Command Service and Virtumonde

C

Capital12

New member
can't get rid of command service and virtumonde infections. Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:54 AM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
C:\WINDOWS\VXNlcg\command.exe
C:\pdirect\bin\foodtecappserver.exe
c:\oracle\bin\oracle.exe
c:\oracle\bin\tnslsnr.exe
C:\NtResKit\SrvAny.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\r_server.exe
C:\ntreskit\TimeServ.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\838082878387868.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtst.exe
O1 - Hosts: 205.1.1.1 DBSERVER
O1 - Hosts: 205.1.1.2 TERM_A
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [FBF8FAFFFBFFFE060] 838082878387868.exe
O4 - HKLM\..\Run: [5c9d790d] rundll32.exe "C:\WINDOWS\system32\tfxtecpx.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4203] command /c del "C:\WINDOWS\system32\awtst.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2363] cmd /c del "C:\WINDOWS\system32\awtst.dll_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKUS\S-1-5-21-2821431653-2996998366-2724477760-1007\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-2821431653-2996998366-2724477760-1007\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}"" (User 'LogMeInRemoteUser')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A752C58-F30D-4CC8-ABCE-5DDA2856F45C}: NameServer = 205.1.1.100,167.206.3.137,167.206.3.136,167.206.3.203
O23 - Service: AspenTouch Service - Aspen Touch Solutions, Inc. - C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: FoodTec App (FoodTecApp) - Unknown owner - C:\pdirect\bin\foodtecapp (file missing)
O23 - Service: FoodTec AppServer (FoodTecAppServer) - Unknown owner - C:\pdirect\bin\foodtecappserver (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Oracle Service (OracleServiceXE) - Oracle Corporation - c:\oracle\bin\oracle.exe
O23 - Service: Oracle Listener (OracleXETNSListener) - Unknown owner - c:\oracle\bin\tnslsnr.exe
O23 - Service: PCCharge - Unknown owner - C:\NtResKit\SrvAny.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\ntreskit\TimeServ (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 5648 bytes
 
KASPERSKY ONLINE SCANNER REPORT
Monday, February 11, 2008 1:59:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/02/2008
Kaspersky Anti-Virus database records: 556232
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 65733
Number of viruses found: 34
Number of infected objects: 285
Number of suspicious objects: 2
Duration of the scan process: 02:21:06

Infected Object Name / Virus Name / Last Action
C:\db\pdir\bdump\xe_arc1_2240.trc Object is locked skipped
C:\db\pdir\CTL1.CTL Object is locked skipped
C:\db\pdir\CTL2.CTL Object is locked skipped
C:\db\pdir\INDEX1.DBF Object is locked skipped
C:\db\pdir\LOG1.LOG Object is locked skipped
C:\db\pdir\LOG2.LOG Object is locked skipped
C:\db\pdir\LOG3.LOG Object is locked skipped
C:\db\pdir\SYSAUX.DBF Object is locked skipped
C:\db\pdir\SYSTEM.DBF Object is locked skipped
C:\db\pdir\TEMP.DBF Object is locked skipped
C:\db\pdir\UNDO.DBF Object is locked skipped
C:\db\pdir\USR1.DBF Object is locked skipped
C:\db\pdir\USR2.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX101.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX107.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX10E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX114.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX11B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX121.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX123.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX126.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX128.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX12E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX135.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX13B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX142.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX148.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX14F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX155.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX15C.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX162.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX169.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX16F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX176.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX17C.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX183.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX189.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX190.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX196.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX19D.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1A3.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1AA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1B0.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1B7.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1BD.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1C4.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1CA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1D1.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1D7.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1DE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1E4.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1EB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1F1.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX1FB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCX201.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXA3.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXA6.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXA8.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXAC.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXB3.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXB9.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXC0.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXC6.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXCD.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXD3.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXDA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXE0.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXE7.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXED.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXF4.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\RCXFA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\2VIJ6X6V\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8FMB4D8R\4db3e14be68297b54dc897edcc80680f[1].zip/b147.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8FMB4D8R\4db3e14be68297b54dc897edcc80680f[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8FMB4D8R\8154ff2675af1b6e0677560871425153[1].zip/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8FMB4D8R\8154ff2675af1b6e0677560871425153[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\8FMB4D8R\wtrec.prod.v10006.11dec2007.exe[1].c516a643c558a4d4daa4efafd47eff15 Infected: Trojan-Downloader.Win32.Agent.hcm skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\AHS769M1\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\26453da423d82a5fc6fae941d05f1151[1].zip/b116.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\26453da423d82a5fc6fae941d05f1151[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\718f466754402ac597de014577627f96[1].zip/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\718f466754402ac597de014577627f96[1].zip/b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\718f466754402ac597de014577627f96[1].zip/b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\718f466754402ac597de014577627f96[1].zip/b104.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\E5CJY9GT\718f466754402ac597de014577627f96[1].zip ZIP: infected - 4 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\KX05EV4X\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QFGLY9E9\c1f5cc94a30f082054f3a00e6655462d[1].zip/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\QFGLY9E9\c1f5cc94a30f082054f3a00e6655462d[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\S1KFON8J\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZE981C3\!update-4495[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZE981C3\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZE981C3\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZE981C3\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZE981C3\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\UZE981C3\wintouch.prod.v10015.11dec2007.exe[1].4ccc08fb3ce7ead370a0f9da32f020e7 Infected: Trojan-Downloader.Win32.Agent.hcn skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMP91.tmp Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMP96.tmp Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMP99.tmp Infected: Trojan-Downloader.Win32.Agent.hcn skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPA0.tmp Infected: Trojan-Downloader.Win32.Agent.hcm skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPA3.tmp Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPA4.tmp Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPA7.tmp Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPA9.tmp Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\TMPAD.tmp Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\UE.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gr skipped
 
