Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware - Win32:tratbho [trj] And Wn32:agent-psg [drp]


  • Please log in to reply
25 replies to this topic

#1 kuessedauern

kuessedauern

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 20 January 2008 - 04:41 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:26 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://studentmail.augustana.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedb.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\urqrqpp.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [7408876d] rundll32.exe "C:\WINDOWS\system32\sbqvhais.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - http://connect.comcast.com/dl/Comcast%20Ac...%20Controls.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198559936672
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\vtfbcuvq.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5343 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 26 January 2008 - 04:09 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and i'll be helping you to fix your problems.

Apologies for the late response,as i'm sure you can appreciate we are extremely busy.

If you've already recieved help at another forum and your issues have been resolved,or you're presently recieving help elsewhere then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help,please post a new Hijackthis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic,not as attachments,thanks.
Posted Image
Posted Image

#3 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 12:28 PM

My virus service (avast!) had been detection a Win32: TratBHO [Trj] infection about every five minutes, eventually the virus service stopped responding, and would not even start up. After running through the preparation guide and reinstalling avast!, the detections lessened, but now happen every so often. I am not sure if less files are being infected or if less infected files are being detected. It is usually a dll file with random letters in front of it (for example, mnnjnnxm.dll and olqwtwpl.dll) or in the past system files have been infected such as kernel32.dll or winsock.dll or wsock32.dll. everything is running sluggish, and odd problems keep happening. Frequently I will try to run a program or game and my monitor will turn off, as if my display driver malfunctioned. During my last full virus scan, my monitor did the same thing, and after a reboot, my computer had no record of the scan.
Here is a new log
Thank you for your help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:45 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://studentmail.augustana.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - http://connect.comcast.com/dl/Comcast%20Ac...%20Controls.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198559936672
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5318 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 28 January 2008 - 12:36 PM

If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 04:09 PM

i forgot to turn off my scheduled virus scan, and i think my computer ran one while I was in class. I am not sure, because I think it memory dumped, I came back to a blue screen. I restarted and ran combofix. here is the combofix log.

ComboFix 08-01-28.2 - Owner 2008-01-29 14:46:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -8:00]
Running from: C:\Documents and Settings\Owner.TOMMY\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\fnts~1
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\awqiassu.ini
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\siahvqbs.ini
C:\WINDOWS\system32\wnstsisu32.exe

