“Win32.Winlogons.co” & Other Trojans Infections

B

Bobby D

New member
Hello.

My computer has become plagued with a number of problems and Trojans on my computer. The main results are my internet explorers connecting on minute and then not another, and my IP address apparently being on Open Proxy blocking sites.

Before I get into my issues, I recently was able to remove Smitfraud-C with Smitfraudfix. While I doubt that this caused these issues, I figured it may be useful to know.

When I start up my computer, I receive the following to messages:

-Message #1 (Windows): svchost.exe - Application Error

The instruction at "0x00401000" referenced memory at "0x00401000". The memory could not be "written"

CLick on OK to terminate the program
Click on CANCEL to debug the program


-Message #2 (AVG Antivirus): Resident Shield alert

File name: C:\\WINDOWS\System32\drivers\tcpsr.sys
Threat name: Trojan horse SpamBot.G detected on open.


After these, I usually have issues with internet. Today, I debugged the Windows error message (#1), and I eventually received the following AVG Antivirus message:

-Resident Shield alert

Infection #1
File name: C:\WINDOWS\System32\uovgfv.dll
Threat name: Trojan horse Small.APC detected on open.

Infection #2
File name: C:\WINDOWS\TEMP\2080303185exe
Threat name: Trojan horse Generic12.AIK detected on open.

Infection #3
File name: C:\WINDOWS\TEMP\369088874exe
Threat name: Trojan horse Generic12.AIK detected on open.

Infection #4
File name: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1N7GANWX\w31tms[1].exe
Threat name: Trojan horse Generic12.AIK detected on open.



When I run SpyBot S&D 1.6.0, the only items are a Trojan called “win32.winlogons.co” with the following to Registry Key entry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tcpsr

I’ve tried to repair this with Spybot in both regular and safe mode, but it keeps coming back.

The HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:43 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\CJ\svchost.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182654790468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5256/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: uovgfv - uovgfv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)

--
End of file - 8922 bytes

I appreciate your help. Let me know what other information you need to help solve my problems

Thank you advance for your help.
 
Hello and Welcome to the forums!

My name is peku006 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Please continue to respond until I give you the "All Clear"
If you follow these instructions, everything should go smoothly.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to use Safe Mode and you will not have access to this page.

1- Download and Install SDFix
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

2 - Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

3- Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

4 - Scan With ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

5 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

6 - Status Check
Please reply with

1. the SDFix.Report.txt (C:\SDFix\report.txt)
2. the ComboFix log(C:\ComboFix.txt)
3. a fresh HijackThis log

Thanks peku006
 
peku006-

First, thank you so much for getting back to me so quickly.

I have run all the programs, and everything appears to be operating well (knock on wood). I am now taking steps to get off some Proxy blacklists. Apparently, my computer was being used to send out spam, so if I’m the one bombarding your inbox. :oops:

Anyway, here are my reports. Please let me know if everything looks fine from you end. I ran Spybot S&D, and nothing is showing up and AVG finds nothing.

SD Fix:


SDFix: Version 1.239
Run by CJ on Wed 11/05/2008 at 07:17 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\ATI3DQXX.sys - Rootkit Pandex/Cutwail - Protect.sys

Name :
FCI
ICF
tcpsr
ATI3DQXX

Path :
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\WINDOWS\system32\svchost.exe:ext.exe
\??\C:\WINDOWS\System32\drivers\tcpsr.sys
System32\Drivers\ati3dqxx.sys

FCI - Deleted
ICF - Deleted
tcpsr - Deleted
ATI3DQXX - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path

Rebooting

Service ATI3DQXX - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\UOVGFV.dll - Deleted
C:\-19432~1 - Deleted
C:\Program Files\GetModule\dicik.gz - Deleted
C:\Program Files\GetModule\kwdik.gz - Deleted
C:\WINDOWS\system32\wpv294.cpx - Deleted
C:\WINDOWS\system32\wpv786.cpx - Deleted
C:\WINDOWS\system32\wpv824.cpx - Deleted
C:\WINDOWS\system32\wpv294.cpx - Deleted
C:\WINDOWS\system32\wpv786.cpx - Deleted
C:\WINDOWS\system32\wpv824.cpx - Deleted
C:\WINDOWS\wiaservv.log - Deleted
C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted
C:\WINDOWS\system32\drivers\tcpsr.sys - Deleted
C:\WINDOWS\system32\drivers\ATI3DQXX.sys - Deleted