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\aknyujff.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\bdfixvgp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\dcyexpnb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\ofthpanv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\qconncfh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\RCXAB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\rmtdwefo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\Temporary Internet Files\Content.IE5\F1VN0502\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\Temporary Internet Files\Content.IE5\F1VN0502\hctp[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\Temporary Internet Files\Content.IE5\F1VN0502\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\Temporary Internet Files\Content.IE5\HQSPGX3Q\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\xuupvvxp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER\Local Settings\Temp\yhuqebrb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Administrator.DBSERVER.000\Local Settings\Temp\RCX180.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER.000\Local Settings\Temp\RCX184.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER.000\Local Settings\Temp\RCX188.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER.000\Local Settings\Temp\RCX18C.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER.000\Local Settings\Temp\RCX190.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\History\History.IE5\MSHist012008021020080211\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temp\hsperfdata_Administrator\312 Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temp\RCX18B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temp\~DF9AA6.tmp Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.DBSERVER.001\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/MTE3MTk6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LogMeInRemoteUser\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\User\Local Settings\Temp\ismtpa9.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\Documents and Settings\User\Local Settings\Temp\ismtpa9.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\Documents and Settings\User\Local Settings\Temp\ismtpa9.exe NSIS: infected - 2 skipped
C:\Documents and Settings\User\Local Settings\Temp\RCX10E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCX114.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCX16A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCX9.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCX9A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCX9F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCXA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCXA2.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCXAA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCXAF.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCXB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\RCXD.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\User\Local Settings\Temp\TMP108.tmp Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\Documents and Settings\User\Local Settings\Temp\TMP10B.tmp Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\Documents and Settings\User\Local Settings\Temp\TMP111.tmp Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\User\Local Settings\Temp\TMP4.tmp Infected: Trojan-Downloader.Win32.PurityScan.fn skipped
C:\Documents and Settings\User\Local Settings\Temp\TMPA.tmp Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\8RX5HLTT\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\8RX5HLTT\ptch[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\QLVC5C36\CA5TOPS9 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RHNLS83H\!update-4495[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RMCR31GT\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\RMCR31GT\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\T0SVQ6AV\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TZUAD5B5\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TZUAD5B5\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\DRIVERS\Radmin_2.1\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\DRIVERS\Radmin_2.1\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\DRIVERS\Radmin_2.1\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\DRIVERS\Radmin_2.1\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\DRIVERS\Radmin_2.1\RADMIN21.EXE Gentee: infected - 4 skipped
C:\DRIVERS\RemoteAdmin\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\DRIVERS\RemoteAdmin\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\DRIVERS\RemoteAdmin\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\DRIVERS\RemoteAdmin\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\DRIVERS\RemoteAdmin\RADMIN21.EXE Gentee: infected - 4 skipped
C:\ntreskit\PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\ntreskit\PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\oracle\database\hc_xe.dat Object is locked skipped
C:\oracle\NETWORK\log\listener.log Object is locked skipped
C:\pdirect_5.3.95\full\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\pdirect_5.3.95\full\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\full\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\full\reskit_tar.gz GZIP: infected - 3 skipped
C:\pdirect_5.3.95\java\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\pdirect_5.3.95\java\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\java\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\java\reskit_tar.gz GZIP: infected - 3 skipped
C:\pdirect_5.3.95\normal\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\pdirect_5.3.95\normal\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\normal\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\normal\reskit_tar.gz GZIP: infected - 3 skipped
C:\pdirect_5.3.95\small\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\pdirect_5.3.95\small\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\small\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_5.3.95\small\reskit_tar.gz GZIP: infected - 3 skipped
C:\pdirect_6.0.38\full\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\pdirect_6.0.38\full\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_6.0.38\full\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\pdirect_6.0.38\full\reskit_tar.gz GZIP: infected - 3 skipped
C:\Program Files\Active-Charge\CrReader.PCC Object is locked skipped
C:\Program Files\Active-Charge\ISDNCFG.PCC Object is locked skipped
C:\Program Files\Common Files\qwur\qwura.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Program Files\Common Files\qwur\qwurl.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Program Files\Common Files\qwur\qwurm .exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Program Files\Common Files\qwur\qwurm.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Common Files\qwur\qwurp.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\Dot1XCfg\Dot1XCfg .exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\Program Files\Dot1XCfg\Dot1XCfg.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\LogMeIn\x86\update\4-00-680.bak\x86\LogMeInSystray.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Temporary\kernInst.exe Infected: Trojan.Win32.Agent.edq skipped
C:\release\pdirect\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\release\pdirect\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect\reskit_tar.gz GZIP: infected - 3 skipped
C:\release\pdirect_6.0.45\normal\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\release\pdirect_6.0.45\normal\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.0.45\normal\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.0.45\normal\reskit_tar.gz GZIP: infected - 3 skipped
C:\release\pdirect_6.5.0\normal\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\release\pdirect_6.5.0\normal\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.0\normal\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.0\normal\reskit_tar.gz GZIP: infected - 3 skipped
C:\release\pdirect_6.5.10\java\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\release\pdirect_6.5.10\java\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.10\java\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.10\java\reskit_tar.gz GZIP: infected - 3 skipped
C:\release\pdirect_6.5.11\normal\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\release\pdirect_6.5.11\normal\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.11\normal\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.11\normal\reskit_tar.gz GZIP: infected - 3 skipped
C:\release\pdirect_6.5.5\normal\reskit_tar.gz/packed/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\release\pdirect_6.5.5\normal\reskit_tar.gz/packed/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.5\normal\reskit_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\release\pdirect_6.5.5\normal\reskit_tar.gz GZIP: infected - 3 skipped
C:\run\appserver\log.txt Object is locked skipped
C:\stage\release\pdirect_6.5.26\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\stage\release\pdirect_6.5.26\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.5.26\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.5.26\normal_tar.gz/packed/normal/reskit_tar.gz Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.5.26\normal_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.5.26\normal_tar.gz GZIP: infected - 5 skipped
C:\stage\release\pdirect_6.6.15\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\stage\release\pdirect_6.6.15\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.15\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.15\normal_tar.gz/packed/normal/reskit_tar.gz Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.15\normal_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.15\normal_tar.gz GZIP: infected - 5 skipped
C:\stage\release\pdirect_6.6.22\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\stage\release\pdirect_6.6.22\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.22\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.22\normal_tar.gz/packed/normal/reskit_tar.gz Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.22\normal_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.22\normal_tar.gz GZIP: infected - 5 skipped
 
C:\stage\release\pdirect_6.6.25\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\stage\release\pdirect_6.6.25\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar/NtResKit/PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.25\normal_tar.gz/packed/normal/reskit_tar.gz/reskit_tar Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.25\normal_tar.gz/packed/normal/reskit_tar.gz Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.25\normal_tar.gz/packed Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\stage\release\pdirect_6.6.25\normal_tar.gz GZIP: infected - 5 skipped
C:\tmp\NtResKit\PsExec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.153 skipped
C:\tmp\NtResKit\PsShutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232 skipped
C:\WINDOWS\b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\b116.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\WINDOWS\b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\b147.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu72.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\mrofinu72.exe.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\838082878387868.exe Infected: Trojan-Downloader.Win32.VB.chy skipped
C:\WINDOWS\system32\awtst.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\awtst.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dqrfueed.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\dxxmqjkk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ghnzkc.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\WINDOWS\system32\ghpqxelp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iyagnmbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\L50B4.tmp/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\system32\L50B4.tmp NSIS: infected - 1 skipped
C:\WINDOWS\system32\laeaecld.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\mjoakxep.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nvokgtmw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\owlrgevr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pjbynbhv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\psvjuhuv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\RCX10.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCX191.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCX94.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXA.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXA3.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXA8.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXB0.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXC.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXD.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXE.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\RCXF.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\rdmclomq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\WINDOWS\system32\tfxtecpx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wcgiupcg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xmrhxygt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ynrqeuao.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\yswrwdpr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Temp\JET67.tmp Object is locked skipped
C:\WINDOWS\Temp\RMSA6.tmp Object is locked skipped
C:\WINDOWS\Temp\RMSA7.tmp Object is locked skipped
C:\WINDOWS\Temp\~DF20CC.tmp Object is locked skipped
C:\WINDOWS\VXNlcg\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\VXNlcg\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Аdobe\arpa .exe Infected: Trojan-Downloader.Win32.PurityScan.fn skipped
C:\WINDOWS\Аdobe\arpa.exe Infected: Virus.Win32.Trats.d skipped

Scan process completed.
 