----- BITS: Possible infected sites -----

hxxp://80.93.59.108
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 11:03 . 2008-01-29 11:04 <DIR> d-------- C:\ERDNT
2008-01-29 01:38 . 2004-08-03 21:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-29 01:05 . 2008-01-29 01:32 <DIR> d-------- C:\Backup
2008-01-28 23:34 . 2008-01-29 00:53 <DIR> d-------- C:\Documents and Settings\Owner.TOMMY\.housecall6.6
2008-01-28 23:32 . 2008-01-28 23:32 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 23:27 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 23:06 . 2008-01-25 23:06 <DIR> d-------- C:\Program Files\EA Games
2008-01-25 22:30 . 2008-01-25 22:39 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-01-25 22:30 . 2008-01-25 22:41 75,631 --a------ C:\WINDOWS\War3Unin.dat
2008-01-25 22:30 . 2008-01-25 22:39 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-01-25 22:27 . 2008-01-25 22:41 <DIR> d-------- C:\Program Files\Warcraft III
2008-01-25 20:21 . 2008-01-25 20:21 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-01-24 19:34 . 2008-01-24 21:49 <DIR> d-------- C:\Documents and Settings\Owner.TOMMY\Application Data\Canon
2008-01-24 18:58 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-24 18:58 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-24 18:50 . 2008-01-24 18:50 <DIR> d-------- C:\Documents and Settings\Owner.TOMMY\Application Data\ScanSoft
2008-01-24 18:50 . 2008-01-24 18:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanWizard
2008-01-24 18:50 . 2008-01-24 18:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
2008-01-24 18:50 . 2008-01-24 18:50 532 --a------ C:\WINDOWS\MAXLINK.INI
2008-01-24 17:10 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-01-23 05:40 . 2008-01-29 14:34 <DIR> d-------- C:\Program Files\Steam
2008-01-23 04:20 . 2008-01-23 04:20 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-22 04:17 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-22 04:17 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-22 04:17 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-22 04:17 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-22 04:17 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-22 04:17 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 04:16 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-22 04:16 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-20 04:25 . 2008-01-20 04:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 04:25 . 2008-01-20 04:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-20 04:24 . 2008-01-22 04:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 03:43 . 2008-01-20 03:43 <DIR> d-------- C:\Deckard
2008-01-20 03:30 . 2008-01-20 03:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 01:02 . 2008-01-17 01:02 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-17 00:28 . 2008-01-28 18:05 <DIR> d-------- C:\VundoFix Backups
2008-01-14 01:00 . 2008-01-14 01:00 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 22:53 . 2008-01-13 22:53 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-13 22:53 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-13 14:03 . 2008-01-13 14:16 <DIR> d-------- C:\Program Files\Sierra
2008-01-06 22:49 . 2008-01-06 23:10 <DIR> d-------- C:\Documents and Settings\Owner.TOMMY\Application Data\U3
2008-01-06 15:15 . 2008-01-06 15:15 66 --a------ C:\WINDOWS\wininit.ini
2008-01-06 01:25 . 2007-11-20 11:09 104,320 --a------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2008-01-06 01:18 . 2008-01-06 01:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
2008-01-03 12:23 . 2007-07-09 05:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-03 12:23 . 2006-08-14 02:34 332,928 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-01-03 12:22 . 2007-06-13 02:23 1,033,216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-01-03 12:22 . 2007-05-17 03:28 549,376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2008-01-03 12:21 . 2007-04-25 06:21 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2007-12-30 14:32 . 2006-06-21 21:06 1,435,648 -----c--- C:\WINDOWS\system32\dllcache\query.dll
2007-12-30 14:32 . 2006-06-21 21:06 69,120 -----c--- C:\WINDOWS\system32\dllcache\ciodm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 09:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-29 07:27 --------- d-----w C:\Program Files\Java
2008-01-27 11:21 --------- d-----w C:\Program Files\Max Payne
2008-01-26 05:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 05:07 --------- d-----w C:\Program Files\Microsoft Games
2008-01-26 04:03 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-01-26 04:03 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-01-26 04:03 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-01-25 02:50 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-01-22 11:52 --------- d-----w C:\Program Files\Soulseek
2008-01-20 12:13 --------- d-----w C:\Program Files\iTunes
2008-01-20 11:37 --------- d-----w C:\Program Files\PowerISO
2008-01-14 06:34 --------- d-----w C:\Program Files\DivX
2008-01-13 09:56 --------- d-----w C:\Documents and Settings\Owner.TOMMY\Application Data\uTorrent
2008-01-08 01:13 --------- d-----w C:\Program Files\Trillian
2008-01-06 09:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-02 22:59 --------- d-----w C:\Program Files\MagicISO
2007-12-27 22:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Age of Empires 3
2007-12-27 03:13 --------- d-----w C:\Program Files\ATI Technologies
2007-12-27 03:01 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-26 06:33 --------- d-----w C:\Program Files\uTorrent
2007-12-25 20:32 --------- d-----w C:\Program Files\Netflix
2007-12-25 18:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-12-25 18:47 --------- d-----w C:\Program Files\MSBuild
2007-12-25 18:47 --------- d-----w C:\Program Files\Microsoft Works
2007-12-25 18:11 --------- d-----w C:\Documents and Settings\Owner.TOMMY\Application Data\AdobeUM
2007-12-25 05:33 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-25 01:17 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 22:17 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\SETD6.tmp
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\SETE2.tmp
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\SETE4.tmp
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\SETE0.tmp
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\SETDE.tmp
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\SETDA.tmp
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\SETDC.tmp
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\SETE6.tmp
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\SETE8.tmp
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\SETD8.tmp
2007-12-02 11:19 --------- d-----w C:\Documents and Settings\Steve\Application Data\InterVideo
2007-11-29 02:28 --------- d-----w C:\Program Files\QuickTime
2007-11-29 02:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-11-29 02:10 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-01-16 21:26 774,144 ----a-w C:\Program Files\RngInterstitial.dll
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
<pre>
----a-w		   267,048 2008-01-20 11:08:47  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			31,016 2008-01-20 11:08:47  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w		   200,704 2008-01-20 11:08:47  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w			15,360 2008-01-14 09:00:03  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-29 07:51 1266936]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