Folder C:\Program Files\GetModule - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 25088 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 19:29:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001b3

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp"="C:\\Program Files\\Kazaa Lite Resurrection\\kazaalite.kpp:*:Enabled:kazaalite"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Kazaa Lite Resurrection\\kdat.exe"="C:\\Program Files\\Kazaa Lite Resurrection\\kdat.exe:*:Enabled:K-Dat"
"C:\\Program Files\\Kazaa Lite Resurrection\\kanat.exe"="C:\\Program Files\\Kazaa Lite Resurrection\\kanat.exe:*:Enabled:KaNAT"
"C:\\Program Files\\Kazaa Lite Resurrection\\klrun.exe"="C:\\Program Files\\Kazaa Lite Resurrection\\klrun.exe:*:Enabled:Kazaa Lite Resurrection"
"C:\\Program Files\\Kazaa Lite Resurrection\\kluserconfigwiz.exe"="C:\\Program Files\\Kazaa Lite Resurrection\\kluserconfigwiz.exe:*:Enabled:Kazaa Lite User Configuration Wizard"
"C:\\Program Files\\Kazaa Lite Resurrection\\kazupernodes.exe"="C:\\Program Files\\Kazaa Lite Resurrection\\kazupernodes.exe:*:Enabled:KaZuperNodes"
"C:\\Program Files\\Kazaa Lite Resurrection\\kchecker.exe"="C:\\Program Files\\Kazaa Lite Resurrection\\kchecker.exe:*:Enabled:KChecker"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"="C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 4 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 26 Sep 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 26 Sep 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Wed 4 Apr 2001 28,738 A..HR --- "C:\My Shared Folder\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2006\MSDE2000\SQLRESLD.DLL"
Tue 4 Nov 2008 857 ...HR --- "C:\Documents and Settings\CJ\Application Data\SecuROM\UserData\securom_v7_01.bak"
Wed 5 Nov 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp"
Wed 5 Nov 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE5.tmp"
Wed 24 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 24 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 24 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!


ComboFix:

ComboFix 08-11-04.02 - CJ 2008-11-05 19:53:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1433 [GMT -5:00]
Running from: c:\documents and settings\CJ\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll.cla

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-10-30 03:51 . 2008-11-04 21:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-30 03:44 . 2008-11-05 18:59 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-30 03:44 . 2008-10-30 03:44 <DIR> d-------- c:\program files\AVG
2008-10-30 03:44 . 2008-10-30 03:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-30 03:44 . 2008-10-30 03:44 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-30 03:44 . 2008-10-30 03:44 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-30 03:24 . 2008-10-30 03:26 <DIR> d-------- C:\SmitfraudFix
2008-10-30 03:22 . 2008-10-30 03:16 1,663,761 --a------ C:\SmitfraudFix.exe
2008-10-30 03:17 . 2008-10-30 03:24 3,378 --a------ c:\windows\system32\tmp.reg
2008-10-30 03:16 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-30 03:16 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-30 03:16 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-30 03:16 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-30 03:16 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-30 03:16 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-30 03:16 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-30 03:16 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-30 03:16 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe
2008-10-30 03:16 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-30 03:16 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-29 09:01 . 2008-10-29 09:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-29 08:03 . 2008-10-29 08:23 58 --a------ c:\windows\system32\winwp.bmp
2008-10-26 22:22 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-10-26 18:29 . 2008-10-26 18:29 <DIR> d-------- c:\windows\ERUNT
2008-10-26 18:27 . 2008-11-05 19:49 <DIR> d-------- C:\SDFix
2008-10-23 22:10 . 2004-08-03 23:10 85,376 --a------ c:\windows\system32\drivers\nabtsfec.sys.bak
2008-10-23 22:10 . 2008-10-26 14:08 60,416 --a------ c:\windows\system32\drivers\TDSSmqlt.sys
2008-10-12 10:34 . 2007-08-21 06:00 1,536 --a------ c:\windows\system32\Delete_Me_Dummy_karna.dat
2008-10-12 10:19 . 2008-10-15 22:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-12 10:19 . 2008-10-12 10:19 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 00:05 14,336 ----a-w c:\windows\system32\svchost.exe
2008-10-30 08:31 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-10-30 07:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-29 14:01 --------- d-----w c:\program files\Lavasoft
2008-10-29 13:59 --------- d-----w c:\documents and settings\CJ\Application Data\Lavasoft
2008-10-27 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-24 03:10 137,856 ----a-w c:\windows\system32\drivers\NABTSFEC.sys
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\netapi32(2)(2).dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k(2)(3).sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-08-28 10:04 333,056 ------w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2008-06-24 05:02 39,832 ----a-w c:\documents and settings\CJ\Application Data\GDIPFONTCACHEV1.DAT
2004-01-15 06:34 259,539,966 ----a-w c:\program files\Microsoft Office XP Publisher 2003.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-24 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-23 483328]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-30 1234712]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-19 c:\windows\system32\WDBtnMgr.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-10-19 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-30 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-30 231704]
R3 Angel;Angel MPEG Device;c:\windows\system32\DRIVERS\Angel.sys [2005-02-25 375936]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2006-09-07 10112]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
\Shell\AutoRun\command - o:\wd_windows_tools\WDEULA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\CJ\Application Data\Mozilla\Firefox\Profiles\ut1z4ylu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 19:54:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 19:56:02
ComboFix-quarantined-files.txt 2008-11-06 00:55:56