Hi Capital12

Rename HijackThis.exe to Capital12.exe and post back a fresh HijackThis log, please :)
 
Thank you for the response Shaba, Here is the logfile as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:15 AM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
C:\WINDOWS\VXNlcg\command.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
c:\oracle\bin\oracle.exe
c:\oracle\bin\tnslsnr.exe
C:\NtResKit\SrvAny.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\r_server.exe
C:\ntreskit\TimeServ.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\838082878387868.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\pdirect\bin\foodtecappserver.exe
C:\pdirect\bin\foodtecapp.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Capital12.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtst.exe
O1 - Hosts: 205.1.1.1 DBSERVER
O1 - Hosts: 205.1.1.2 TERM_A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {173EEACC-5B22-5FFF-0461-2800BFB98F9B} - C:\WINDOWS\system32\ghnzkc.dll
O2 - BHO: {05836987-1891-939b-b0f4-2940ec018432} - {234810ce-0492-4f0b-b939-198178963850} - C:\WINDOWS\system32\dbxlyhli.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CD971A0D-1B0E-4053-A1DC-0651A5B2E648} - C:\WINDOWS\system32\awtst.dll
O2 - BHO: (no name) - {EB8286AA-49F7-4534-B9BA-25F4020E28A8} - (no file)
O4 - HKCU\..\Run: [5c9d790d] rundll32.exe "C:\WINDOWS\system32\ujshkodu.dll",b
O4 - HKUS\S-1-5-21-2821431653-2996998366-2724477760-1007\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'LogMeInRemoteUser')
O4 - HKUS\S-1-5-21-2821431653-2996998366-2724477760-1007\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}"" (User 'LogMeInRemoteUser')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A752C58-F30D-4CC8-ABCE-5DDA2856F45C}: NameServer = 205.1.1.100,167.206.3.137,167.206.3.136,167.206.3.203
O23 - Service: AspenTouch Service - Aspen Touch Solutions, Inc. - C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: FoodTec App (FoodTecApp) - Unknown owner - C:\pdirect\bin\foodtecapp (file missing)
O23 - Service: FoodTec AppServer (FoodTecAppServer) - Unknown owner - C:\pdirect\bin\foodtecappserver (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Oracle Service (OracleServiceXE) - Oracle Corporation - c:\oracle\bin\oracle.exe
O23 - Service: Oracle Listener (OracleXETNSListener) - Unknown owner - c:\oracle\bin\tnslsnr.exe
O23 - Service: PCCharge - Unknown owner - C:\NtResKit\SrvAny.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\ntreskit\TimeServ (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 5744 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
Hi Shaba, After reboot, i get a windows error popup saying "cannot find c:\windows\system32\awtst.exe. i click ok.... then get the same thing saying for desktop. is this something to be concerned about?

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:24 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
c:\oracle\bin\oracle.exe
c:\oracle\bin\tnslsnr.exe
C:\NtResKit\SrvAny.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Capital12.exe

O1 - Hosts: 205.1.1.1 DBSERVER
O1 - Hosts: 205.1.1.2 TERM_A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [FBF8FAFFFBFFFE060] 838082878387868.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A752C58-F30D-4CC8-ABCE-5DDA2856F45C}: NameServer = 205.1.1.100,167.206.3.137,167.206.3.136,167.206.3.203
O23 - Service: AspenTouch Service - Aspen Touch Solutions, Inc. - C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
O23 - Service: FoodTec App (FoodTecApp) - Unknown owner - C:\pdirect\bin\foodtecapp (file missing)
O23 - Service: FoodTec AppServer (FoodTecAppServer) - Unknown owner - C:\pdirect\bin\foodtecappserver (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Oracle Service (OracleServiceXE) - Oracle Corporation - c:\oracle\bin\oracle.exe
O23 - Service: Oracle Listener (OracleXETNSListener) - Unknown owner - c:\oracle\bin\tnslsnr.exe
O23 - Service: PCCharge - Unknown owner - C:\NtResKit\SrvAny.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\ntreskit\TimeServ (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 4407 bytes
 
