:\Program Files\AMD
2008-04-05 23:28 --------- d-----w C:\Documents and Settings\Ryan\Application Data\U3
2008-04-05 22:02 --------- d-----w C:\Program Files\microsoft frontpage
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 15:43 688218]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:42 230664]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 17:13 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 17:13 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 16:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 16:15 600896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 21:05 344064]
"BM8ff7a114"="C:\WINDOWS\system32\desvmkwf.dll" [ ]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 18:41:30 972064]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 DCamUSBSony4;Sony Visual Communication Camera;C:\WINDOWS\system32\DRIVERS\snyucam4.sys [2003-01-17 21:36]
R3 DCamUSBSonyA4;Sony USB Microphone;C:\WINDOWS\system32\drivers\snyuflt4.sys [2003-01-17 21:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad5e6deb-035f-11dd-9991-c4d95ac49160}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 05:59:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 22:20:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-28 22:22:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-29 05:22:23

Pre-Run: 50,142,089,216 bytes free
Post-Run: 50,115,727,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

211 --- E O F --- 2008-05-28 22:01:11

Is there more that I need to do? I am not sure of what else might be necessary or even really what these logs reveal. I'd really appreciate any assistance that you might be able to give me. Thanks!

-Ryan
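Added example (editor's code, not from the thread or from ComboFix): a parser for the "Reg Loading Points" section of the ComboFix log above, with three simple flags a reviewer applies when reading such a section. It marks Run values whose trailing bracket is empty ("[ ]", meaning ComboFix printed no timestamp or size for the target), values whose target is a bare .dll rather than an executable, and value names of the form BM followed by eight hex digits, the same name as the C:\WINDOWS\BM8ff7a114.xml file listed under "Other Deletions". The sample input is a constructed excerpt of a few lines from the log; the flags are the example's own heuristics, and the meaning attached to "[ ]" is an assumption about ComboFix's output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the shape of the 'Reg Loading Points' section of the ComboFix log above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44 98394]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"BM8ff7a114"="C:\WINDOWS\system32\desvmkwf.dll" [ ]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="target" [file info]; the bracket holds the timestamp/size ComboFix resolved, or is blank.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+\[(?P<info>[^\]]*)\]$')


@dataclass(frozen=True)
class RunEntry:
    key: str        # registry key the value lives under
    name: str       # value name
    target: str     # command / file the value points at
    file_info: str  # contents of the trailing [...], stripped; empty when ComboFix printed "[ ]"


def parse_loading_points(text: str) -> List[RunEntry]:
    entries: List[RunEntry] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            entries.append(RunEntry(key, vm["name"], vm["target"], vm["info"].strip()))
    return entries


def flags(entry: RunEntry) -> List[str]:
    """Heuristic review flags (this example's own, not ComboFix's)."""
    out = []
    if not entry.file_info:
        out.append("unresolved-file")   # "[ ]": no timestamp/size resolved for the target (assumption)
    if entry.target.lower().endswith(".dll"):
        out.append("dll-in-run-key")    # a Run value normally launches an .exe, not a bare DLL
    if re.fullmatch(r"BM[0-9a-f]{8}", entry.name):
        out.append("bm-hex-name")       # matches the BM<hex>.xml file name ComboFix deleted above
    return out


def suspicious(entries: List[RunEntry]) -> Dict[str, List[str]]:
    """Map value name -> flags, for entries that raised at least one flag."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        f = flags(e)
        if f:
            result[e.name] = f
    return result


if __name__ == "__main__":
    for name, f in suspicious(parse_loading_points(SAMPLE_REG)).items():
        print(f"{name}: {', '.join(f)}")
```

On the excerpt the Broadcom entry raises only the unresolved-file flag (a vendor tray tool whose path has no extension), while BM8ff7a114 raises all three, which is the combination a reviewer would pull out for a closer look before touching anything.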

Rorschach112
2008-05-29, 15:52
Please don't use large fonts


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
E:\LaunchU3.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad5e6deb-035f-11dd-9991-c4d95ac49160}]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.




Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Also post a new HijackThis log

RCM913
2008-05-30, 09:05
Sorry about the caps :)

So I followed the instructions you gave me. Here are the results:

Combofix Log:

ComboFix 08-05-28.4 - Ryan 2008-05-29 22:28:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.325 [GMT -7:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
E:\LaunchU3.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:15 . 2008-05-28 20:15 <DIR> d-------- C:\_OTMoveIt
2008-05-23 20:02 . 2008-05-23 20:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 20:02 . 2008-05-23 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 09:29 . 2008-05-23 09:29 <DIR> d-------- C:\fadc1d5acee966a2d05c13
2008-05-22 20:19 . 2008-05-22 22:26 <DIR> d-------- C:\Temp\ListDLLS
2008-05-22 20:19 . 2008-05-22 20:19 <DIR> d-------- C:\Temp
2008-05-22 14:59 . 2008-05-22 15:34 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2008-05-20 22:26 . 2008-05-20 22:26 <DIR> d-------- C:\Program Files\3B Software
2008-05-19 21:55 . 2008-05-19 21:55 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\vlc
2008-05-19 21:54 . 2008-05-19 21:54 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-05-19 21:44 . 2008-05-19 21:44 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-19 20:51 . 2008-05-19 20:51 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\CyberLink
2008-05-19 20:48 . 2008-05-19 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-16 00:17 . 2008-05-16 00:18 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-16 00:17 . 2008-05-16 00:36 <DIR> d-------- C:\Program Files\AVSMedia
2008-05-16 00:09 . 2008-05-20 21:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-16 00:06 . 2008-05-16 00:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-16 00:06 . 2008-05-16 00:07 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-15 23:52 . 2008-05-15 23:52 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-15 16:06 . 2003-07-23 07:18 159,744 --a------ C:\WINDOWS\system32\CNDUK170.dll
2008-05-15 16:06 . 2003-07-24 12:45 81,920 --a------ C:\WINDOWS\system32\PSCLK170.dll
2008-05-15 16:06 . 2003-07-23 07:18 81,920 --a------ C:\WINDOWS\system32\CNDCK170.dll
2008-05-15 16:06 . 2003-07-23 09:27 40,960 --a------ C:\WINDOWS\system32\CNDNDlg.exe
2008-05-15 15:53 . 2008-05-15 15:53 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\ZoomBrowser EX
2008-05-15 15:24 . 2008-05-15 16:06 <DIR> d-------- C:\Program Files\Canon
2008-05-15 14:59 . 2008-05-15 15:25 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-05-14 09:29 . 2008-05-14 09:29 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-14 09:29 . 2008-05-14 09:29 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-04-25 18:39 . 2008-04-25 18:39 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-19 21:24 . 2008-04-19 21:24 <DIR> d-------- C:\Program Files\Netflix
2008-04-16 23:25 . 2008-04-16 23:25 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-04-16 23:25 . 2008-04-16 23:25 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Intuit
2008-04-16 23:24 . 2006-04-12 10:11 1,933,312 --a------ C:\WINDOWS\system32\cdintf251.dll
2008-04-16 23:16 . 2008-04-30 12:00 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-16 23:15 . 2008-04-16 23:25 <DIR> d-------- C:\Program Files\Intuit
2008-04-16 23:15 . 2008-04-16 23:17 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-04-16 23:15 . 2008-04-30 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-16 23:13 . 2008-04-16 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-04-12 22:41 . 2008-04-12 22:41 <DIR> d-------- C:\Program Files\DivX
2008-04-11 12:15 . 2008-04-11 12:15 <DIR> d-------- C:\Program Files\Southwest Airlines
2008-04-11 12:15 . 2008-04-11 12:15 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Southwest Airlines
2008-04-11 12:14 . 2008-04-11 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-10 23:58 . 2008-04-11 00:04 <DIR> d-------- C:\Program Files\ATI Technologies
2008-04-10 23:51 . 2008-04-10 23:51 10 --a------ C:\WINDOWS\WININIT.INI
2008-04-10 23:46 . 2008-04-10 23:46 <DIR> d-------- C:\ATI
2008-04-10 19:25 . 2004-12-21 15:51 7,794 --a------ C:\WINDOWS\vp171b-2.cat
2008-04-10 19:25 . 2005-03-04 04:41 7,786 --a------ C:\WINDOWS\g90f-3.cat
2008-04-10 19:25 . 2005-03-03 03:36 7,782 --a------ C:\WINDOWS\q51-9.cat
2008-04-10 19:25 . 2004-12-20 10:38 1,224 --a------ C:\WINDOWS\VP171b-2.inf
2008-04-10 19:25 . 2005-03-01 15:43 1,204 --a------ C:\WINDOWS\Q51-9.inf
2008-04-10 19:25 . 2005-03-01 15:43 1,164 --a------ C:\WINDOWS\G90f-3.inf
2008-04-10 19:25 . 2004-09-16 05:18 512 --a------ C:\WINDOWS\VP171b-2.icm
2008-04-10 19:25 . 2004-11-04 00:00 512 --a------ C:\WINDOWS\Q51-9.icm
2008-04-10 19:25 . 2004-07-23 00:00 512 --a------ C:\WINDOWS\G90f-3.icm
2008-04-10 15:59 . 2008-04-10 15:59 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-04-10 15:56 . 2008-04-10 15:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-10 14:29 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-04-10 14:29 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-04-09 21:45 . 2008-04-09 21:45 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Windows Desktop Search
2008-04-09 21:44 . 2008-04-09 21:44 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-04-08 23:02 . 2008-04-08 23:02 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-04-08 22:55 . 2008-04-08 22:55 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-08 22:21 . 2008-05-11 16:03 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\skypePM
2008-04-08 22:21 . 2008-04-08 22:21 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-08 17:08 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-04-08 17:08 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-04-08 17:01 . 2008-04-08 17:01 <DIR> d-------- C:\WINDOWS\Drivers
2008-04-08 16:38 . 2008-04-08 16:38 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-08 16:37 . 2008-04-08 16:37 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-08 16:30 . 2008-04-08 16:30 <DIR> d-------- C:\Documents and Settings\Ryan\WINDOWS
2008-04-08 16:30 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-08 16:29 . 2008-04-08 16:29 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Leadertech
2008-04-08 16:26 . 2008-04-08 16:31 <DIR> d-------- C:\Program Files\viewsonic
2008-04-08 16:24 . 2008-04-10 21:19 101 --a------ C:\WINDOWS\VSWizard.ini
2008-04-08 09:27 . 2008-05-20 22:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-08 09:27 . 2008-04-08 09:27 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\PC Tools
2008-04-08 09:27 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-08 09:27 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-08 09:27 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-08 09:27 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-07 22:23 . 2008-05-28 22:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 22:16 . 2008-04-07 22:16 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-07 22:16 . 2008-04-07 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-07 22:09 . 2008-04-10 16:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-07 15:01 . 2008-04-07 15:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-06 14:12 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-04-06 14:12 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-04-06 14:12 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-06 14:12 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-04-06 14:12 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-06 14:12 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-04-06 14:12 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-06 14:12 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-06 14:12 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-06 14:12 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-06 14:11 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-06 14:11 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-06 12:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-06 12:58 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-06 12:58 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-06 12:48 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-04-06 12:48 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-04-06 12:48 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-04-06 12:48 . 2003-12-11 11:15 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2008-04-06 12:48 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-04-06 12:47 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-06 12:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-06 12:46 . 2008-04-06 12:46 <DIR> d-------- C:\Program Files\HP
2008-04-06 12:46 . 2008-04-06 12:48 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-06 12:46 . 2008-04-06 12:49 248,867 --a------ C:\WINDOWS\hpdj3840.his
2008-04-06 12:46 . 2008-04-06 12:49 10,475 --a------ C:\WINDOWS\hpdj3840.ini
2008-04-06 12:05 . 2008-04-06 12:05 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-06 12:04 . 2008-04-06 12:04 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-06 12:02 . 2008-04-06 12:03 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-06 12:02 . 2008-05-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-06 12:01 . 2008-04-06 12:01 <DIR> dr-h----- C:\MSOCache
2008-04-06 09:29 . 2008-04-06 09:29 <DIR> d-------- C:\Program Files\Google
2008-04-06 00:11 . 2008-04-06 00:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-06 00:05 . 2008-04-12 22:41 1,410 --a------ C:\WINDOWS\mozver.dat
2008-04-06 00:03 . 2008-04-06 00:03 <DIR> d-------- C:\Program Files\uTorrent
2008-04-06 00:03 . 2008-05-19 21:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-04-06 00:00 . 2008-05-23 11:04 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-04-05 23:54 . 2008-05-11 17:03 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Skype
2008-04-05 23:41 . 2008-04-05 23:41 <DIR> d-------- C:\Program Files\CA
2008-04-05 23:41 . 2008-04-05 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 23:47 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-05 22:02 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 15:43 688218]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25 177416]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:42 230664]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 17:13 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 17:13 49152]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 16:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 16:15 600896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 21:05 344064]
"BM8ff7a114"="C:\WINDOWS\system32\desvmkwf.dll" [ ]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 18:41:30 972064]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 DCamUSBSony4;Sony Visual Communication Camera;C:\WINDOWS\system32\DRIVERS\snyucam4.sys [2003-01-17 21:36]
R3 DCamUSBSonyA4;Sony USB Microphone;C:\WINDOWS\system32\drivers\snyuflt4.sys [2003-01-17 21:37]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 05:59:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 22:33:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 22:36:19
ComboFix-quarantined-files.txt 2008-05-30 05:35:06
ComboFix2.txt 2008-05-29 05:22:52

Pre-Run: 50,054,541,312 bytes free
Post-Run: 50,041,683,968 bytes free

217 --- E O F --- 2008-05-28 22:01:11


Malwarebytes Log:


Malwarebytes' Anti-Malware 1.13
Database version: 800

10:51:43 PM 5/29/2008
mbam-log-5-29-2008 (22-51-43).txt

Scan type: Quick Scan
Objects scanned: 35381
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{28f85800-2969-4966-8894-eda174875e71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM8ff7a114 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

So my last question now (if those logs look okay to you, that is) is that earlier on in my quest to rid the malware from my computer, I deleted a DLL file from my sys32 folder. This DLL file was a recognized trojan, and after I deleted it my internet browser started working again (the problem was that the malware prevented my browser from functioning). Now every time I start my computer there is an error that says I have a missing DLL file. Is there a way to get rid of this message? Is it a sign of a larger problem?

Thanks a lot.
RCM913
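
The "missing DLL" message asked about above is the usual result of deleting a malware file by hand while its registry loading point is left behind: at logon Windows still tries to load the path named in the Run value and finds nothing. ComboFix already makes this visible in the "Reg Loading Points" section, where the bracket after each value holds the target file's timestamp and size, and is left empty as "[ ]" when the file is not on disk. The following script is an added example (not code from the thread or from ComboFix) that parses Run entries in that format and lists the orphaned ones. The sample section is constructed from the style of the log above; the BM-name heuristic is an assumption for this example, based only on the BM8ff7a114 value that MBAM removed as Trojan.Agent in the log above.

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" layout used in the
# log above. The bracket after each path is empty ("[ ]") when ComboFix could
# not find the referenced file on disk.
SAMPLE_RUN_SECTION = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44 98394]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"BM8ff7a114"="C:\WINDOWS\system32\desvmkwf.dll" [ ]
"""

# One Run value: "name"="target" [metadata]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# A registry key header line: [HKEY_...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')

# Assumed heuristic for this example: value names of the form "BM" + 8 hex
# digits, as seen with BM8ff7a114 (removed by MBAM as Trojan.Agent above).
BM_NAME_RE = re.compile(r"^BM[0-9a-f]{8}$")


def parse_run_entries(text):
    """Parse Run values from a ComboFix-style section.

    Returns a list of dicts with the owning key, value name, target path and
    whether ComboFix recorded file metadata (i.e. the file existed).
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({
                "key": key,
                "name": m.group("name"),
                "target": m.group("target"),
                "found": m.group("meta").strip() != "",
            })
    return entries


def orphaned_entries(entries):
    """Entries whose target file was missing when ComboFix ran."""
    return [e for e in entries if not e["found"]]


def looks_like_bm_loader(entry):
    """True when the value name matches the assumed BM<hex> pattern and
    the target is a DLL; everything else is left for the analyst to judge."""
    return bool(BM_NAME_RE.match(entry["name"])) and \
        entry["target"].lower().endswith(".dll")


def report(text):
    """Human-readable lines for each orphaned Run value."""
    lines = []
    for e in orphaned_entries(parse_run_entries(text)):
        tag = "suspicious name" if looks_like_bm_loader(e) else "check manually"
        lines.append(f'{e["name"]} -> {e["target"]} (file missing; {tag})')
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RUN_SECTION):
        print(line)
```

Both orphaned values show up: the Broadcom tray entry is a harmless leftover from an uninstalled driver package, while the BM entry is the loading point for the DLL that was deleted by hand. Removing the dead Run value (which MBAM did, per the log above) is what stops the logon error; the empty bracket by itself is not proof of malware, which is why the script only flags the name pattern and leaves the rest for review.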

Rorschach112
2008-05-30, 14:42
What does the error say ?

Post a new HijackThis log

RCM913
2008-05-30, 19:38
I just restarted my computer again and the error message didn't come up any more. Thanks so much for the help. I really appreciate it. Have a good one.

RCM

Rorschach112
2008-05-30, 20:15
Post a new HijackThis log

Rorschach112
2008-06-04, 02:07
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.