Pre-Run: 77,668,249,600 bytes free
Post-Run: 78,244,257,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

158 --- E O F --- 2008-10-31 04:30:34


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:51 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182654790468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5256/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7838 bytes


Thanks so much for the help. You made me a very happy person. All the best.

Bobby
 
Hi Bobby

One or more of the identified infections is a rootkit.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the rootkit has been identified and can be killed, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this rootkit, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.

Thanks peku006
 
Hello!

Do you still need help

It has been three days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!
 
Hi Peku006-

Sorry for the delayed response. Things in my personal and work life have been very hectic the past three days. Plus, the internet service I had access to was blocking forums. So, I’m sorry.

As for my computer, I think I see what you need. I supposedly had some viruses stored in the AVG vault. I accidentally released them, and then had something unholy unleashed on my computer. Long story short – it tried to take over my computer, changing all my internet explorer settings, and erasing my System Restore history and then started the only restore point to when it took over. So, I see what you mean by reformatting.

Saying that, I wanted to see if there was ANY way to work through this. If it doesn’t work, then I need to make sure I have all the necessary backups for my programs. While I can easily store my files on external hard drive(s), I am just concerned that I erase programs I don’t have the disks for. Plus, I’m still trying to find my OS backup.

Anyway, I went through same steps for the previous Trojan takeover. After my little blurb, you’ll find the 1) SDFix log, 2) ComboFix log, and 3) Hijackthis Log. Let me know your thoughts. Would something like UnHackMe (http://safecomputing.umn.edu/guides/scan_unhackme.html) help? Thanks for all your help. I’d have pulled out my hair for now if not for you. Have a good one…


Sdfix Log

SDFix: Version 1.239
Run by CJ on Sun 11/09/2008 at 09:53 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ddcCSLCu.dll - Deleted
C:\Documents and Settings\CJ\Application Data\SpeedRunner\config.cfg - Deleted
C:\DOCUME~1\CJ\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\msansspc.dll - Deleted



Folder C:\Documents and Settings\CJ\Application Data\Gool - Removed
Folder C:\Documents and Settings\CJ\Application Data\SpeedRunner - Removed
Folder C:\Program Files\Mjcore - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 10:05:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"="C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 4 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 26 Sep 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 26 Sep 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Wed 4 Apr 2001 28,738 A..HR --- "C:\My Shared Folder\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2006\MSDE2000\SQLRESLD.DLL"
Sat 8 Nov 2008 857 ...HR --- "C:\Documents and Settings\CJ\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sun 9 Nov 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp"
Sun 9 Nov 2008 6,004 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE5.tmp"
Wed 24 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 24 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 24 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!