ComboFix 08-02-14.2 - Administrator 2008-02-16 1:20:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.514 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.DBSERVER.001\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\User\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\User\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\User\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Common Files\qwur
C:\Program Files\Common Files\qwur\qwura.exe
C:\Program Files\Common Files\qwur\qwura.lck
C:\Program Files\Common Files\qwur\qwurd\class-barrel
C:\Program Files\Common Files\qwur\qwurd\qwurc.dll
C:\Program Files\Common Files\qwur\qwurd\vocabulary
C:\Program Files\Common Files\qwur\qwurh
C:\Program Files\Common Files\qwur\qwurl.exe
C:\Program Files\Common Files\qwur\qwurl.lck
C:\Program Files\Common Files\qwur\qwurm .exe
C:\Program Files\Common Files\qwur\qwurm.exe
C:\Program Files\Common Files\qwur\qwurm.lck
C:\Program Files\Common Files\qwur\qwurp.exe
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\scurit~1\?xplorer.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\?dobe\
C:\WINDOWS\dobe~1\arpa .exe
C:\WINDOWS\dobe~1\arpa.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\qwur
C:\WINDOWS\qwur\qwur.dat
C:\WINDOWS\qwur\wu
C:\WINDOWS\smante~1
C:\WINDOWS\system32\838082878387868.exe
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtst.exe
C:\WINDOWS\system32\cbmngayi.ini
C:\WINDOWS\system32\ckwobidw.ini
C:\WINDOWS\system32\dbxlyhli.dll
C:\WINDOWS\system32\dlceaeal.ini
C:\WINDOWS\system32\dqrfueed.dll
C:\WINDOWS\system32\dxxmqjkk.dll
C:\WINDOWS\system32\galdkvtf.dll
C:\WINDOWS\system32\ghnzkc.dll
C:\WINDOWS\system32\ghpqxelp.dll
C:\WINDOWS\system32\gqppsjva.dll
C:\WINDOWS\system32\iyagnmbc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjoakxep.dll
C:\WINDOWS\system32\mpthvbht.dll
C:\WINDOWS\system32\nhcsbtmx.ini
C:\WINDOWS\system32\nvokgtmw.dll
C:\WINDOWS\system32\owlrgevr.dll
C:\WINDOWS\system32\oxpkywqv.dll
C:\WINDOWS\system32\pexkaojm.ini
C:\WINDOWS\system32\phsmryvw.dll
C:\WINDOWS\system32\pjbynbhv.dll
C:\WINDOWS\system32\plexqphg.ini
C:\WINDOWS\system32\qidxkwiw.dll
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX94.tmp
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\RCXA3.tmp
C:\WINDOWS\system32\RCXA8.tmp
C:\WINDOWS\system32\RCXB0.tmp
C:\WINDOWS\system32\RCXC.tmp
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\rdmclomq.dll
C:\WINDOWS\system32\rvegrlwo.ini
C:\WINDOWS\system32\tfxtecpx.dll
C:\WINDOWS\system32\tgyxhrmx.ini
C:\WINDOWS\system32\thbvhtpm.ini
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\udokhsju.ini
C:\WINDOWS\system32\uidxwdua.dll
C:\WINDOWS\system32\ujshkodu.dll
C:\WINDOWS\system32\vdugoagu.dll
C:\WINDOWS\system32\vuhujvsp.ini
C:\WINDOWS\system32\wcgiupcg.dll
C:\WINDOWS\system32\wdibowkc.dll
C:\WINDOWS\system32\wvyrmshp.ini
C:\WINDOWS\system32\xmrhxygt.dll
C:\WINDOWS\system32\xmtbschn.dll
C:\WINDOWS\system32\xoosmxvy.dll
C:\WINDOWS\system32\xpcetxft.ini
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ynrqeuao.dll
C:\WINDOWS\system32\yswrwdpr.dll
C:\WINDOWS\VXNlcg\
C:\WINDOWS\VXNlcg\\asappsrv.dll
C:\WINDOWS\VXNlcg\\command.exe
C:\WINDOWS\VXNlcg\\prh5w0.vbs
C:\WINDOWS\VXNlcg\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService








((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-16 00:26 . 2008-02-16 00:26 388,608 --a------ C:\WINDOWS\system32\kmd .exe
2008-02-14 23:05 . 2008-02-16 00:14 6,112 --a------ C:\WINDOWS\BM5fae4a91.xml
2008-02-14 23:05 . 2008-02-16 00:33 21 --a------ C:\WINDOWS\pskt.ini
2008-02-13 22:54 . 2008-02-13 22:54 340,992 --a------ C:\WINDOWS\system32\RCX11F.tmp
2008-02-10 19:41 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\ThinkVantage
2008-02-10 19:41 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\Symantec
2008-02-10 19:41 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\IBM
2008-02-10 10:30 . 2008-02-10 10:30 340,992 --a------ C:\WINDOWS\system32\RCX191.tmp
2008-02-10 09:09 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\ThinkVantage
2008-02-10 09:09 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\Symantec
2008-02-10 09:09 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\IBM
2008-02-09 22:54 . 2008-02-09 22:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 21:34 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\ThinkVantage
2008-02-06 21:34 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\Symantec
2008-02-06 21:34 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\IBM
2008-02-05 23:52 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-05 22:49 . 2008-02-13 22:53 1,416 --a------ C:\WINDOWS\wininit.ini
2008-02-05 21:49 . 2008-02-16 00:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 21:49 . 2008-02-05 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 16:23 . 2008-02-05 16:23 90,688 --a------ C:\WINDOWS\system32\laeaecld.dll
2008-02-05 16:20 . 2008-02-05 16:20 90,688 --a------ C:\WINDOWS\system32\psvjuhuv.dll
2008-02-05 04:54 . 2008-02-05 04:54 <DIR> d-------- C:\WINDOWS\system32\949193989498979
2008-02-03 16:12 . 2008-02-16 00:37 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-03 16:08 . 2008-02-05 23:57 378,880 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-02-03 16:08 . 2008-02-03 16:08 270,698 --a------ C:\WINDOWS\system32\L6814.tmp
2008-02-03 16:08 . 2008-02-03 16:08 181,965 --a------ C:\WINDOWS\system32\L50B4.tmp
2008-01-29 21:58 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\ThinkVantage
2008-01-29 21:58 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Symantec
2008-01-29 21:58 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\IBM
2008-01-29 21:43 . 2008-02-16 00:07 <DIR> d-------- C:\Program Files\LogMeIn
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-01-29 21:43 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-01-29 21:43 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-01-29 21:43 . 2008-01-29 21:43 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 06:14 --------- d-----w C:\Program Files\Active-Charge
2007-10-05 18:48 0 ----a-w C:\Documents and Settings\Administrator\GoToAssist_phone__317_en.exe
2006-07-26 03:13 50,036 ----a-r C:\WINDOWS\inf\DS2490.sys
2003-06-19 16:05 286,773 ----a-w C:\Program Files\msvcrt.dll
2003-06-19 16:05 1,015,859 ----a-w C:\Program Files\mfc42.dll
1998-05-15 05:00 73,184 ----a-w C:\Program Files\Common Files\dao2535.tlb
1998-04-27 05:00 570,128 ----a-w C:\Program Files\Common Files\Dao350.dll
.
Code: 
<pre>
----a-w            61,440 2008-02-16 05:23:54  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w            63,048 2008-02-16 05:26:48  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
----a-w         2,097,488 2008-02-06 05:03:54  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           388,608 2008-02-16 05:26:51  C:\WINDOWS\system32\kmd .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe]
"FBF8FAFFFBFFFE060"="838082878387868.exe" []

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Pizza Director.lnk - C:\ntreskit\SC.EXE [2006-04-07 11:23:23 54032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--a------ 2005-10-05 20:26 487424 C:\Program Files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-08 13:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-08 14:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--a------ 2005-09-08 04:01 102400 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-08 14:03 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2005-05-06 18:06 716800 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 12:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
--a------ 2005-08-01 20:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

R2 AspenTouch Service;AspenTouch Service;C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe [2004-10-19 13:05]
R2 FoodTecAppServer;FoodTec AppServer;C:\pdirect\bin\foodtecappserver []
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 OracleServiceXE;Oracle Service;c:\oracle\bin\oracle.exe XE []
R2 OracleXETNSListener;Oracle Listener;c:\oracle\bin\tnslsnr.exe [2006-02-01 23:49]
R2 PCCharge;PCCharge;C:\NtResKit\SrvAny.exe [2006-04-07 11:23]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 15:16]
R2 TimeServ;Time Service;C:\ntreskit\TimeServ []
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 16:25]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2;C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 18:28]
R3 utcrs232;Aspen Resistive RS232 Touch Controller;C:\WINDOWS\system32\DRIVERS\UtcRs232.sys [2004-07-20 08:03]
S2 FoodTecApp;FoodTec App;C:\pdirect\bin\foodtecapp []
S3 MagEpNt;MagEpNt;C:\WINDOWS\system32\drivers\MagEpNt.sys [1997-06-12 10:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 09:04:00 C:\WINDOWS\Tasks\nightly.job"
- c:\pdirect\bin\nightly.cmd
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 01:22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 1:23:20
ComboFix-quarantined-files.txt 2008-02-16 06:22:51
 
Hi

No, that is only a infection leftover.

