Possible Trojan:virtumonde Virus


15 replies to this topic

#1 hooligan_69


Posted 02 May 2008 - 03:03 PM

Hi
I seem to be having problems with my new computer that I suffered with on my laptop. Last time, the technician was able to assist me. A few days ago my computer just slowed right down, then Mozilla went funny (wouldn't load pages) and then Internet Explorer windows kept popping up offering me dubious products. I ran the anti-virus program in safe mode and thought I had got rid of it, but it seems to have come back. Can you help? Please find a copy of my DSS log.
Many thanks
Deckard's System Scanner v20071014.68
Run by Patrick on 2008-05-02 20:51:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as Patrick.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:58, on 02/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Users\Patrick\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Patrick.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] gun2.19.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5923 bytes

-- Files created between 2008-04-02 and 2008-05-02 -----------------------------

2008-05-02 20:16:25 0 d-------- C:\inetpub
2008-04-29 16:29:19 0 d-------- C:\Program Files\MSXML 4.0
2008-04-28 20:04:31 0 --a------ C:\ntuser.dat
2008-04-28 18:07:04 80128 -ra------ C:\Windows\system32\drivers\savonaccesscontrol.sys <Not Verified; Sophos plc; Sophos Anti-Virus for Windows XP, 2000, 2003>
2008-04-28 18:06:50 0 d-------- C:\Program Files\Sophos
2008-04-28 18:03:06 24064 -ra------ C:\Windows\system32\drivers\savonaccessfilter.sys <Not Verified; Sophos plc; Sophos Anti-Virus for Windows XP, 2000, 2003>
2008-04-28 17:22:50 0 d-------- C:\Program Files\Enigma Software Group
2008-04-28 17:13:01 0 d-------- C:\Program Files\Trend Micro
2008-04-26 01:02:28 0 d-------- C:\Program Files\VSTplugins
2008-04-26 00:50:33 0 d-------- C:\Windows\system32\URTTEMP
2008-04-26 00:46:48 0 d-------- C:\Program Files\Sony Setup
2008-04-25 18:00:05 0 d-------- C:\Program Files\Java
2008-04-25 17:59:10 0 d-------- C:\Program Files\Common Files\Java
2008-04-25 17:58:49 0 d-------- C:\Program Files\LimeWire
2008-04-25 17:58:08 40448 --a------ C:\Windows\system32\geBRjhET.dll
2008-04-25 17:58:01 39936 --a------ C:\Windows\system32\awtUoolL.dll
2008-04-23 16:26:21 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-23 16:17:41 0 d-------- C:\Program Files\SopCast
2008-04-23 16:10:01 0 d-------- C:\Program Files\CCleaner
2008-04-18 00:19:18 0 d-------- C:\Program Files\Ubisoft
2008-04-15 19:19:40 0 d-------- C:\PerfLogs
2008-04-14 17:31:09 0 d-------- C:\Extras
2008-04-14 17:31:09 0 d-------- C:\Autorun
2008-04-14 02:12:26 164352 --a------ C:\Windows\system32\unrar.dll
2008-04-14 02:12:23 217088 --a------ C:\Windows\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-04-14 02:12:23 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-04-14 02:12:22 159839 --a------ C:\Windows\system32\xvidvfw.dll
2008-04-14 02:12:22 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-04-14 02:12:20 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-04-14 02:06:33 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-14 02:06:26 0 d-------- C:\Program Files\DivX
2008-04-13 13:17:24 0 d-------- C:\Program Files\Firaxis Games
2008-04-13 01:35:42 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-12 21:18:37 0 d-------- C:\Program Files\PPStream
2008-04-12 21:07:02 0 d-------- C:\Windows\PCHEALTH
2008-04-12 21:01:08 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-12 21:00:47 0 d-------- C:\Program Files\Windows Live
2008-04-12 17:37:48 0 d-------- C:\Program Files\DreamCatcher
2008-04-12 16:20:14 0 d-------- C:\Program Files\Alwil Software
2008-04-12 16:14:07 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-04-12 16:09:52 0 d-------- C:\Program Files\WinAce
2008-04-12 15:53:07 0 d-------- C:\Program Files\uTorrent
2008-04-12 15:24:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-12 15:19:22 0 d-------- C:\Program Files\Real
2008-04-12 15:19:21 0 d-------- C:\Program Files\Common Files\Real
2008-04-12 15:13:54 0 d-------- C:\Program Files\Spyware Doctor
2008-04-12 15:11:38 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-12 15:04:43 0 d-------- C:\Program Files\Norton Security Scan
2008-04-12 15:04:04 0 d-------- C:\Program Files\Google
2008-04-12 14:52:04 0 d-------- C:\Program Files\THQ
2008-04-12 01:23:45 43520 --a------ C:\Windows\system32\CmdLineExt03.dll
2008-04-12 01:20:17 0 d-------- C:\Program Files\Ground Control II
2008-04-11 22:14:00 18061 --a------ C:\Windows\War3Unin.dat
2008-04-11 22:13:59 2829 --a------ C:\Windows\War3Unin.pif
2008-04-11 22:13:59 126976 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-04-11 22:11:28 0 d-------- C:\Program Files\Warcraft III
2008-04-11 22:04:59 4790 --a------ C:\Users\Patrick\ffdshow.reg
2008-04-11 20:56:46 0 d--hs---- C:\Windows\Installer
2008-04-11 20:56:35 0 dr------- C:\Users\Patrick\Searches
2008-04-11 20:56:25 0 dr------- C:\Users\Patrick\Contacts
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Templates
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Start Menu
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\SendTo
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Recent
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\PrintHood
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\NetHood
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\My Documents
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Local Settings
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Cookies
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Application Data
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Videos
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Saved Games
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Pictures
2008-04-11 20:56:09 2097152 --ahs---- C:\Users\Patrick\NTUSER.DAT
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Music
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Links
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Favorites
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Downloads
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Documents
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Desktop
2008-04-11 20:56:09 0 d--h----- C:\Users\Patrick\AppData
2008-04-11 20:46:15 0 d-------- C:\Windows\SoftwareDistribution
2008-04-11 20:42:59 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-04-27 21:15:37 0 d-------- C:\Users\Patrick\AppData\Roaming\LimeWire
2008-04-27 20:00:28 0 d-------- C:\Users\Patrick\AppData\Roaming\uTorrent
2008-04-27 20:00:27 0 d-------- C:\Users\Patrick\AppData\Roaming\DAEMON Tools
2008-04-27 20:00:23 0 d-------- C:\Program Files\Common Files
2008-04-26 01:02:23 0 d-------- C:\Users\Patrick\AppData\Roaming\DivX
2008-04-26 01:02:21 0 d-------- C:\Users\Patrick\AppData\Roaming\Publish Providers
2008-04-26 00:58:53 0 d-------- C:\Users\Patrick\AppData\Roaming\Sony
2008-04-18 00:19:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-17 14:00:53 0 d-------- C:\Users\Patrick\AppData\Roaming\Adobe
2008-04-15 19:28:40 174 --ahs---- C:\Program Files\desktop.ini
2008-04-15 19:21:01 0 d-------- C:\Program Files\Windows Calendar
2008-04-15 19:21:00 0 d-------- C:\Program Files\Windows Sidebar
2008-04-15 19:21:00 0 d-------- C:\Program Files\Windows Mail
2008-04-15 19:21:00 0 d-------- C:\Program Files\Movie Maker
2008-04-15 19:20:59 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-15 19:20:59 0 d-------- C:\Program Files\Windows Journal
2008-04-15 19:20:59 0 d-------- C:\Program Files\Windows Collaboration
2008-04-15 19:20:56 0 d-------- C:\Program Files\Windows Defender
2008-04-14 01:41:51 0 d-------- C:\Users\Patrick\AppData\Roaming\Media Player Classic
2008-04-13 21:31:08 0 d-------- C:\Users\Patrick\AppData\Roaming\My Games
2008-04-12 21:20:39 0 d-------- C:\Users\Patrick\AppData\Roaming\ppstream
2008-04-12 15:24:41 0 d-------- C:\Users\Patrick\AppData\Roaming\Real
2008-04-12 15:15:15 0 d-------- C:\Users\Patrick\AppData\Roaming\Google
2008-04-12 15:13:54 0 d-------- C:\Users\Patrick\AppData\Roaming\PC Tools
2008-04-12 15:11:57 0 d-------- C:\Users\Patrick\AppData\Roaming\Macromedia
2008-04-12 15:07:01 0 d-------- C:\Users\Patrick\AppData\Roaming\Talkback
2008-04-12 15:06:53 0 d-------- C:\Users\Patrick\AppData\Roaming\Mozilla
2008-04-12 03:04:08 0 d-------- C:\Users\Patrick\AppData\Roaming\CyberLink
2008-04-11 21:02:05 0 d-------- C:\Users\Patrick\AppData\Roaming\AdobeUM
2008-04-11 20:56:28 0 d-------- C:\Users\Patrick\AppData\Roaming\Identities
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 22:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 22:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 22:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-21 21:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 21:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 21:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 21:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [10/04/2007 10:01 C:\Windows\RtHDVCpl.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 18:37]
"Skytel"="Skytel.exe" [04/04/2007 11:22 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/09/2007 05:28]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/09/2007 05:28]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/09/2007 05:28]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [01/02/2008 12:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"Reminder_MUI"="C:\Applications\oem\Reminder\Reminder_MUI.exe" [20/07/2007 10:15]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Updates"=gun2.19.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [5/12/2005 10:22:28 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
iissvcs w3svc was
apphost apphostsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-02 20:53:41 ------------

#2 Rahina


Posted 02 May 2008 - 03:15 PM

Hello! And welcome!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Avast! or Sophos.

==============

Next, please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :thumbsup:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 hooligan_69


Posted 02 May 2008 - 05:47 PM

As instructed, I've copied and pasted the log file below.

Many thanks
Malwarebytes' Anti-Malware 1.11
Database version: 709

Scan type: Quick Scan
Objects scanned: 29949
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\awtUoolL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\geBRjhET.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 Rahina


Posted 03 May 2008 - 01:07 AM

Good!

Could you please re-run Deckard's System Scanner and post the results?

#5 hooligan_69


Posted 03 May 2008 - 10:03 AM

Deckard's System Scanner v20071014.68
Run by Patrick on 2008-05-03 10:39:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as Patrick.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:06, on 03/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Patrick\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Patrick.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] gun2.19.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5215 bytes

-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-02 23:38:43 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-02 20:16:25 0 d-------- C:\inetpub
2008-04-29 16:29:19 0 d-------- C:\Program Files\MSXML 4.0
2008-04-28 20:04:31 0 --a------ C:\ntuser.dat
2008-04-28 18:07:04 80128 -ra------ C:\Windows\system32\drivers\savonaccesscontrol.sys <Not Verified; Sophos plc; Sophos Anti-Virus for Windows XP, 2000, 2003>
2008-04-28 18:06:50 0 d-------- C:\Program Files\Sophos
2008-04-28 18:03:06 24064 -ra------ C:\Windows\system32\drivers\savonaccessfilter.sys <Not Verified; Sophos plc; Sophos Anti-Virus for Windows XP, 2000, 2003>
2008-04-28 17:22:50 0 d-------- C:\Program Files\Enigma Software Group
2008-04-28 17:13:01 0 d-------- C:\Program Files\Trend Micro
2008-04-26 01:02:28 0 d-------- C:\Program Files\VSTplugins
2008-04-26 00:50:33 0 d-------- C:\Windows\system32\URTTEMP
2008-04-26 00:46:48 0 d-------- C:\Program Files\Sony Setup
2008-04-25 18:00:05 0 d-------- C:\Program Files\Java
2008-04-25 17:59:10 0 d-------- C:\Program Files\Common Files\Java
2008-04-25 17:58:49 0 d-------- C:\Program Files\LimeWire
2008-04-23 16:26:21 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-23 16:17:41 0 d-------- C:\Program Files\SopCast
2008-04-23 16:10:01 0 d-------- C:\Program Files\CCleaner
2008-04-18 00:19:18 0 d-------- C:\Program Files\Ubisoft
2008-04-15 19:19:40 0 d-------- C:\PerfLogs
2008-04-14 17:31:09 0 d-------- C:\Extras
2008-04-14 17:31:09 0 d-------- C:\Autorun
2008-04-14 02:12:26 164352 --a------ C:\Windows\system32\unrar.dll
2008-04-14 02:12:23 217088 --a------ C:\Windows\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-04-14 02:12:23 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-04-14 02:12:22 159839 --a------ C:\Windows\system32\xvidvfw.dll
2008-04-14 02:12:22 7680 --a------ C:\Windows\system32\ff_vfw.dll
2008-04-14 02:12:20 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-04-14 02:06:33 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-14 02:06:26 0 d-------- C:\Program Files\DivX
2008-04-13 13:17:24 0 d-------- C:\Program Files\Firaxis Games
2008-04-13 01:35:42 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-12 21:18:37 0 d-------- C:\Program Files\PPStream
2008-04-12 21:07:02 0 d-------- C:\Windows\PCHEALTH
2008-04-12 21:01:08 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-12 21:00:47 0 d-------- C:\Program Files\Windows Live
2008-04-12 17:37:48 0 d-------- C:\Program Files\DreamCatcher
2008-04-12 16:20:14 0 d-------- C:\Program Files\Alwil Software
2008-04-12 16:14:07 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-04-12 16:09:52 0 d-------- C:\Program Files\WinAce
2008-04-12 15:53:07 0 d-------- C:\Program Files\uTorrent
2008-04-12 15:24:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-12 15:19:22 0 d-------- C:\Program Files\Real
2008-04-12 15:19:21 0 d-------- C:\Program Files\Common Files\Real
2008-04-12 15:13:54 0 d-------- C:\Program Files\Spyware Doctor
2008-04-12 15:11:38 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-12 15:04:43 0 d-------- C:\Program Files\Norton Security Scan
2008-04-12 15:04:04 0 d-------- C:\Program Files\Google
2008-04-12 14:52:04 0 d-------- C:\Program Files\THQ
2008-04-12 01:23:45 43520 --a------ C:\Windows\system32\CmdLineExt03.dll
2008-04-12 01:20:17 0 d-------- C:\Program Files\Ground Control II
2008-04-11 22:14:00 18061 --a------ C:\Windows\War3Unin.dat
2008-04-11 22:13:59 2829 --a------ C:\Windows\War3Unin.pif
2008-04-11 22:13:59 126976 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-04-11 22:11:28 0 d-------- C:\Program Files\Warcraft III
2008-04-11 22:04:59 4790 --a------ C:\Users\Patrick\ffdshow.reg
2008-04-11 20:56:46 0 d--hs---- C:\Windows\Installer
2008-04-11 20:56:35 0 dr------- C:\Users\Patrick\Searches
2008-04-11 20:56:25 0 dr------- C:\Users\Patrick\Contacts
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Templates
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Start Menu
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\SendTo
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Recent
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\PrintHood
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\NetHood
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\My Documents
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Local Settings
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Cookies
2008-04-11 20:56:10 0 d--hs---- C:\Users\Patrick\Application Data
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Videos
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Saved Games
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Pictures
2008-04-11 20:56:09 2097152 --ahs---- C:\Users\Patrick\NTUSER.DAT
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Music
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Links
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Favorites
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Downloads
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Documents
2008-04-11 20:56:09 0 dr------- C:\Users\Patrick\Desktop
2008-04-11 20:56:09 0 d--h----- C:\Users\Patrick\AppData
2008-04-11 20:46:15 0 d-------- C:\Windows\SoftwareDistribution
2008-04-11 20:42:59 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-05-02 23:38:50 0 d-------- C:\Users\Patrick\AppData\Roaming\Malwarebytes
2008-04-27 21:15:37 0 d-------- C:\Users\Patrick\AppData\Roaming\LimeWire
2008-04-27 20:00:28 0 d-------- C:\Users\Patrick\AppData\Roaming\uTorrent
2008-04-27 20:00:27 0 d-------- C:\Users\Patrick\AppData\Roaming\DAEMON Tools
2008-04-27 20:00:23 0 d-------- C:\Program Files\Common Files
2008-04-26 01:02:23 0 d-------- C:\Users\Patrick\AppData\Roaming\DivX
2008-04-26 01:02:21 0 d-------- C:\Users\Patrick\AppData\Roaming\Publish Providers
2008-04-26 00:58:53 0 d-------- C:\Users\Patrick\AppData\Roaming\Sony
2008-04-18 00:19:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-17 14:00:53 0 d-------- C:\Users\Patrick\AppData\Roaming\Adobe
2008-04-15 19:28:40 174 --ahs---- C:\Program Files\desktop.ini
2008-04-15 19:21:01 0 d-------- C:\Program Files\Windows Calendar
2008-04-15 19:21:00 0 d-------- C:\Program Files\Windows Sidebar
2008-04-15 19:21:00 0 d-------- C:\Program Files\Windows Mail
2008-04-15 19:21:00 0 d-------- C:\Program Files\Movie Maker
2008-04-15 19:20:59 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-15 19:20:59 0 d-------- C:\Program Files\Windows Journal
2008-04-15 19:20:59 0 d-------- C:\Program Files\Windows Collaboration
2008-04-15 19:20:56 0 d-------- C:\Program Files\Windows Defender
2008-04-14 01:41:51 0 d-------- C:\Users\Patrick\AppData\Roaming\Media Player Classic
2008-04-13 21:31:08 0 d-------- C:\Users\Patrick\AppData\Roaming\My Games
2008-04-12 21:20:39 0 d-------- C:\Users\Patrick\AppData\Roaming\ppstream
2008-04-12 15:24:41 0 d-------- C:\Users\Patrick\AppData\Roaming\Real
2008-04-12 15:15:15 0 d-------- C:\Users\Patrick\AppData\Roaming\Google
2008-04-12 15:13:54 0 d-------- C:\Users\Patrick\AppData\Roaming\PC Tools
2008-04-12 15:11:57 0 d-------- C:\Users\Patrick\AppData\Roaming\Macromedia
2008-04-12 15:07:01 0 d-------- C:\Users\Patrick\AppData\Roaming\Talkback
2008-04-12 15:06:53 0 d-------- C:\Users\Patrick\AppData\Roaming\Mozilla
2008-04-12 03:04:08 0 d-------- C:\Users\Patrick\AppData\Roaming\CyberLink
2008-04-11 21:02:05 0 d-------- C:\Users\Patrick\AppData\Roaming\AdobeUM
2008-04-11 20:56:28 0 d-------- C:\Users\Patrick\AppData\Roaming\Identities
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 22:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 22:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 22:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-21 21:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 21:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 21:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 21:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [10/04/2007 10:01 C:\Windows\RtHDVCpl.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"Skytel"="Skytel.exe" [04/04/2007 11:22 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/09/2007 05:28]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/09/2007 05:28]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/09/2007 05:28]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [01/02/2008 12:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"Reminder_MUI"="C:\Applications\oem\Reminder\Reminder_MUI.exe" [20/07/2007 10:15]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Updates"=gun2.19.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [5/12/2005 10:22:28 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
iissvcs w3svc was
apphost apphostsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-03 10:41:38 ------------

#6 Rahina
Security Helper
Members, 681 posts
Gender: Male
Location: Finland
Local time: 05:55 AM

Posted 03 May 2008 - 12:22 PM

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Directory"
    o Enter Drive C:\
  • In the box labeled "File"
    o Enter the file gun2.19.exe
  • Now click on the "Search" button
  • Once the utility has found the files click on "Export"
  • A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
  • NOTE: The notepad is saved on your C:\ drive as "Export.txt"
Post back a new HijackThis log along with the Export.txt

============

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Turn off the real time scanner of any existing antivirus program while performing the online scan
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.

Let me know the results.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.
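The entry the helper is chasing, `RunServices: [Microsoft Updates] gun2.19.exe`, is a bare file name with no path in a key that NT-based Windows (including Vista) does not process at logon; the RunServices key is a Windows 9x leftover that malware still writes for compatibility, and HijackThis lists it because it is a known autostart location. The practical check is therefore the one FileFind performs (does a file by that name exist anywhere on the disk?) extended to every classic Run-style key: resolve each value to an executable the way CreateProcess would, and report values whose image does not exist or is unsigned. The following PowerShell script is an added example written for this page, not code from the thread, from Rahina, or from any of the tools mentioned; the file name gun2.19.exe is the one quoted in the log, and all helper names are this example's own.

```powershell
# Added example (not from the BleepingComputer thread): triage Run/RunOnce/RunServices
# autostart values by resolving each command to an on-disk image and reporting
# orphaned (file not found) and unsigned entries. Run from an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',   # 9x-era key, seen in the log
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutostartImage {
    param([string]$Command)
    # Take the first token of the command line (quoted path or bare word); that is the
    # image the value actually launches (for RUNDLL32 values this is rundll32.exe itself).
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"') { $image = $Matches[1] }
    else { $image = ($cmd -split '\s+')[0] }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    if ([IO.Path]::IsPathRooted($image)) {
        if (Test-Path $image) { return $image } else { return $null }
    }
    # A bare file name (e.g. gun2.19.exe) is resolved like CreateProcess would:
    # System32, then the Windows directory, then each PATH entry.
    $searchDirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';')
    foreach ($d in $searchDirs) {
        if ($d -and (Test-Path (Join-Path $d $image))) { return (Join-Path $d $image) }
    }
    return $null      # resolves nowhere: an orphaned value
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            if ($p.Value -isnot [string]) { continue }      # ignore binary/DWORD values
            $image = Resolve-AutostartImage $p.Value
            if ($image) {
                $sig = Get-AuthenticodeSignature -FilePath $image
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $status = "$($sig.Status) $signer".Trim()
            } else {
                $status = 'ORPHANED (image not found on disk)'
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Image   = $image
                Status  = $status
            }
        }
    }
}

# Print everything, then the entries worth a second look.
$report = Get-AutostartReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -like 'ORPHANED*' -or $_.Status -like 'NotSigned*' } |
    Format-List Key, Name, Command, Status
```

An ORPHANED result for "Microsoft Updates" matches FileFind's "0 Files found": the loader the value pointed at is gone (or never existed on this path), and the value itself is what remains to be removed. An entry that resolves to a real, unsigned binary in a user-writable directory is the opposite case and should be submitted to a scanner before it is deleted, since the file, not the registry value, is the evidence.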

#7 hooligan_69
Topic Starter
Members, 22 posts
Local time: 01:55 AM

Posted 03 May 2008 - 02:30 PM

I got this response from filefind
0 Files found in 15430 Directories
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:55:56, on 03/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\Patrick\Desktop\FileFind\FileFind.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] gun2.19.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 5547 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 03, 2008 8:12:51 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 659580
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
F:\
G:\
H:\
I:\
S:\

Scan Statistics:
Total number of scanned objects: 89529
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:59:58

Infected Object Name / Virus Name / Last Action
C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.ilg Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\00d1a3cc1e325dded65df06a1439782a_1480f343-1a48-4174-b19e-97d0f0f1136b Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\6de9cb26d2b98c01ec4e9e8b34824aa2_1480f343-1a48-4174-b19e-97d0f0f1136b Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\76944fb33636aeddb9590521c2e8815a_1480f343-1a48-4174-b19e-97d0f0f1136b Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d6d986f09a1ee04e24c949879fdb506c_1480f343-1a48-4174-b19e-97d0f0f1136b Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\bootstrap.xml Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\factory.xml Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\Config\storebootstrap.xml Object is locked skipped
C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\UsrClass.dat{1379956d-0800-11dd-b39c-001c252bc72e}.TM.blf Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\UsrClass.dat{1379956d-0800-11dd-b39c-001c252bc72e}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows\UsrClass.dat{1379956d-0800-11dd-b39c-001c252bc72e}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Messenger\patrick_jardine@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Messenger\patrick_jardine@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Messenger\patrick_jardine@hotmail.com\SharingMetadata\Working\database_1414_E165_14E1_49F6\dfsr.db Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Messenger\patrick_jardine@hotmail.com\SharingMetadata\Working\database_1414_E165_14E1_49F6\fsr.log Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Messenger\patrick_jardine@hotmail.com\SharingMetadata\Working\database_1414_E165_14E1_49F6\tmp.edb Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows Defender\FileTracker\{C488C9A8-51EB-455A-BDDC-1F1B27ED5BEB} Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows Live Contacts\patrick_jardine@hotmail.com\real\members.stg Object is locked skipped
C:\Users\Patrick\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Patrick\AppData\Local\Mozilla\Firefox\Profiles\j8ntcaxy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Patrick\AppData\Local\Mozilla\Firefox\Profiles\j8ntcaxy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Patrick\AppData\Local\Mozilla\Firefox\Profiles\j8ntcaxy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Patrick\AppData\Local\Mozilla\Firefox\Profiles\j8ntcaxy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Patrick\AppData\Local\Mozilla\Firefox\Profiles\j8ntcaxy.default\XUL.mfl Object is locked skipped
C:\Users\Patrick\AppData\Local\Temp\~DF9E8E.tmp Object is locked skipped
C:\Users\Patrick\AppData\Local\Temp\~DF9E99.tmp Object is locked skipped
C:\Users\Patrick\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\cert8.db Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\formhistory.dat Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\history.dat Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\key3.db Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\parent.lock Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\search.sqlite Object is locked skipped
C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\j8ntcaxy.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Patrick\Documents\Downloads\LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program].rar/LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program]/LimeWireWin.exe/data0000.cab/is153017.exe Infected: Packed.Win32.Monder.gen skipped
C:\Users\Patrick\Documents\Downloads\LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program].rar/LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program]/LimeWireWin.exe/data0000.cab Infected: Packed.Win32.Monder.gen skipped
C:\Users\Patrick\Documents\Downloads\LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program].rar/LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program]/LimeWireWin.exe Infected: Packed.Win32.Monder.gen skipped
C:\Users\Patrick\Documents\Downloads\LimeWire PROFESSIONAL 4.17.5 - LATEST Edition [Your ULTIMATE File Sharing Program].rar RAR: infected - 3 skipped
C:\Users\Patrick\NTUSER.DAT Object is locked skipped
C:\Users\Patrick\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Patrick\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Patrick\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Patrick\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Patrick\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\iis7.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{AC984627-ED70-42EB-B143-090F99F1B1DF}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\040270F850D5C3C91057DDDA2DA294D8.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0D2F0E92A0408E7EC817B6CE065232EC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0DF617D6737A7561E732F853792261C3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\1E2E58C73053C7775EB226DB5E739137.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2A811E5CCC22CC9D7AE2B04EF0402688.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2AA23BB86A5EBD8BC2D820944E55B233.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2B8B1A8B0ACD3EE28B421D3918DC1F29.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2CE523184A801AA7361A7039E2D6B41D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2D57A7682ACD19214C258D31A06D008F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\376786241A5443E41378D25CF812FCC1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4A01E0F376B5833EBA98F0D1D5F60CD1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4B471F64BAF831EC7945C820FD5A16E5.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4CB32C0A77CD4D9B0C9618F73F786C32.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5774C77265BE4C55B5C6C9718979E015.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5B5D21CF62E70BACF9D085E6AA6CE143.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\69554D930FCA40B0304B9A43A8036F2D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7851AF96EA828F912853F32DB0D96138.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7F417E1A6D819A9B2FEB55DA6858EA0A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\903E49C444C46FEF5F2C3A189C9CEF71.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\96ABB1671705F680578FE240427CBD4F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9A72EE7775E8021F75961342B8AFD1B4.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9AD3182A2F39A3E091E15109132EC6CC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9CD33F0956942860B50AA1B9330DEFAF.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9E06E4FE97F0CBB8D659894823F805D7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\A80FF2DC09487ECD60AFB147B262BDD7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA6E0E396C238977CA909EFD82299737.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D1A1B12A7DA3F9675C01397A26DBF4B3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DE391013DA56ABA39FFF40A9ABDF052F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E9D8A460B2C986DD5FF19F299F4A27EC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\EC8ABEC6883A6EF5EBC331544623E2EB.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Antivirus.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd Object is locked skipped
S:\Boot\BCD Object is locked skipped
S:\Boot\BCD.LOG Object is locked skipped

Scan process completed.

#8 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:55 AM

Posted 05 May 2008 - 07:47 AM

Please visit this webpage for download links, and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware, and will only take a few moments of your time.


After ensuring the Recovery Console is installed on your system...


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How to disable realtime protection: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

C:\CF_RC.txt
C:\ComboFix.txt
New HijackThis log.

[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#9 hooligan_69

hooligan_69
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 05 May 2008 - 11:27 AM

These are the only logs that were generated after running ComboFix.

ComboFix 08-05-01.3 - Patrick 2008-05-05 17:06:20.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.474 [GMT 1:00]
Running from: C:\Users\Patrick\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\npf.sys
C:\Windows\system32\packet.dll
C:\Windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-03 18:51 . 2008-05-03 18:51 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-03 10:39 . 2008-05-03 10:39 <DIR> d-------- C:\Deckard
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\Malwarebytes
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-02 20:16 . 2008-05-02 20:16 <DIR> d-------- C:\inetpub
2008-04-29 16:29 . 2008-04-29 16:29 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-28 20:04 . 2008-04-29 01:46 0 --ah----- C:\ntuser.dat.LOG2
2008-04-28 20:04 . 2008-04-29 01:46 0 --ah----- C:\ntuser.dat.LOG1
2008-04-28 20:04 . 2008-04-28 20:04 0 --a------ C:\ntuser.dat
2008-04-28 18:07 . 2005-08-25 15:04 80,128 -ra------ C:\Windows\System32\drivers\savonaccesscontrol.sys
2008-04-28 18:06 . 2008-04-28 18:06 <DIR> d-------- C:\ProgramData\Sophos
2008-04-28 18:06 . 2008-04-28 20:44 <DIR> d-------- C:\Program Files\Sophos
2008-04-28 18:03 . 2005-08-25 15:04 24,064 -ra------ C:\Windows\System32\drivers\savonaccessfilter.sys
2008-04-28 17:22 . 2008-04-28 17:22 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-28 17:13 . 2008-04-28 17:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 17:12 . 2008-04-28 17:12 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-27 12:36 . 2008-04-27 12:36 107 --a------ C:\Windows\ppscodec.ini
2008-04-26 01:02 . 2008-04-26 01:02 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\Publish Providers
2008-04-26 01:02 . 2008-04-26 01:02 <DIR> d-------- C:\Program Files\VSTplugins
2008-04-26 00:58 . 2008-04-26 00:58 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\Sony
2008-04-26 00:50 . 2008-04-26 00:50 <DIR> d-------- C:\Windows\System32\URTTEMP
2008-04-26 00:46 . 2008-04-26 00:46 <DIR> d-------- C:\Program Files\Sony Setup
2008-04-25 18:02 . 2008-05-04 16:37 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\LimeWire
2008-04-25 18:00 . 2008-04-27 12:20 <DIR> d-------- C:\Program Files\Java
2008-04-25 17:59 . 2008-04-25 17:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-25 17:58 . 2008-04-25 18:01 <DIR> d-------- C:\Program Files\LimeWire
2008-04-23 16:26 . 2008-04-23 16:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-23 16:17 . 2008-04-23 16:17 <DIR> d-------- C:\Program Files\SopCast
2008-04-23 16:10 . 2008-04-23 16:10 <DIR> d-------- C:\Program Files\CCleaner
2008-04-18 14:14 . 2007-09-12 05:28 1,073,152 --a------ C:\Windows\System32\nvcpluir.dll
2008-04-18 00:19 . 2008-04-18 00:19 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-15 19:19 . 2008-04-15 19:19 <DIR> d-------- C:\PerfLogs
2008-04-15 18:29 . 2008-01-19 08:35 4,875,776 --a------ C:\Windows\System32\NlsData0009.dll
2008-04-15 18:28 . 2008-01-19 08:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-04-15 18:27 . 2008-01-19 08:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
2008-04-15 18:26 . 2008-01-19 07:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-04-15 18:25 . 2008-01-19 08:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
2008-04-15 18:25 . 2008-01-05 12:31 145,455 --a------ C:\Windows\System32\perfmon.msc
2008-04-15 18:25 . 2008-01-05 12:31 3 --a------ C:\Windows\System32\drivers\MsftWdf_Kernel_01007_Inbox_Critical.Wdf
2008-04-15 18:24 . 2008-01-19 08:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-04-15 18:24 . 2008-01-19 08:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-04-15 18:24 . 2008-01-19 08:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-04-15 18:24 . 2008-01-19 08:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-04-15 18:24 . 2008-01-19 08:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-04-15 18:24 . 2008-01-19 08:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-04-15 18:24 . 2008-01-19 08:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-04-15 18:24 . 2008-01-19 08:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-04-15 18:24 . 2008-01-19 08:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-04-14 17:31 . 2008-04-14 17:31 <DIR> d-------- C:\Extras
2008-04-14 17:31 . 2008-04-14 17:31 <DIR> d-------- C:\Autorun
2008-04-14 02:12 . 2008-04-14 02:12 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-14 02:12 . 2008-01-10 13:15 755,027 --a------ C:\Windows\System32\xvidcore.dll
2008-04-14 02:12 . 2006-09-24 16:11 389,120 --a------ C:\Windows\System32\lameACM.acm
2008-04-14 02:12 . 2004-01-25 17:18 217,088 --a------ C:\Windows\System32\yv12vfw.dll
2008-04-14 02:12 . 2007-09-04 17:56 164,352 --a------ C:\Windows\System32\unrar.dll
2008-04-14 02:12 . 2008-01-10 13:16 159,839 --a------ C:\Windows\System32\xvidvfw.dll
2008-04-14 02:12 . 2007-09-21 01:52 118,784 --a------ C:\Windows\System32\ac3acm.acm
2008-04-14 02:12 . 2008-03-04 12:33 7,680 --a------ C:\Windows\System32\ff_vfw.dll
2008-04-14 02:12 . 2007-07-10 17:10 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-04-14 02:12 . 2007-10-03 16:03 414 --a------ C:\Windows\System32\lame_acm.xml
2008-04-14 02:07 . 2008-04-26 01:02 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\DivX
2008-04-14 02:06 . 2008-04-14 02:06 <DIR> d-------- C:\Program Files\DivX
2008-04-14 02:06 . 2008-04-14 02:06 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-14 01:41 . 2008-04-14 01:41 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\Media Player Classic
2008-04-13 13:37 . 2008-04-13 21:31 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\My Games
2008-04-13 13:17 . 2008-04-13 13:17 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-13 01:35 . 2008-04-13 13:30 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-04-13 01:31 . 2008-04-27 20:00 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\DAEMON Tools
2008-04-13 01:23 . 2008-04-13 01:23 <DIR> d-------- C:\ProgramData\CyberLink
2008-04-12 21:21 . 2008-04-12 21:21 1,073,741,824 --a------ C:\ppsds.pgf
2008-04-12 21:20 . 2008-05-04 16:37 43 --a------ C:\Windows\PCDNSetting.ini
2008-04-12 21:20 . 2008-05-04 13:30 27 --a------ C:\Windows\ppssg.ini
2008-04-12 21:19 . 2008-04-29 21:14 13 --a------ C:\Windows\msgtn.ini
2008-04-12 21:18 . 2008-04-12 21:20 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\ppstream
2008-04-12 21:18 . 2008-05-04 01:29 <DIR> d-------- C:\Program Files\PPStream
2008-04-12 21:18 . 2008-05-04 01:34 1,035 --a------ C:\Windows\powerplayer.ini
2008-04-12 21:18 . 2008-05-04 16:37 822 --a------ C:\Windows\psnetwork.ini
2008-04-12 21:07 . 2008-04-12 21:07 <DIR> d-------- C:\Windows\PCHEALTH
2008-04-12 21:01 . 2008-04-12 21:06 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-12 21:00 . 2008-04-12 21:07 <DIR> d-------- C:\Program Files\Windows Live
2008-04-12 20:24 . 2008-04-12 20:24 1,820 --a------ C:\Windows\System32\rasctrnm.h
2008-04-12 20:16 . 2008-04-12 20:16 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-12 20:16 . 2008-04-12 20:16 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-12 20:16 . 2008-04-12 20:16 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-12 20:16 . 2008-04-12 20:16 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-12 20:16 . 2008-04-12 20:16 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-12 20:16 . 2008-04-12 20:16 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-12 20:16 . 2008-04-12 20:16 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-12 20:16 . 2008-04-12 20:16 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-12 20:16 . 2008-04-12 20:16 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-12 20:16 . 2008-04-12 20:16 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-12 20:15 . 2008-04-12 20:15 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-12 20:15 . 2008-04-12 20:15 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-12 20:09 . 2008-04-12 20:09 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-12 20:09 . 2008-04-12 20:09 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-12 19:46 . 2008-04-12 21:00 <DIR> d-------- C:\ProgramData\WLInstaller
2008-04-12 17:50 . 2008-04-12 17:50 108,144 --a------ C:\Windows\System32\CmdLineExt.dll
2008-04-12 17:37 . 2008-04-12 17:37 <DIR> d-------- C:\Program Files\DreamCatcher
2008-04-12 16:20 . 2008-04-12 16:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-12 16:14 . 2008-04-13 01:31 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-04-12 16:09 . 2008-04-12 16:12 <DIR> d-------- C:\Program Files\WinAce
2008-04-12 15:53 . 2008-04-12 15:53 <DIR> d-------- C:\Program Files\uTorrent
2008-04-12 15:52 . 2008-04-27 20:00 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\uTorrent
2008-04-12 15:24 . 2008-04-12 15:24 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-12 15:19 . 2008-04-12 15:19 <DIR> d-------- C:\Program Files\Real
2008-04-12 15:19 . 2008-04-27 20:00 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-12 15:14 . 2008-05-05 17:00 <DIR> d-a------ C:\ProgramData\TEMP
2008-04-12 15:13 . 2008-04-12 15:13 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\PC Tools
2008-04-12 15:13 . 2008-05-05 16:45 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-12 15:13 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-04-12 15:13 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-04-12 15:13 . 2008-02-01 12:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-04-12 15:13 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-04-12 15:11 . 2008-04-25 17:15 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-12 15:09 . 2008-04-12 15:09 <DIR> d-------- C:\ProgramData\Symantec
2008-04-12 15:07 . 2008-04-12 15:07 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\Talkback
2008-04-12 15:04 . 2008-04-18 15:00 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-04-12 15:04 . 2008-04-15 19:23 <DIR> d-------- C:\Program Files\Google
2008-04-12 14:52 . 2008-04-14 17:31 <DIR> d-------- C:\Program Files\THQ
2008-04-12 03:04 . 2008-04-12 03:04 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\CyberLink
2008-04-12 01:23 . 2008-04-14 17:46 43,520 --a------ C:\Windows\System32\CmdLineExt03.dll
2008-04-12 01:20 . 2008-04-12 01:24 <DIR> d-------- C:\Program Files\Ground Control II
2008-04-11 22:14 . 2008-04-11 22:14 18,061 --a------ C:\Windows\War3Unin.dat
2008-04-11 22:13 . 2008-04-11 22:13 126,976 --a------ C:\Windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 23:42 --------- d-----w C:\ProgramData\NVIDIA
2008-04-17 23:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 18:28 174 --sha-w C:\Program Files\desktop.ini
2008-04-15 18:21 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-15 18:21 --------- d-----w C:\Program Files\Windows Mail
2008-04-15 18:21 --------- d-----w C:\Program Files\Windows Calendar
2008-04-15 18:20 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-15 18:20 --------- d-----w C:\Program Files\Windows Journal
2008-04-15 18:20 --------- d-----w C:\Program Files\Windows Defender
2008-04-15 18:20 --------- d-----w C:\Program Files\Windows Collaboration
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 08:33 1233920]
"Reminder_MUI"="C:\Applications\oem\Reminder\Reminder_MUI.exe" [2007-07-20 10:15 1089536]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-10 10:01 4431872 C:\Windows\RtHDVCpl.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Skytel"="Skytel.exe" [2007-04-04 11:22 1822720 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]
"UpdateP2GShortCut"="C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2007-07-26 22:07 202024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{00EAE414-758E-43F0-8C2A-963A4F85A25D}C:\\program files\\thq\\dawn of war - soulstorm\\soulstorm.exe"= UDP:C:\program files\thq\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"UDP Query User{CAF3D743-2444-47E7-9FCF-1E83889C827E}C:\\program files\\thq\\dawn of war - soulstorm\\soulstorm.exe"= TCP:C:\program files\thq\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"TCP Query User{2E1631F4-6917-4CE8-A4F1-676070502EE8}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{C78713C8-A8AE-4F18-BF75-25AC9EB7EDB7}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{1CDE173E-099B-4AB1-A086-57C31D5BC9EC}C:\\program files\\dreamcatcher\\genesis rising\\bin\\genesisrising.exe"= UDP:C:\program files\dreamcatcher\genesis rising\bin\genesisrising.exe:GenesisRising
"UDP Query User{8A7CC307-0DB8-4BDA-B8B9-94CD5F39B215}C:\\program files\\dreamcatcher\\genesis rising\\bin\\genesisrising.exe"= TCP:C:\program files\dreamcatcher\genesis rising\bin\genesisrising.exe:GenesisRising
"{4C91E406-410A-4D2B-BAF6-44EE4F401F96}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D9C52195-E9C0-45FE-97C8-066CC6FF1860}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
"UDP Query User{259A2DA9-F1AE-4342-8813-26AA6F3500A4}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
"TCP Query User{8FA62073-8483-447A-A440-D846FD39D58D}C:\\program files\\ppstream\\ppstream.exe"= UDP:C:\program files\ppstream\ppstream.exe:PPS????
"UDP Query User{0DBE2445-3DAB-418A-8499-BE4FC0DDB0F4}C:\\program files\\ppstream\\ppstream.exe"= TCP:C:\program files\ppstream\ppstream.exe:PPS????
"TCP Query User{825C0FC1-B3CD-4148-9D35-DD05D19B1E21}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6C968C91-5839-453C-9F0D-A8580E5943FC}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{1C7F8E9C-970A-44A4-95CA-69A35785492E}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{1E727216-86B0-4BE0-AD03-B6492C02639A}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{AA9237EE-1D12-4C1B-A3F4-30CD8D57BC15}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{D08CC586-6EBF-4558-BA92-DF41FA3659FC}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{90554D26-CB58-489F-86C8-072C9CFA73AB}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{198FEA4F-5D74-4607-AC0E-DA3D89AB36A3}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"TCP Query User{C7599844-035B-4F82-AAAB-60B4094B760C}C:\\program files\\thq\\dawn of war - soulstorm\\soulstorm.exe"= UDP:C:\program files\thq\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"UDP Query User{1F8F4755-7D53-4B0B-84D7-FFE5C79033FF}C:\\program files\\thq\\dawn of war - soulstorm\\soulstorm.exe"= TCP:C:\program files\thq\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"TCP Query User{AADE86AE-C407-4CB8-8F1C-F4F6895E0A62}C:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:C:\program files\thq\dawn of war\w40k.exe:W40k
"UDP Query User{158460AE-E0C2-494C-A460-F86DF6546D48}C:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:C:\program files\thq\dawn of war\w40k.exe:W40k
"TCP Query User{895C2160-996F-409E-A2B3-8E71DD40126F}C:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= UDP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"UDP Query User{6675AFDF-DF0E-44F1-B1E3-7FA12817CBE0}C:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= TCP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"TCP Query User{5C161377-0458-45C5-8592-F2424583D7DB}C:\\program files\\dreamcatcher\\genesis rising\\bin\\genesisrising.exe"= UDP:C:\program files\dreamcatcher\genesis rising\bin\genesisrising.exe:GenesisRising
"UDP Query User{76B1486D-9045-4EB8-9DE2-9301A60DCB40}C:\\program files\\dreamcatcher\\genesis rising\\bin\\genesisrising.exe"= TCP:C:\program files\dreamcatcher\genesis rising\bin\genesisrising.exe:GenesisRising
"TCP Query User{79E14601-18B9-41BA-8421-5811FE589CF0}C:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{0C60F2B5-6A91-43A2-ABC6-A687CCA241EF}C:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{747F3036-AD70-49C4-8BB7-A2BFA73D8220}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{F38C47AE-F057-4605-93DE-4B0B19D9EA24}C:\\program files\\sopcast\\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{B822ED29-59B5-4878-8D7C-CF340C7C04FB}C:\\program files\\sopcast\\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod
"UDP Query User{B933C7B1-8124-4CCC-9034-24F300387056}C:\\program files\\sopcast\\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod
"TCP Query User{8B36A820-0AFD-47D1-B8E5-5E70515BE549}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E0B40DC6-636B-4A4B-B256-BD1DADC4255D}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{51BEC75D-B726-47EC-8111-FF5940CA69B7}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{C64176E6-2FAC-4FFF-9BCE-848FF290348E}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS
"C:\\Program Files\\PPStream\\PPSAP.exe"= C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS

R1 SAVOnAccess Control;SAVOnAccess Control;C:\Windows\system32\DRIVERS\savonaccesscontrol.sys [2005-08-25 15:04]
R1 SAVOnAccess Filter;SAVOnAccess Filter;C:\Windows\system32\DRIVERS\savonaccessfilter.sys [2005-08-25 15:04]
R2 NetPipeActivator;Net.Pipe Listener Adapter;"C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [2008-01-05 12:21]
R2 NetTcpActivator;Net.Tcp Listener Adapter;"C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [2008-01-05 12:21]
S3 netr73;Sitecom RT73 Wireless Driver for Vista;C:\Windows\system32\DRIVERS\netr73.sys [2008-02-26 09:17]
S4 NetMsmqActivator;Net.Msmq Listener Adapter;"C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792e4134-07ff-11dd-8643-806e6f6e6963}]
\shell\AutoRun\command - E:\Autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 17:57:09 C:\Windows\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-05-05 15:26:27 C:\Windows\Tasks\User_Feed_Synchronization-{044FA82F-9D99-40E3-85D0-7856E1DCEFA2}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 17:10:19
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 56

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-05-05 17:12:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-05 16:12:26

Pre-Run: 159,208,845,312 bytes free
Post-Run: 162,492,338,176 bytes free

269 --- E O F --- 2008-05-04 11:29:55

C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdateP2GShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Reminder_MUI] C:\Applications\oem\Reminder\Reminder_MUI.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 4218 bytes

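The two firewall sections in the ComboFix log above are where the peer-to-peer and streaming clients on this machine show up: the "TCP/UDP Query User{GUID}" rules are what Vista's Windows Firewall writes when a user clicks Unblock on a Windows Security Alert prompt, and the AuthorizedApplications list is the older XP-style exception list. The block below is an added example, not code from the original post or from ComboFix: it parses both kinds of line out of a log extract and flags executables that belong to known P2P clients. The sample lines are copied from the log above (a constructed subset); the watch-list of P2P executables and all function names are this example's own.

```python
"""Inventory Windows Firewall exceptions from a ComboFix log extract and
flag peer-to-peer binaries.  Added example; the watch-list is illustrative."""
import re
from dataclasses import dataclass

# Constructed subset of the ComboFix firewall sections posted in the thread.
SAMPLE_LOG = r'''
"TCP Query User{51BEC75D-B726-47EC-8111-FF5940CA69B7}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{C64176E6-2FAC-4FFF-9BCE-848FF290348E}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{747F3036-AD70-49C4-8BB7-A2BFA73D8220}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{E0B40DC6-636B-4A4B-B256-BD1DADC4255D}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPStream\\PPStream.exe"= C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS
"C:\\Program Files\\PPStream\\PPSAP.exe"= C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS
'''

# Vista per-user "Unblock" rules: value data is  PROTO:<path>:<display name>
QUERY_USER_RE = re.compile(
    r'^"(?:TCP|UDP) Query User\{[0-9A-Fa-f-]+\}[^"]*"=\s*'
    r'(?P<proto>TCP|UDP):(?P<path>[A-Za-z]:\\[^:]*):(?P<name>.*)$')
# XP-style AuthorizedApplications: value data is  <path>:<scope>:<state>:<name>
AUTHORIZED_RE = re.compile(
    r'^"[^"]*"=\s*(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>\*|[0-9.,/]+):'
    r'(?P<state>Enabled|Disabled):(?P<name>.*)$')

# Example watch-list (this example's own, not exhaustive): executable -> why it matters.
P2P_EXECUTABLES = {
    "limewire.exe": "LimeWire (Gnutella file sharing)",
    "sopcast.exe": "SopCast (P2P video streaming)",
    "sopadver.exe": "SopCast advertising component",
    "sopvod.exe": "SopCast video-on-demand component",
    "ppstream.exe": "PPStream (P2P video streaming)",
    "ppsap.exe": "PPStream helper process",
}


@dataclass(frozen=True)
class FirewallException:
    path: str
    name: str
    source: str   # "query-user" (Vista Unblock rule) or "authorized-app"
    detail: str   # protocol for query-user rules, scope/state for the list


def parse_firewall_exceptions(log_text):
    """Return every firewall exception found in the ComboFix extract, in order."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = QUERY_USER_RE.match(line)
        if m:
            found.append(FirewallException(m['path'], m['name'].strip(),
                                           'query-user', m['proto']))
            continue
        m = AUTHORIZED_RE.match(line)
        if m:
            found.append(FirewallException(m['path'], m['name'].strip(),
                                           'authorized-app',
                                           f"{m['scope']}/{m['state']}"))
    return found


def flag_p2p(exceptions):
    """Map each distinct P2P executable that has a firewall hole to its description."""
    flagged = {}
    for ex in exceptions:
        exe = ex.path.rsplit('\\', 1)[-1].lower()   # file name component only
        if exe in P2P_EXECUTABLES:
            flagged[exe] = P2P_EXECUTABLES[exe]
    return flagged


if __name__ == "__main__":
    exceptions = parse_firewall_exceptions(SAMPLE_LOG)
    for ex in exceptions:
        print(f"{ex.source:15} {ex.detail:12} {ex.path}  ({ex.name})")
    for exe, why in flag_p2p(exceptions).items():
        print(f"P2P exception: {exe} -> {why}")
```

The protocol is read from the value data rather than from the value name, because in the log the two disagree on each pair of lines; the data side is what the firewall actually enforces for that rule.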
#10 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:55 AM

Posted 05 May 2008 - 02:41 PM

P2P Warning!

Please note that as long as you are using any form of peer-to-peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of peer-to-peer programs themselves is here:
Clean/Infected P2P Programs (http://p2p.malwareremoval.com/)
Please decide whether you want to keep using P2P; if you do, then please stop until I give you the all clear.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#11 hooligan_69

hooligan_69
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 05 May 2008 - 03:58 PM

I use PPStream regularly as well; should I cease using it?

#12 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:55 AM

Posted 06 May 2008 - 12:36 AM

Well, that is up to you, if you want to get infected again.

Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click on [image] located at the bottom of the page.
  • A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click "Free Online Scan". *The download of the 8 MB Panda ActiveX control will take place.*
  • Begin the scan by selecting [image]
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on [image] then click [image]
* You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

#13 hooligan_69

hooligan_69
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 06 May 2008 - 02:06 PM

Please find below the result of the Panda scan report. My system still won't let me update the .NET Framework to the latest service pack update, and it is still running slow. Is there anything else that may be causing this?

Many thanks for your help,
Hooligan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-06 19:49:38
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Sophos Anti-Virus <NULL> Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\patrick@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\patrick@atdmt[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\patrick@mediaplex[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@advertising[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@media.adrevolver[3].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@adrevolver[2].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Users\Patrick\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

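The Panda ActiveScan report above is a fixed-column text table, and reading it by eye hides two things worth checking: the MALWARE count in the header (7) is the number of distinct signature ids, not the number of file rows (9), and the only non-cookie hit is inside ComboFix.exe's embedded payload (ComboFix bundles NirSoft's NirCmd, which many antivirus engines classify as a hacktool or backdoor, so a detection at ComboFix.exe[...\NirCmdC.cfexe] is the scanner reacting to the cleanup tool rather than to a live infection). The block below is an added example, not code from the original post or from Panda: it parses the report, separates tracking cookies from real detections, and sets aside hits that are components of the cleanup tool. The sample report is copied from the post above (constructed, with the separator rows shortened); the classification rules and all function names are this example's own heuristics.

```python
"""Triage a Panda ActiveScan text report.  Added example; the classification
rules are heuristics, not Panda's own."""
import re
from dataclasses import dataclass

# Constructed copy of the report posted in the thread (separator rows shortened).
SAMPLE_REPORT = r"""
;************
ANALYSIS: 2008-05-06 19:49:38
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;************
PROTECTIONS
Description Version Active Updated
;============
Sophos Anti-Virus <NULL> Yes No
;============
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;============
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\patrick@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\patrick@atdmt[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\patrick@mediaplex[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@advertising[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@media.adrevolver[3].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Cookies\Low\patrick@adrevolver[2].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Users\Patrick\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
;============
SUSPECTS
"""

HEADER_RE = re.compile(r'^(ANALYSIS|PROTECTIONS|MALWARE|SUSPECTS):\s*(.+)$')
# Description may contain spaces ("Cookie/Atlas DMT"); Type is one token and is
# followed by Yes/No, a numeric severity, Yes/No, Yes/No and the location.
ROW_RE = re.compile(
    r'^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<kind>\S+)\s+(?P<active>Yes|No)\s+'
    r'(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+'
    r'(?P<location>.+)$')
# Heuristic: a hit inside ComboFix's embedded NirCmd is the cleanup tool itself.
EMBEDDED_IN_TOOL_RE = re.compile(r'\\ComboFix\.exe\[.*NirCmd', re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    sig_id: str
    description: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    disinfected: bool
    location: str


def parse_report(text):
    """Return (header counts, list of Detection rows) from a report."""
    counts, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            counts[m.group(1)] = m.group(2)
            continue
        m = ROW_RE.match(line)
        if m:
            detections.append(Detection(
                m['id'], m['desc'], m['kind'], m['active'] == 'Yes',
                int(m['severity']), m['disinfectable'] == 'Yes',
                m['disinfected'] == 'Yes', m['location']))
    return counts, detections


def classify(det):
    """Heuristic bucket for one row: cookie, tool-component, active or inactive-file."""
    if det.kind == 'TrackingCookie':
        return 'cookie'
    if EMBEDDED_IN_TOOL_RE.search(det.location):
        return 'tool-component'
    return 'active' if det.active else 'inactive-file'


def triage(text):
    """Summarise a report: row/id counts, rows per bucket, and what still needs action."""
    counts, dets = parse_report(text)
    by_class = {}
    for d in dets:
        by_class.setdefault(classify(d), []).append(d.location)
    return {
        'rows': len(dets),
        'unique_ids': len({d.sig_id for d in dets}),
        'reported_malware': int(counts.get('MALWARE', 0)),
        'by_class': by_class,
        'needs_action': [loc for cls in ('active', 'inactive-file')
                         for loc in by_class.get(cls, [])],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For this report the triage leaves nothing in `needs_action`: eight cookie rows and one hit that is a component of ComboFix itself, which is consistent with the helper's "log looks good" below. Anything that lands in the `active` bucket on another report is the list to take back to the helper.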
#14 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:55 AM

Posted 06 May 2008 - 03:04 PM

Hi! Log looks good.

Please see this link : http://miekiemoes.blogspot.com/search/label/Slow%20computer

Let me know if it helped.

#15 hooligan_69

hooligan_69
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 09 May 2008 - 10:48 AM

I tried the solutions posted on the site, but the problem hasn't stopped. I still can't update the .NET Framework to the new service pack. It seems to be even worse when I launch anything from the desktop.