ComboFix Log

ComboFix 08-11-07.01 - CJ 2008-11-09 10:31:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1403 [GMT -5:00]
Running from: c:\documents and settings\CJ\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CJ\Application Data\gadcom
c:\documents and settings\CJ\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\cbXNGaWN.dll
c:\windows\system32\ddcBQkHA.dll
c:\windows\system32\dfctxymo.dll
c:\windows\system32\elkefmaq.ini
c:\windows\system32\kgoywu.dll
c:\windows\system32\NWaGNXbc.ini
c:\windows\system32\NWaGNXbc.ini2
c:\windows\system32\qamfekle.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-09 09:28 . 2008-11-09 09:28 <DIR> d-------- c:\program files\Webtools
2008-10-30 03:51 . 2008-11-08 11:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-30 03:44 . 2008-11-09 08:38 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-30 03:44 . 2008-10-30 03:44 <DIR> d-------- c:\program files\AVG
2008-10-30 03:44 . 2008-10-30 03:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-30 03:44 . 2008-10-30 03:44 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-30 03:44 . 2008-10-30 03:44 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-30 03:24 . 2008-10-30 03:26 <DIR> d-------- C:\SmitfraudFix
2008-10-30 03:22 . 2008-10-30 03:16 1,663,761 --a------ C:\SmitfraudFix.exe
2008-10-30 03:17 . 2008-10-30 03:24 3,378 --a------ c:\windows\system32\tmp.reg
2008-10-30 03:16 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-30 03:16 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-30 03:16 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-30 03:16 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-30 03:16 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-30 03:16 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-30 03:16 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-30 03:16 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-30 03:16 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe
2008-10-30 03:16 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-30 03:16 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-29 09:01 . 2008-10-29 09:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-29 08:03 . 2008-10-29 08:23 58 --a------ c:\windows\system32\winwp.bmp
2008-10-26 22:22 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-10-26 18:29 . 2008-10-26 18:29 <DIR> d-------- c:\windows\ERUNT
2008-10-26 18:27 . 2008-11-09 10:25 <DIR> d-------- C:\SDFix
2008-10-23 22:10 . 2004-08-03 23:10 85,376 --a------ c:\windows\system32\drivers\nabtsfec.sys.bak
2008-10-23 22:10 . 2008-10-26 14:08 60,416 --a------ c:\windows\system32\drivers\TDSSmqlt.sys
2008-10-12 10:34 . 2007-08-21 06:00 1,536 --a------ c:\windows\system32\Delete_Me_Dummy_karna.dat
2008-10-12 10:19 . 2008-10-15 22:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-12 10:19 . 2008-10-12 10:19 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 07:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-29 14:01 --------- d-----w c:\program files\Lavasoft
2008-10-29 13:59 --------- d-----w c:\documents and settings\CJ\Application Data\Lavasoft
2008-10-27 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-24 03:10 137,856 ----a-w c:\windows\system32\drivers\NABTSFEC.sys
2008-06-24 05:02 39,832 ----a-w c:\documents and settings\CJ\Application Data\GDIPFONTCACHEV1.DAT
2004-01-15 06:34 259,539,966 ----a-w c:\program files\Microsoft Office XP Publisher 2003.zip
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_19.55.40.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-06 00:11:01 39,096,320 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-11-09 14:45:42 39,096,320 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-11-06 00:11:01 155,648 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-09 14:45:42 155,648 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-07-19 02:10:48 94,920 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2008-07-19 02:10:48 94,920 ----a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
- 2008-07-19 02:09:44 563,912 ----a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 02:10:42 53,448 ----a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 ----a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 ----a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 02:10:20 36,552 ----a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-19 02:09:44 205,000 ----a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
- 2008-07-19 02:07:34 270,880 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 19:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll
- 2008-07-19 02:07:32 210,976 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 19:06:48 208,744 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2008-07-19 02:09:44 563,912 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2008-07-19 02:10:42 53,448 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2008-07-19 02:09:46 325,832 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2008-07-19 02:10:20 36,552 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-07-19 02:10:40 45,768 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2008-07-19 02:09:44 205,000 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-24 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-23 483328]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-30 1234712]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-19 c:\windows\system32\WDBtnMgr.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-10-19 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll kgoywu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-30 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-30 231704]
R3 Angel;Angel MPEG Device;c:\windows\system32\DRIVERS\Angel.sys [2005-02-25 375936]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2006-09-07 10112]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - wd_windows_tools\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{f4a5b2ac-58d7-4f5e-9db6-b027d1cf0fc4} - c:\windows\system32\kgoywu.dll
BHO-{FC70B162-1C32-477B-B502-9CD562D81DD3} - c:\windows\system32\cbXNGaWN.dll
HKLM-Run-8c2c3db6 - c:\windows\system32\qamfekle.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.search.msn.com
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 10:36:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\0b478cc3-3af7-4bde-a732-4d7e91d252f4.tmp 0 bytes
c:\windows\TEMP\34e89813-2dac-4a20-ae74-070ee9f4afd8.tmp