Have you installed this?

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
 
Hi

Thanks for the info.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
RenV::
----a-w            63,048 2008-02-16 05:26:48  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
----a-w         2,097,488 2008-02-06 05:03:54  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           388,608 2008-02-16 05:26:51  C:\WINDOWS\system32\kmd .exe

File::
C:\WINDOWS\system32\RCX11F.tmp
C:\WINDOWS\system32\RCX191.tmp
C:\WINDOWS\system32\laeaecld.dll
C:\WINDOWS\system32\psvjuhuv.dll
C:\WINDOWS\system32\L6814.tmp
C:\WINDOWS\system32\L50B4.tmp

Folder::
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\949193989498979

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FBF8FAFFFBFFFE060"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Not Sure if i did it correctly but here are the 2 logs:

ComboFix 08-02-14.2 - Administrator 2008-02-16 1:20:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.514 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.DBSERVER.001\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\User\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\User\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\User\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Common Files\qwur
C:\Program Files\Common Files\qwur\qwura.exe
C:\Program Files\Common Files\qwur\qwura.lck
C:\Program Files\Common Files\qwur\qwurd\class-barrel
C:\Program Files\Common Files\qwur\qwurd\qwurc.dll
C:\Program Files\Common Files\qwur\qwurd\vocabulary
C:\Program Files\Common Files\qwur\qwurh
C:\Program Files\Common Files\qwur\qwurl.exe
C:\Program Files\Common Files\qwur\qwurl.lck
C:\Program Files\Common Files\qwur\qwurm .exe
C:\Program Files\Common Files\qwur\qwurm.exe
C:\Program Files\Common Files\qwur\qwurm.lck
C:\Program Files\Common Files\qwur\qwurp.exe
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\scurit~1\?xplorer.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\?dobe\
C:\WINDOWS\dobe~1\arpa .exe
C:\WINDOWS\dobe~1\arpa.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\qwur
C:\WINDOWS\qwur\qwur.dat
C:\WINDOWS\qwur\wu
C:\WINDOWS\smante~1
C:\WINDOWS\system32\838082878387868.exe
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtst.exe
C:\WINDOWS\system32\cbmngayi.ini
C:\WINDOWS\system32\ckwobidw.ini
C:\WINDOWS\system32\dbxlyhli.dll
C:\WINDOWS\system32\dlceaeal.ini
C:\WINDOWS\system32\dqrfueed.dll
C:\WINDOWS\system32\dxxmqjkk.dll
C:\WINDOWS\system32\galdkvtf.dll
C:\WINDOWS\system32\ghnzkc.dll
C:\WINDOWS\system32\ghpqxelp.dll
C:\WINDOWS\system32\gqppsjva.dll
C:\WINDOWS\system32\iyagnmbc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjoakxep.dll
C:\WINDOWS\system32\mpthvbht.dll
C:\WINDOWS\system32\nhcsbtmx.ini
C:\WINDOWS\system32\nvokgtmw.dll
C:\WINDOWS\system32\owlrgevr.dll
C:\WINDOWS\system32\oxpkywqv.dll
C:\WINDOWS\system32\pexkaojm.ini
C:\WINDOWS\system32\phsmryvw.dll
C:\WINDOWS\system32\pjbynbhv.dll
C:\WINDOWS\system32\plexqphg.ini
C:\WINDOWS\system32\qidxkwiw.dll
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX94.tmp
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\RCXA3.tmp
C:\WINDOWS\system32\RCXA8.tmp
C:\WINDOWS\system32\RCXB0.tmp
C:\WINDOWS\system32\RCXC.tmp
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\rdmclomq.dll
C:\WINDOWS\system32\rvegrlwo.ini
C:\WINDOWS\system32\tfxtecpx.dll
C:\WINDOWS\system32\tgyxhrmx.ini
C:\WINDOWS\system32\thbvhtpm.ini
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\udokhsju.ini
C:\WINDOWS\system32\uidxwdua.dll
C:\WINDOWS\system32\ujshkodu.dll
C:\WINDOWS\system32\vdugoagu.dll
C:\WINDOWS\system32\vuhujvsp.ini
C:\WINDOWS\system32\wcgiupcg.dll
C:\WINDOWS\system32\wdibowkc.dll
C:\WINDOWS\system32\wvyrmshp.ini
C:\WINDOWS\system32\xmrhxygt.dll
C:\WINDOWS\system32\xmtbschn.dll
C:\WINDOWS\system32\xoosmxvy.dll
C:\WINDOWS\system32\xpcetxft.ini
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ynrqeuao.dll
C:\WINDOWS\system32\yswrwdpr.dll
C:\WINDOWS\VXNlcg\
C:\WINDOWS\VXNlcg\\asappsrv.dll
C:\WINDOWS\VXNlcg\\command.exe
C:\WINDOWS\VXNlcg\\prh5w0.vbs
C:\WINDOWS\VXNlcg\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService








((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-16 00:26 . 2008-02-16 00:26 388,608 --a------ C:\WINDOWS\system32\kmd .exe
2008-02-14 23:05 . 2008-02-16 00:14 6,112 --a------ C:\WINDOWS\BM5fae4a91.xml
2008-02-14 23:05 . 2008-02-16 00:33 21 --a------ C:\WINDOWS\pskt.ini
2008-02-13 22:54 . 2008-02-13 22:54 340,992 --a------ C:\WINDOWS\system32\RCX11F.tmp
2008-02-10 19:41 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\ThinkVantage
2008-02-10 19:41 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\Symantec
2008-02-10 19:41 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\IBM
2008-02-10 10:30 . 2008-02-10 10:30 340,992 --a------ C:\WINDOWS\system32\RCX191.tmp
2008-02-10 09:09 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\ThinkVantage
2008-02-10 09:09 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\Symantec
2008-02-10 09:09 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\IBM
2008-02-09 22:54 . 2008-02-09 22:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 21:34 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\ThinkVantage
2008-02-06 21:34 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\Symantec
2008-02-06 21:34 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\IBM
2008-02-05 23:52 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-05 22:49 . 2008-02-13 22:53 1,416 --a------ C:\WINDOWS\wininit.ini
2008-02-05 21:49 . 2008-02-16 00:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 21:49 . 2008-02-05 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 16:23 . 2008-02-05 16:23 90,688 --a------ C:\WINDOWS\system32\laeaecld.dll
2008-02-05 16:20 . 2008-02-05 16:20 90,688 --a------ C:\WINDOWS\system32\psvjuhuv.dll
2008-02-05 04:54 . 2008-02-05 04:54 <DIR> d-------- C:\WINDOWS\system32\949193989498979
2008-02-03 16:12 . 2008-02-16 00:37 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-03 16:08 . 2008-02-05 23:57 378,880 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-02-03 16:08 . 2008-02-03 16:08 270,698 --a------ C:\WINDOWS\system32\L6814.tmp
2008-02-03 16:08 . 2008-02-03 16:08 181,965 --a------ C:\WINDOWS\system32\L50B4.tmp
2008-01-29 21:58 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\ThinkVantage
2008-01-29 21:58 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Symantec
2008-01-29 21:58 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\IBM
2008-01-29 21:43 . 2008-02-16 00:07 <DIR> d-------- C:\Program Files\LogMeIn
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-01-29 21:43 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-01-29 21:43 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-01-29 21:43 . 2008-01-29 21:43 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 06:14 --------- d-----w C:\Program Files\Active-Charge
2007-10-05 18:48 0 ----a-w C:\Documents and Settings\Administrator\GoToAssist_phone__317_en.exe
2006-07-26 03:13 50,036 ----a-r C:\WINDOWS\inf\DS2490.sys
2003-06-19 16:05 286,773 ----a-w C:\Program Files\msvcrt.dll
2003-06-19 16:05 1,015,859 ----a-w C:\Program Files\mfc42.dll
1998-05-15 05:00 73,184 ----a-w C:\Program Files\Common Files\dao2535.tlb
1998-04-27 05:00 570,128 ----a-w C:\Program Files\Common Files\Dao350.dll
.
Code: 
<pre>
----a-w            61,440 2008-02-16 05:23:54  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w            63,048 2008-02-16 05:26:48  C:\Program Files\LogMeIn\x86\LogMeInSystray .exe
----a-w         2,097,488 2008-02-06 05:03:54  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           388,608 2008-02-16 05:26:51  C:\WINDOWS\system32\kmd .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe]
"FBF8FAFFFBFFFE060"="838082878387868.exe" []

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Pizza Director.lnk - C:\ntreskit\SC.EXE [2006-04-07 11:23:23 54032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--a------ 2005-10-05 20:26 487424 C:\Program Files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-08 13:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-08 14:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--a------ 2005-09-08 04:01 102400 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-08 14:03 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2005-05-06 18:06 716800 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 12:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
--a------ 2005-08-01 20:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

R2 AspenTouch Service;AspenTouch Service;C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe [2004-10-19 13:05]
R2 FoodTecAppServer;FoodTec AppServer;C:\pdirect\bin\foodtecappserver []
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 OracleServiceXE;Oracle Service;c:\oracle\bin\oracle.exe XE []
R2 OracleXETNSListener;Oracle Listener;c:\oracle\bin\tnslsnr.exe [2006-02-01 23:49]
R2 PCCharge;PCCharge;C:\NtResKit\SrvAny.exe [2006-04-07 11:23]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 15:16]
R2 TimeServ;Time Service;C:\ntreskit\TimeServ []
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 16:25]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2;C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 18:28]
R3 utcrs232;Aspen Resistive RS232 Touch Controller;C:\WINDOWS\system32\DRIVERS\UtcRs232.sys [2004-07-20 08:03]
S2 FoodTecApp;FoodTec App;C:\pdirect\bin\foodtecapp []
S3 MagEpNt;MagEpNt;C:\WINDOWS\system32\drivers\MagEpNt.sys [1997-06-12 10:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 09:04:00 C:\WINDOWS\Tasks\nightly.job"
- c:\pdirect\bin\nightly.cmd
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 01:22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 1:23:20
ComboFix-quarantined-files.txt 2008-02-16 06:22:51
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31, on 2008-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
c:\oracle\bin\oracle.exe
c:\oracle\bin\tnslsnr.exe
C:\NtResKit\SrvAny.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Capital12.exe

O1 - Hosts: 205.1.1.1 DBSERVER
O1 - Hosts: 205.1.1.2 TERM_A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [FBF8FAFFFBFFFE060] 838082878387868.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A752C58-F30D-4CC8-ABCE-5DDA2856F45C}: NameServer = 205.1.1.100,167.206.3.137,167.206.3.136,167.206.3.203
O23 - Service: AspenTouch Service - Aspen Touch Solutions, Inc. - C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
O23 - Service: FoodTec App (FoodTecApp) - Unknown owner - C:\pdirect\bin\foodtecapp (file missing)
O23 - Service: FoodTec AppServer (FoodTecAppServer) - Unknown owner - C:\pdirect\bin\foodtecappserver (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Oracle Service (OracleServiceXE) - Oracle Corporation - c:\oracle\bin\oracle.exe
O23 - Service: Oracle Listener (OracleXETNSListener) - Unknown owner - c:\oracle\bin\tnslsnr.exe
O23 - Service: PCCharge - Unknown owner - C:\NtResKit\SrvAny.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\ntreskit\TimeServ (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 4329 bytes
 
Hi

Unfortunately you didn't.

You are not supposed to doubleclick combofix.exe in order to run it.

You are supposed to create cfscript as instructed above and drag & drop it into combofix.

Please follow my previous instructions word by word
and you should have no problems doing it right :)
 
Ok Shaba, I apologize. i think i did it right this time. Here are the logs as requested: I am still receiving that windows error msg after bootup that i stated before. A million thanks. The computer is running better now.