R0 nvp2p;NVIDIA PCI to PCI Bridge Filter;C:\WINDOWS\system32\DRIVERS\nvp2p.sys [2003-12-23 19:37]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);C:\WINDOWS\system32\DRIVERS\SMCWGU.sys [2005-12-15 19:41]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 05:54:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 14:50:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-29 14:51:09
ComboFix-quarantined-files.txt 2008-01-29 22:50:55
.
2008-01-29 09:51:06 --- E O F ---


Here is the Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:21 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://studentmail.augustana.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - http://connect.comcast.com/dl/Comcast%20Ac...%20Controls.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198559936672
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5278 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 28 January 2008 - 04:20 PM

Copy and paste ALL the following text in the code box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.
RenV::
----a-w		   267,048 2008-01-20 11:08:47  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			31,016 2008-01-20 11:08:47  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w		   200,704 2008-01-20 11:08:47  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w			15,360 2008-01-14 09:00:03  C:\WINDOWS\system32\ctfmon .exe
Now drag then drop the CFScript file into ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Posted Image
Posted Image

#7 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 04:29 PM

I ran it with the code (I double checked that I copied and saved it all correctly) and combofix started then a dos window flashed twice and nothing else happened. It did not reboot or produce a log.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 28 January 2008 - 04:31 PM

Ok,lets try this instead:
Download RenV.exe to your desktop,double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When its finished it will produce a Log.
Please post the contents of that Log into your next reply.
Posted Image
Posted Image

#9 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 04:35 PM

Ran on Tue 01/29/2008 - 15:32:20.67



----a-w		   267,048 2008-01-20 11:08:47  C:\Program Files\iTunes\iTunesHelper .exe

----a-w			31,016 2008-01-20 11:08:47  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe

----a-w		   200,704 2008-01-20 11:08:47  C:\Program Files\PowerISO\PWRISOVM .EXE

----a-w			15,360 2008-01-14 09:00:03  C:\WINDOWS\system32\ctfmon .exe



 Entries:				4  (4)

 Directories:			0  Files:			 4

 Bytes:			514,128  Blocks:		1,005


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 28 January 2008 - 04:39 PM

Posted Image
Refering to the picture above, drag Log.txt into RenV.exe
When finished, it shall produce a new log for you.
Post that log in your next reply please.
Posted Image
Posted Image

#11 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 04:58 PM

Ran on Tue 01/29/2008 - 15:55:56.50



 Entries:				0  (0)

 Directories:			0  Files:			 0

 Bytes:				  0  Blocks:			0


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:48 AM

Posted 28 January 2008 - 05:00 PM

That got it,you're doing great :thumbsup:

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.It does not provide an option to clean/disinfect,i need to see the scan results.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work,try this:
http://www.kaspersky.com/kos/english/kavwebscan.html
Posted Image
Posted Image

#13 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 08:32 PM

A very large amount of the objects/files were locked
so the log is too long to post, should I send it as an attachment, or post it in parts?
The is the beginning of the log, before it lists all the objects that were locked, and as a result skipped.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 7:18:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/01/2008
Kaspersky Anti-Virus database records: 499561
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 110606
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:41:31

#14 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 08:49 PM

Several months back my computer crashed while updating (sorry I did not mention it earlier, this computer has crashed more often than not, and I tend to not even remember most of them.) This is why I mention it though, because I remember trying to run it in safe mode and that caused it to fail to startup, and it would not start windows again. My brother reinstalled windows, and I had thought he formatted the hard drive, but I think he just did a repair installation, or reinstalled windows over it. I am not sure.

But many of these files look to be the ones that were "lost" during that crash. Somewhere since a couple months back I recovered what I needed from backups so I do not need to recover any of them them, but I would like them off my computer if that is possible.

Edited by kuessedauern, 28 January 2008 - 09:06 PM.


#15 kuessedauern

kuessedauern
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago
  • Local time:07:48 PM

Posted 28 January 2008 - 10:03 PM

This is towards the very end of the log and contains the 3 infected files that are not locked, Otherwise it is a ridiculously long list of files that were relocated to C:\found.001 or C:\found.000 or are now in my My Documents folder due to the previous half recovery.


C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\iTunes\trz8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\Microsoft Office\Office12\trz9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Program Files\PowerISO\trzA.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2D7FF277-875A-4636-9115-EF1F57EF1A30}\RP24\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F69DB521-6613-425B-9E61-B24EE9999FE0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_538.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users