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-11-09 10:43:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-09 15:43:09
ComboFix2.txt 2008-11-06 00:56:03

Pre-Run: 75,998,560,256 bytes free
Post-Run: 76,010,844,160 bytes free

212 --- E O F --- 2008-10-31 04:30:34


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:19 AM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182654790468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5256/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll kgoywu.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7440 bytes
 
Hi Bobby D
Sorry for the delayed response
Click to expand...
Ok no problem.
Would something like UnHackMe help?
Click to expand...
No ,because you computer is already infected

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: 
File::
c:\windows\system32\winwp.bm
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\Delete_Me_Dummy_karna.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScriptB-4.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform full scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found here:

    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Thanks peku006
 
Hey peku006

Before I get into the posting the logs, I wanted to let you know that after everything had scanned and I ran the logs, I then reactivated AVG. Not long after I did this, I received the following AVG alert:

Filename: C:\System Volume Information\restore{3DBD88D 2-9FFC-498B-A689-A4771362F918}\RP113\A0028200.EXE
Threat Name: Virus identified Win32/Virut.AE
Detected on open.


When I tried to heal it, I received the following message:
Healing not successful.

I have not received this notice since. Should I try running Anti-Malware again, but this time in safe mode? Just let me know, and thanks so much for the help.

Bobby

ComboFix

ComboFix 08-11-10.01 - CJ 2008-11-11 20:08:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1565 [GMT -5:00]
Running from: c:\documents and settings\CJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CJ\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\Delete_Me_Dummy_karna.dat
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\winwp.bm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Delete_Me_Dummy_karna.dat
c:\windows\system32\drivers\TDSSmqlt.sys

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-09 09:28 . 2008-11-09 09:28 <DIR> d-------- c:\program files\Webtools
2008-10-30 03:51 . 2008-11-08 11:56 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-30 03:44 . 2008-11-11 19:58 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-10-30 03:44 . 2008-10-30 03:44 <DIR> d-------- c:\program files\AVG
2008-10-30 03:44 . 2008-10-30 03:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-10-30 03:44 . 2008-10-30 03:44 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-10-30 03:44 . 2008-10-30 03:44 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-10-30 03:24 . 2008-10-30 03:26 <DIR> d-------- C:\SmitfraudFix
2008-10-30 03:22 . 2008-10-30 03:16 1,663,761 --a------ C:\SmitfraudFix.exe
2008-10-30 03:17 . 2008-10-30 03:24 3,378 --a------ c:\windows\system32\tmp.reg
2008-10-30 03:16 . 2007-09-05 22:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-10-30 03:16 . 2006-04-27 15:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-10-30 03:16 . 2008-09-08 21:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-10-30 03:16 . 2008-10-01 13:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-10-30 03:16 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-10-30 03:16 . 2008-05-18 19:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-10-30 03:16 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-10-30 03:16 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-10-30 03:16 . 2003-06-05 19:13 53,248 --a------ c:\windows\system32\Process.exe
2008-10-30 03:16 . 2004-07-31 16:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-10-30 03:16 . 2007-10-03 22:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-10-29 09:01 . 2008-10-29 09:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-29 08:03 . 2008-10-29 08:23 58 --a------ c:\windows\system32\winwp.bmp
2008-10-26 22:22 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-10-26 18:29 . 2008-10-26 18:29 <DIR> d-------- c:\windows\ERUNT
2008-10-26 18:27 . 2008-11-09 10:25 <DIR> d-------- C:\SDFix
2008-10-23 22:10 . 2004-08-03 23:10 85,376 --a------ c:\windows\system32\drivers\nabtsfec.sys.bak
2008-10-12 10:19 . 2008-10-15 22:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-12 10:19 . 2008-10-12 10:19 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 23:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 00:05 14,336 ----a-w c:\windows\system32\svchost.exe
2008-10-30 08:31 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2008-10-29 14:01 --------- d-----w c:\program files\Lavasoft
2008-10-29 13:59 --------- d-----w c:\documents and settings\CJ\Application Data\Lavasoft
2008-10-27 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-24 03:10 137,856 ----a-w c:\windows\system32\drivers\NABTSFEC.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\netapi32(2)(2).dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k(2)(3).sys
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
2008-08-28 10:04 333,056 ------w c:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:00 2,180,352 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:58 2,136,064 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 09:51 138,368 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-14 09:22 2,015,744 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2008-06-24 05:02 39,832 ----a-w c:\documents and settings\CJ\Application Data\GDIPFONTCACHEV1.DAT
2004-01-15 06:34 259,539,966 ----a-w c:\program files\Microsoft Office XP Publisher 2003.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-24 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-23 483328]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-30 1234712]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-19 c:\windows\system32\WDBtnMgr.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-10-19 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-30 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-30 231704]
R3 Angel;Angel MPEG Device;c:\windows\system32\DRIVERS\Angel.sys [2005-02-25 375936]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2006-09-07 10112]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Q]
\Shell\AutoRun\command - wd_windows_tools\setup.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 20:09:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 20:13:54
ComboFix-quarantined-files.txt 2008-11-12 01:13:52
ComboFix2.txt 2008-11-09 15:43:16
ComboFix3.txt 2008-11-06 00:56:03