ComboFix 08-02-14.2 - Administrator 2008-02-17 21:28:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.440 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.DBSERVER.001\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-14 23:05 . 2008-02-16 00:14 6,112 --a------ C:\WINDOWS\BM5fae4a91.xml
2008-02-14 23:05 . 2008-02-16 00:33 21 --a------ C:\WINDOWS\pskt.ini
2008-02-13 22:54 . 2008-02-13 22:54 340,992 --a------ C:\WINDOWS\system32\RCX11F.tmp
2008-02-10 19:41 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\ThinkVantage
2008-02-10 19:41 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\Symantec
2008-02-10 19:41 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\IBM
2008-02-10 10:30 . 2008-02-10 10:30 340,992 --a------ C:\WINDOWS\system32\RCX191.tmp
2008-02-10 09:09 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\ThinkVantage
2008-02-10 09:09 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\Symantec
2008-02-10 09:09 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\IBM
2008-02-09 22:54 . 2008-02-09 22:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 21:34 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\ThinkVantage
2008-02-06 21:34 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\Symantec
2008-02-06 21:34 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\IBM
2008-02-05 23:52 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-05 22:49 . 2008-02-13 22:53 1,416 --a------ C:\WINDOWS\wininit.ini
2008-02-05 21:49 . 2008-02-16 14:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 21:49 . 2008-02-05 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 16:23 . 2008-02-05 16:23 90,688 --a------ C:\WINDOWS\system32\laeaecld.dll
2008-02-05 16:20 . 2008-02-05 16:20 90,688 --a------ C:\WINDOWS\system32\psvjuhuv.dll
2008-02-05 04:54 . 2008-02-05 04:54 <DIR> d-------- C:\WINDOWS\system32\949193989498979
2008-02-03 16:12 . 2008-02-16 00:37 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-03 16:08 . 2008-02-05 23:57 378,880 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-02-03 16:08 . 2008-02-03 16:08 270,698 --a------ C:\WINDOWS\system32\L6814.tmp
2008-02-03 16:08 . 2008-02-03 16:08 181,965 --a------ C:\WINDOWS\system32\L50B4.tmp
2008-01-29 21:58 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\ThinkVantage
2008-01-29 21:58 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Symantec
2008-01-29 21:58 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\IBM
2008-01-29 21:43 . 2008-02-17 21:28 <DIR> d-------- C:\Program Files\LogMeIn
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-01-29 21:43 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-01-29 21:43 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-01-29 21:43 . 2008-01-29 21:43 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 02:16 --------- d-----w C:\Program Files\Active-Charge
2007-10-05 18:48 0 ----a-w C:\Documents and Settings\Administrator\GoToAssist_phone__317_en.exe
2006-07-26 03:13 50,036 ----a-r C:\WINDOWS\inf\DS2490.sys
2003-06-19 16:05 286,773 ----a-w C:\Program Files\msvcrt.dll
2003-06-19 16:05 1,015,859 ----a-w C:\Program Files\mfc42.dll
1998-05-15 05:00 73,184 ----a-w C:\Program Files\Common Files\dao2535.tlb
1998-04-27 05:00 570,128 ----a-w C:\Program Files\Common Files\Dao350.dll
.
Code: 
<pre>
----a-w            61,440 2008-02-16 05:23:54  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe]
"FBF8FAFFFBFFFE060"="838082878387868.exe" []

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Pizza Director.lnk - C:\ntreskit\SC.EXE [2006-04-07 11:23:23 54032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--a------ 2005-10-05 20:26 487424 C:\Program Files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-08 13:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-08 14:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--a------ 2005-09-08 04:01 102400 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-08 14:03 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2005-05-06 18:06 716800 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 12:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
--a------ 2005-08-01 20:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

R2 AspenTouch Service;AspenTouch Service;C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe [2004-10-19 13:05]
R2 FoodTecAppServer;FoodTec AppServer;C:\pdirect\bin\foodtecappserver []
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 OracleServiceXE;Oracle Service;c:\oracle\bin\oracle.exe XE []
R2 OracleXETNSListener;Oracle Listener;c:\oracle\bin\tnslsnr.exe [2006-02-01 23:49]
R2 PCCharge;PCCharge;C:\NtResKit\SrvAny.exe [2006-04-07 11:23]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 15:16]
R2 TimeServ;Time Service;C:\ntreskit\TimeServ []
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 16:25]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2;C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 18:28]
R3 utcrs232;Aspen Resistive RS232 Touch Controller;C:\WINDOWS\system32\DRIVERS\UtcRs232.sys [2004-07-20 08:03]
S2 FoodTecApp;FoodTec App;C:\pdirect\bin\foodtecapp []
S3 MagEpNt;MagEpNt;C:\WINDOWS\system32\drivers\MagEpNt.sys [1997-06-12 10:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 09:01:18 C:\WINDOWS\Tasks\nightly.job"
- c:\pdirect\bin\nightly.cmd
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 21:30:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 21:31:31
ComboFix-quarantined-files.txt 2008-02-18 02:31:03
ComboFix2.txt 2008-02-16 06:23:20
 
Also, Does this look suspicious at all to you?
O4 - HKLM\..\Run: [FBF8FAFFFBFFFE060] 838082878387868.exe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:40 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
c:\oracle\bin\oracle.exe
c:\oracle\bin\tnslsnr.exe
C:\NtResKit\SrvAny.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Capital12.exe

O1 - Hosts: 205.1.1.1 DBSERVER
O1 - Hosts: 205.1.1.2 TERM_A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [FBF8FAFFFBFFFE060] 838082878387868.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A752C58-F30D-4CC8-ABCE-5DDA2856F45C}: NameServer = 205.1.1.100,167.206.3.137,167.206.3.136,167.206.3.203
O23 - Service: AspenTouch Service - Aspen Touch Solutions, Inc. - C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
O23 - Service: FoodTec App (FoodTecApp) - Unknown owner - C:\pdirect\bin\foodtecapp (file missing)
O23 - Service: FoodTec AppServer (FoodTecAppServer) - Unknown owner - C:\pdirect\bin\foodtecappserver (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Oracle Service (OracleServiceXE) - Oracle Corporation - c:\oracle\bin\oracle.exe
O23 - Service: Oracle Listener (OracleXETNSListener) - Unknown owner - c:\oracle\bin\tnslsnr.exe
O23 - Service: PCCharge - Unknown owner - C:\NtResKit\SrvAny.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\ntreskit\TimeServ (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 4366 bytes
 
Hi

Yes, that is infection leftover.

Still not right.

But we try something else.

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [FBF8FAFFFBFFFE060] 838082878387868.exe

Close all windows including browser and press fix checked.

Reboot.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [xcode]
    C:\WINDOWS\system32\RCX11F.tmp
    C:\WINDOWS\system32\RCX191.tmp
    C:\WINDOWS\system32\laeaecld.dll
    C:\WINDOWS\system32\psvjuhuv.dll
    C:\WINDOWS\system32\L6814.tmp
    C:\WINDOWS\system32\L50B4.tmp
    C:\Program Files\Dot1XCfg
    C:\WINDOWS\system32\949193989498979
    [/xcode]
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run combofix.