Pre-Run: 75,679,641,600 bytes free
Post-Run: 75,731,386,368 bytes free

160 --- E O F --- 2008-10-31 04:30:34


Malwarebytes' Anti-Malware Log

Malwarebytes' Anti-Malware 1.30
Database version: 1385
Windows 5.1.2600 Service Pack 2

11/11/2008 11:52:50 PM
mbam-log-2008-11-11 (23-52-50).txt

Scan type: Full Scan (C:\|O:\|)
Objects scanned: 567241
Time elapsed: 3 hour(s), 32 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 222

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXNGaWN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcBQkHA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dfctxymo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kgoywu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qamfekle.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0018726.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0018735.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0018736.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0019735.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0019736.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0020735.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0020736.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0020742.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0020744.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0020746.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP101\A0020747.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020773.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020774.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020840.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020845.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020846.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020848.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020849.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020850.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0020844.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0021014.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP102\A0021015.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP103\A0021430.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023809.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023810.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023811.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023854.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023856.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023859.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023860.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP105\A0023855.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP108\A0025542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP112\A0028193.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028195.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028212.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028219.exe (Virus.Virut) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028221.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028223.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028226.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028227.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028228.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028229.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0028312.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0029312.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP113\A0029331.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP115\A0031592.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP115\A0031593.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP115\A0031601.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0031722.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0031745.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0031758.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0032077.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0032758.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0032760.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0032847.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP116\A0032849.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0036541.exe (Virus.Virut) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0036544.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037186.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037189.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037190.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037191.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037192.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037322.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037323.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037734.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037736.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037737.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037750.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037738.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037805.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037806.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037811.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037824.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0037839.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0038029.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0038036.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP117\A0038043.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040494.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040495.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040520.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040533.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040554.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040564.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040567.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040603.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040610.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP121\A0040598.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0040619.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0040620.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041329.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041512.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041555.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041573.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041579.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041583.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041584.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041767.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041777.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041781.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041782.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041783.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041784.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0041778.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042492.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042493.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042494.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042495.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042496.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042497.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042574.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042575.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042707.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042709.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042710.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042711.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042712.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042713.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042770.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042771.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042783.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042786.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042793.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042797.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0042798.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0043792.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0043793.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0043796.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0043828.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044042.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044045.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044046.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044053.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044071.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044055.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044063.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044064.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044073.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044074.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044076.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044081.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044083.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044084.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP122\A0044085.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044111.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044094.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044100.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044101.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044109.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044110.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP123\A0044115.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP124\A0044126.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP124\A0044127.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP124\A0044128.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP124\A0044130.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP124\A0046160.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046490.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046411.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046412.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046433.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046456.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046486.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046487.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046488.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046489.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046491.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046497.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0046511.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP125\A0048522.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP126\A0048540.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP126\A0049540.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP126\A0049541.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP126\A0050540.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP126\A0050589.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:19 PM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182654790468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5256/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7396 bytes
 