Post:

- a fresh HijackThis log
- combofix report
- otmoveit2 log
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:14 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
c:\oracle\bin\oracle.exe
c:\oracle\bin\tnslsnr.exe
C:\NtResKit\SrvAny.exe
C:\Program Files\Active-Charge\Active-Charge.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Capital12.exe

O1 - Hosts: 205.1.1.1 DBSERVER
O1 - Hosts: 205.1.1.2 TERM_A
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A752C58-F30D-4CC8-ABCE-5DDA2856F45C}: NameServer = 205.1.1.100,167.206.3.137,167.206.3.136,167.206.3.203
O23 - Service: AspenTouch Service - Aspen Touch Solutions, Inc. - C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe
O23 - Service: FoodTec App (FoodTecApp) - Unknown owner - C:\pdirect\bin\foodtecapp (file missing)
O23 - Service: FoodTec AppServer (FoodTecAppServer) - Unknown owner - C:\pdirect\bin\foodtecappserver (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Oracle Service (OracleServiceXE) - Oracle Corporation - c:\oracle\bin\oracle.exe
O23 - Service: Oracle Listener (OracleXETNSListener) - Unknown owner - c:\oracle\bin\tnslsnr.exe
O23 - Service: PCCharge - Unknown owner - C:\NtResKit\SrvAny.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Time Service (TimeServ) - Unknown owner - C:\ntreskit\TimeServ (file missing)
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 4364 bytes
 
File/Folder xcode] not found.
C:\WINDOWS\system32\RCX11F.tmp moved successfully.
C:\WINDOWS\system32\RCX191.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\laeaecld.dll
C:\WINDOWS\system32\laeaecld.dll NOT unregistered.
C:\WINDOWS\system32\laeaecld.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\psvjuhuv.dll
C:\WINDOWS\system32\psvjuhuv.dll NOT unregistered.
C:\WINDOWS\system32\psvjuhuv.dll moved successfully.
C:\WINDOWS\system32\L6814.tmp moved successfully.
C:\WINDOWS\system32\L50B4.tmp moved successfully.
C:\Program Files\Dot1XCfg moved successfully.
C:\WINDOWS\system32\949193989498979 moved successfully.
File/Folder [/xcode] not found.

OTMoveIt2 v1.0.20 log created on 02182008_212216

ComboFix 08-02-14.2 - Administrator 2008-02-18 21:24:35.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.523 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.DBSERVER.001\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 21:22 . 2008-02-18 21:22 <DIR> d-------- C:\_OTMoveIt
2008-02-14 23:05 . 2008-02-16 00:14 6,112 --a------ C:\WINDOWS\BM5fae4a91.xml
2008-02-14 23:05 . 2008-02-16 00:33 21 --a------ C:\WINDOWS\pskt.ini
2008-02-10 19:41 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\ThinkVantage
2008-02-10 19:41 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\Symantec
2008-02-10 19:41 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.001\Application Data\IBM
2008-02-10 09:09 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\ThinkVantage
2008-02-10 09:09 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\Symantec
2008-02-10 09:09 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER.000\Application Data\IBM
2008-02-09 22:54 . 2008-02-09 22:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-09 22:34 . 2008-02-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 21:34 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\ThinkVantage
2008-02-06 21:34 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\Symantec
2008-02-06 21:34 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\Administrator.DBSERVER\Application Data\IBM
2008-02-05 23:52 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-05 22:49 . 2008-02-13 22:53 1,416 --a------ C:\WINDOWS\wininit.ini
2008-02-05 21:49 . 2008-02-16 14:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-05 21:49 . 2008-02-05 22:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 16:08 . 2008-02-05 23:57 378,880 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-01-29 21:58 . 2006-02-02 10:07 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\ThinkVantage
2008-01-29 21:58 . 2006-01-18 12:34 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Symantec
2008-01-29 21:58 . 2006-01-18 12:30 <DIR> d-------- C:\Documents and Settings\LogMeInRemoteUser\Application Data\IBM
2008-01-29 21:43 . 2008-02-18 21:08 <DIR> d-------- C:\Program Files\LogMeIn
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 87,352 --a------ C:\WINDOWS\system32\LMIinit.dll
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll.000.bak
2008-01-29 21:43 . 2007-11-15 18:46 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-01-29 21:43 . 2007-08-03 15:09 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2008-01-29 21:43 . 2007-11-15 18:46 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2008-01-29 21:43 . 2008-01-29 21:43 1,024 --a------ C:\.rnd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 02:10 --------- d-----w C:\Program Files\Active-Charge
2007-10-05 18:48 0 ----a-w C:\Documents and Settings\Administrator\GoToAssist_phone__317_en.exe
2006-07-26 03:13 50,036 ----a-r C:\WINDOWS\inf\DS2490.sys
2003-06-19 16:05 286,773 ----a-w C:\Program Files\msvcrt.dll
2003-06-19 16:05 1,015,859 ----a-w C:\Program Files\mfc42.dll
1998-05-15 05:00 73,184 ----a-w C:\Program Files\Common Files\dao2535.tlb
1998-04-27 05:00 570,128 ----a-w C:\Program Files\Common Files\Dao350.dll
.
Code: 
<pre>
----a-w            61,440 2008-02-16 05:23:54  C:\_OTMoveIt\MovedFiles\[u]0[/u]2182008_212216\Program Files\Dot1XCfg\Dot1XCfg .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Pizza Director.lnk - C:\ntreskit\SC.EXE [2006-04-07 11:23:23 54032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
--a------ 2005-10-05 20:26 487424 C:\Program Files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-08 13:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-08 14:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
--a------ 2005-09-08 04:01 102400 C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2005-04-13 17:34 49152 C:\WINDOWS\system32\ico.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-08 14:03 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2005-05-06 18:06 716800 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 12:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
--a------ 2005-08-01 20:32 40960 C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe

R2 AspenTouch Service;AspenTouch Service;C:\Program Files\Aspen Touch Solutions\Drivers\Touchscreen\UTCServiceApp.exe [2004-10-19 13:05]
R2 FoodTecAppServer;FoodTec AppServer;C:\pdirect\bin\foodtecappserver []
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 OracleServiceXE;Oracle Service;c:\oracle\bin\oracle.exe XE []
R2 OracleXETNSListener;Oracle Listener;c:\oracle\bin\tnslsnr.exe [2006-02-01 23:49]
R2 PCCharge;PCCharge;C:\NtResKit\SrvAny.exe [2006-04-07 11:23]
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 15:16]
R2 TimeServ;Time Service;C:\ntreskit\TimeServ []
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16:55]
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 16:25]
R3 TPM12;NSC Integrated Trusted Platform Module 1.2;C:\WINDOWS\system32\DRIVERS\nsctpm12.sys [2005-04-21 18:28]
R3 utcrs232;Aspen Resistive RS232 Touch Controller;C:\WINDOWS\system32\DRIVERS\UtcRs232.sys [2004-07-20 08:03]
S2 FoodTecApp;FoodTec App;C:\pdirect\bin\foodtecapp []
S3 MagEpNt;MagEpNt;C:\WINDOWS\system32\drivers\MagEpNt.sys [1997-06-12 10:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 09:00:35 C:\WINDOWS\Tasks\nightly.job"
- c:\pdirect\bin\nightly.cmd
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 21:26:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 21:27:08
ComboFix-quarantined-files.txt 2008-02-19 02:26:47
ComboFix2.txt 2008-02-18 02:31:32
ComboFix3.txt 2008-02-16 06:23:20
 
You must log in or register to reply here.
Back
Top