Hi Bobby D

Filename: C:\System Volume Information\restore{3DBD88D 2-9FFC-498B-A689-A4771362F918}\RP113\A0028200.EXE
Threat Name: Virus identified Win32/Virut.AE
Detected on open.
When I tried to heal it, I received the following message:
Healing not successful.
Click to expand...
it is in the C:\System Volume Information\restore, it means that it is one of your restore points.........we will clean that litle bit later

How antivirus software and System Restore work together

1 - Clean temp files

  • Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

    Under Main choose:

    • Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache
      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

2 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the Kaspersky online scanner report
2. a fresh HijackThis log
How is the computer running now?

Thanks peku006
 
Hey peku006

Things are performing well. I wouldn’t know there was anything wrong if each time I ran a program, it found something else. Oh well.

So, here are the logs:

Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 13, 2008 18:50:55
Records in database: 1383528
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\

Scan statistics:
Files scanned: 522603
Threat name: 7
Infected objects: 12
Suspicious objects: 5
Duration of the scan: 04:35:55


File name / Threat name / Threats count
C:\Documents and Settings\CJ\Application Data\Sun\Java\Deployment\cache\6.0\31\3c91455f-3785c818 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\CJ\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-5ba361c8 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\CJ\Application Data\Sun\Java\Deployment\cache\6.0\54\7c9afc76-658022e8 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\CJ\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\CJ\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\CJ\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\CJ\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 2
C:\Documents and Settings\CJ\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\CJ\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\CJ\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\CJ\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan.VBS.StartPage.bk 2
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:33 PM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182654790468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5256/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7421 bytes


Thanks!

Bobby
 
Hi Bobby
Code: 
I wouldn’t know there was anything wrong if each time I ran a program,
which program ?

Logs, looks good but let's run one online scan to be sure

first......

Empty these folders:
C:\Documents and Settings\CJ\Application Data\Sun\Java\Deployment\cache\6.0
C:\Documents and Settings\CJ\Local Settings\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\Microsoft\Outlook Express\Deleted Items
C:\Documents and Settings\CJ\Local Settings\Application Data\Microsoft\Outlook\archive

  1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
  2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
  3. Click on Accept to accept the License Agreement.
  4. Click on Custom Scan.
    • Under Virus Scan Options, select the Scan whole system option.
    • Under Other Scan Options, select these options:
      • Scan all files
      • Scan whole system for rootkits
      • Scan whole system for spyware
      • Scan inside archives
      • Use advanced heuristics
  5. Click Start.
  6. It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
  7. Click on I want decide item by item.
  8. Under Actions, select None for all infections found.
  9. Click Next.
  10. Click on Show Report.
  11. Please copy and paste this report in your next reply.
  12. Click Finish.

Thanks peku006
 
Hello!

Do you still need help

It has been three days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!
 
Hi Peku006-

I need just a little more time. Over the weekend, I think a banner ad on a website tried to install another Trojan on my computer. I used system restore, but there may be some residual. I'm busy dealing with some personal items, and will post logs up for you to see. I think the invasion came from ads on Mediafire.com.

Sorry for this. I don't want to be a burden anymore. Thanks for your help and patience. I'll try to have something for you tomorrow.

Once again, thanks for all the help.

Bobby
 
Hi peku006-

I'm sorry for the delay in response. I will run a scan of my cpu tomorrow. I've been busy moving.

Thanks.

Bobby
 
Hello!

Do you still need help

It has been six days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!
 
Hey peku006-

Things appear to be working well, but I continue getting AVG warnings about items in C:\System Volume Information\restore. It looks like I still have somthing stuck in System Restore like in a previous post.

Let me know your thoughts. Here is a HijackThis scan I just ran. Thanks - Bobby.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:13 AM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182654790468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5256/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7532 bytes
 
Hi Bobby D
The scans are fine and it looks like your machine is clean :)
I continue getting AVG warnings about items in C:\System Volume Information\restore
Click to expand...
Don't Worry.........
This will clear your System Volume Information restore points and remove all the infected files that were quarantined.........

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • CF_Cleanup.png
  • When shown the disclaimer, Select "2"

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.


Happy safe surfing! :bigthumb:
 
You must log in or register to reply here.
Back
Top