
Spybot Detects Ms Server Registry Entry & Avast A Trojan


  • This topic is locked
15 replies to this topic

#1 jamieR

  • Members
  • 10 posts

Posted 03 May 2008 - 01:17 PM

Hi Guys

Firstly, excellent website. Really impressed with some people's knowledge and willingness to help.

My problem is this. Spybot is detecting an important registry entry from "MS Server".
Also, Avast is detecting a trojan called win32:TratBHO.

I am using Vista.
I have run various scans, i.e. VundoFix etc., but nothing has been returned. Here is my hijack report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:22, on 03/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\aol\1189273587\ee\aolsoftware.exe
C:\Windows\PixArt\PAC207\Monitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\havrjcly\gpsfidqz.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hp\kbd\kbd.exe
C:\Users\Russell\Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189273587\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EPSON Stylus DX4000 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\Windows\TEMP\E_S931B.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Russell\AppData\Local\Temp\tuvVPfcc.dll,#1
O4 - HKCU\..\Run: [havrjcly] C:\ProgramData\havrjcly\gpsfidqz.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8680 bytes


Thanks in advance for any assistance - sorry if I've missed some important info out.

Jamie


#2 jamieR
  • Topic Starter
  • Members
  • 10 posts

Posted 05 May 2008 - 12:33 PM

Have I posted this in the correct place?

#3 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 06 May 2008 - 02:58 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

have I posted this in the correct place?

Have you read the instructions pinned to the top of the forum and posted above? Looks like Vundo, but I need more information to start.

Return to #5 in the preparation guide. Scan your computer with the Kaspersky Online Scanner
in the Preparation Guide and follow those instructions using these settings:
Next click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here using Add Reply

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
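The two O4 entries that make pskelley say "Looks like Vundo" are visible in the HijackThis log in post #1: [MSServer], which has rundll32.exe load a randomly named DLL out of the user's Temp folder, and [havrjcly], a randomly named executable launched from C:\ProgramData. The script below is an added example, not code from this thread, from HijackThis or from BleepingComputer; it parses O4 lines in the log's format and flags those traits so the same triage can be repeated on other logs. The six sample lines are copied from the log above, and the three heuristics (rundll32 plus a Temp path, a target in a user-writable directory, a directory and file name that both look machine-generated) and their thresholds are the editor's own choices, not a HijackThis feature.

```python
import re

# Constructed sample: six O4 lines in the shape of the HijackThis log posted
# above, four ordinary vendor autostarts plus the two entries this thread is about.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Russell\AppData\Local\Temp\tuvVPfcc.dll,#1
O4 - HKCU\..\Run: [havrjcly] C:\ProgramData\havrjcly\gpsfidqz.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Unquoted path that ends in an executable extension, e.g. "%ProgramFiles%\Windows Defender\MSASCui.exe -hide"
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com))(?=\s|$)", re.IGNORECASE)
# Run of four or more non-vowels; ordinary product names (skype, sidebar, monitor) almost never contain one
CONSONANT_RUN = re.compile(r"[^aeiou]{4}")

# Directories a standard user can write to. Every legitimate autostart in the
# log above lives under Program Files or the Windows directory instead.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\")


def parse_o4(text):
    """Yield (hive, key, name, cmd) for every O4 line; ignore everything else."""
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")


def target_path(cmd):
    """Return the file an O4 command line actually runs: the DLL handed to
    rundll32, the quoted path, or the first path ending in an executable extension."""
    cmd = cmd.strip()
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32", "rundll32.exe"):
        return rest.split(",", 1)[0].strip().strip('"')   # rundll32 <dll>,<entry>
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else head


def looks_random(stem):
    """Editor's heuristic for generated names such as havrjcly / gpsfidqz:
    seven or more lowercase letters containing a run of four consonants."""
    return len(stem) >= 7 and stem.isalpha() and stem.islower() and CONSONANT_RUN.search(stem) is not None


def triage_o4(text):
    """Return a finding for each O4 entry that shows the traits seen in this log."""
    findings = []
    for hive, key, name, cmd in parse_o4(text):
        path = target_path(cmd)
        low = path.lower()
        reasons = []
        if cmd.lower().startswith("rundll32") and "\\temp\\" in low:
            reasons.append("rundll32 loads a DLL from a Temp directory")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("autostart target lives in a user-writable location")
        parts = path.replace("/", "\\").split("\\")
        stems = [p.rsplit(".", 1)[0] for p in parts[-2:]]   # parent directory and file name
        if len(stems) == 2 and all(looks_random(s) for s in stems):
            reasons.append("parent directory and file name both look machine-generated")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name, "target": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample it reports only [MSServer] and [havrjcly]; the Defender, NVIDIA, Skype and Sidebar entries pass because their targets sit under Program Files or Windows and carry ordinary names. The heuristics are deliberately narrow: a flagged entry is a prompt to look at the file, not a verdict, and an unflagged entry is not proof of a clean machine.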

#4 jamieR
  • Topic Starter
  • Members
  • 10 posts

Posted 11 May 2008 - 06:58 AM

Many thanks pskelley for your input. Here are the results from the Kaspersky Online Scanner:


KASPERSKY ONLINE SCANNER REPORT
Sunday, May 11, 2008 12:55:47 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 755935


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 98944
Number of viruses found 5
Number of infected objects 32
Number of suspicious objects 0
Duration of the scan process 01:04:07

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped

C:\Boot\BCD.LOG Object is locked skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\448bca5f.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.o skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\5c4bbff0.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.o skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\97300431.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.o skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\d35143ed.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.o skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\EXPLOR~1.EXE.bak Infected: Trojan.Win32.Obfuscated.gx skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\ssqOHaWq.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\tmp00009de3 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\tmp00009e7f Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\tmp0000a69a Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\tmp0000af9f Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\vtUkhebb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-160311-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-160322-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-165450-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-165502-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-194835-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-194846-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-172847-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-172858-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-184500-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-184510-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080415-185440-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080415-185456-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080416-221257-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080416-221308-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080417-172037-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080417-172048-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080420-201611-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080420-201633-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-183305-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-183328-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-220319-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-220330-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080424-162540-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080424-162600-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-134402-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-134423-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-214019-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-214030-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080427-172103-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080427-172114-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080428-195927-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080428-195938-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080429-201234-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080429-201245-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080430-161023-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080430-161035-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-083114-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-083129-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-194855-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-194910-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-173329-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-173353-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-183858-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-184121-0.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\MpCmdRun.log Object is locked skipped

C:\Deckard\System Scanner\backup\Windows\temp\MpSigStub.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\moved\mlJDWOEV.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\PC-Doctor 5 for Windows\Configuration\config.xml Object is locked skipped

C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped

C:\ProgramData\Microsoft\User Account Pictures\IUSR_NMPR.dat Object is locked skipped

C:\ProgramData\havrjcly\gpsfidqz.exe Infected: Trojan.Win32.Obfuscated.gx skipped

C:\ProgramData\muvee Technologies\030625\0103\0399\values Object is locked skipped

C:\ProgramData\ohcdkpon\mjifmzov.exe Infected: Trojan.Win32.Obfuscated.gx skipped

C:\Users\Russell\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012008051120080512\index.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Russell\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat{43c7df73-5e2a-11dc-93fd-001bfcf96e36}.TM.blf Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat{43c7df73-5e2a-11dc-93fd-001bfcf96e36}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat{43c7df73-5e2a-11dc-93fd-001bfcf96e36}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows Defender\FileTracker\{3A4B1B46-AE8A-4800-B9F5-2DBB2C2C9ACF} Object is locked skipped

C:\Users\Russell\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped

C:\Users\Russell\AppData\Local\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Users\Russell\AppData\Local\Temp\awtrQjJC.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Users\Russell\AppData\Local\Temp\fcCUOIYQ.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\iifdeFus.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Users\Russell\AppData\Local\Temp\Low\~DF7822.tmp Object is locked skipped

C:\Users\Russell\AppData\Local\Temp\ssQHBtSi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.quk skipped

C:\Users\Russell\AppData\Local\Temp\tmp00009971 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp00009eed Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000a025 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000a5c0 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000ad9c Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000b23e Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000b46f Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000b8b3 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000bb43 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000bcf7 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0000ce46 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0001ec80 Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\tmp0002428b Infected: not-a-virus:AdWare.Win32.Virtumonde.qta skipped

C:\Users\Russell\AppData\Local\Temp\wvUmlMDv.dll Infected: Trojan.Win32.Monder.gen skipped

C:\Users\Russell\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\Russell\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\call1024.dbb Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\call256.dbb Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\call512.dbb Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\callmember256.dbb Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\contactgroup256.dbb Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\dyncontent\bundle.dat Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\index2.dat Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\profile256.dbb Object is locked skipped

C:\Users\Russell\AppData\Roaming\Skype\jamesbrady26\user1024.dbb Object is locked skipped

C:\Users\Russell\ntuser.dat Object is locked skipped

C:\Users\Russell\ntuser.dat.LOG1 Object is locked skipped

C:\Users\Russell\ntuser.dat.LOG2 Object is locked skipped

C:\Users\Russell\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Users\Russell\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Russell\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\Debug\PASSWD.LOG Object is locked skipped

C:\Windows\Debug\sam.log Object is locked skipped

C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped

C:\Windows\Logs\CBS\CBS.log Object is locked skipped

C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped

C:\Windows\Logs\DPX\setupact.log Object is locked skipped

C:\Windows\Logs\DPX\setuperr.log Object is locked skipped

C:\Windows\MEMORY.DMP Object is locked skipped

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped

C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped

C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped

C:\Windows\security\database\secedit.sdb Object is locked skipped

C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\bdss.log Object is locked skipped

C:\Windows\System32\catroot2\edb.log Object is locked skipped

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\config\components Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\default Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\Windows\System32\config\sam Object is locked skipped

C:\Windows\System32\config\SAM.LOG1 Object is locked skipped

C:\Windows\System32\config\SAM.LOG2 Object is locked skipped

C:\Windows\System32\config\security Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

C:\Windows\System32\config\software Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\Windows\System32\config\system Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped

C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped

C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped

C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped

C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped

C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped

C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped

C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped

C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped

C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped

C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped

C:\Windows\System32\winevt\Logs\Antivirus.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\IntelDH.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped

C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped

C:\Windows\WindowsUpdate.log Object is locked skipped

C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.

#5 pskelley

Posted 11 May 2008 - 07:10 AM

Thanks, James, for the scan results. I will suggest that if you turn off "Word Wrap" under "Format" in Notepad, you should be able to post the logs single-spaced, which will make them easier to work with.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#6 jamieR (Topic Starter)

Posted 11 May 2008 - 07:33 AM

Thanks Phil for the tip re: text files. Here are the 2 logs

Combofix:

ComboFix 08-05-09.1 - Russell 2008-05-11 13:17:50.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1056 [GMT 1:00]
Running from: C:\Users\Russell\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 12:18 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS
2008-05-11 12:17 81,984 ----a-w C:\Windows\System32\bdod.bin
2008-05-11 11:51 --------- d-----w C:\Users\Russell\AppData\Roaming\Skype
2008-05-11 11:18 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-11 10:38 --------- d-----w C:\Users\Russell\AppData\Roaming\skypePM
2008-05-06 20:05 634 ----a-w C:\Users\Russell\AppData\Roaming\wklnhst.dat
2008-05-03 19:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-03 18:50 --------- d-----w C:\Users\Russell\AppData\Roaming\Bitdefender
2008-05-03 18:48 --------- d-----w C:\ProgramData\BitDefender
2008-05-03 18:47 --------- d-----w C:\Program Files\Softwin
2008-05-03 18:47 --------- d-----w C:\Program Files\Common Files\Softwin
2008-04-30 20:03 --------- d-----w C:\Program Files\Java
2008-04-30 19:08 --------- d-----w C:\ProgramData\ohcdkpon
2008-04-30 19:08 --------- d-----w C:\ProgramData\havrjcly
2008-04-30 16:55 304,160 ----a-w C:\PA207.DAT
2008-04-21 17:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-13 15:39 --------- d-----w C:\Program Files\Google
2008-04-13 15:35 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-13 14:54 --------- d-----w C:\Program Files\uTorrent
2008-04-12 13:17 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-12 13:17 32 ----a-w C:\ProgramData\ezsid.dat
2008-04-09 21:30 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 20:14 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-06 20:14 --------- d-----w C:\Users\Russell\AppData\Roaming\WinBatch
2008-04-06 20:14 --------- d-----w C:\Program Files\Realtek
2008-04-06 17:51 --------- d-----w C:\ProgramData\Skype
2008-04-06 17:51 --------- d-----w C:\Program Files\Skype
2008-04-06 17:51 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\divx.dll
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-28 17:41 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:14 2,028,544 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-13 18:27 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 18:25 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 18:25 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 18:25 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 18:25 3,505,720 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 18:25 3,471,928 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 18:25 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 18:25 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 18:25 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 18:25 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 18:25 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 18:25 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 18:25 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-09-08 17:42 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-25 23:12 1232896]
"EPSON Stylus DX4000 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBEE.exe" [2006-09-21 04:01 139264]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:37 21898024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll" [2008-05-08 21:06 274944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-27 23:25 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 14:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\Windows\RtHDVCpl.exe]
"CCUTRAYICON"="FactoryMode" []
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 07:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1189273587\ee\AOLSoftware.exe" [2006-11-14 15:01 50736]
"Monitor"="C:\Windows\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 18:37 79224]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-15 05:03 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-15 05:03 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-15 05:03 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2007-03-26 15:49 69632 C:\Program Files\Softwin\BitDefender10\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2007-04-02 16:48 290816 C:\Program Files\Softwin\BitDefender10\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\havrjcly]
--a------ 2008-04-30 20:08 98304 C:\ProgramData\havrjcly\gpsfidqz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2006-12-08 17:16 65536 C:\HP\KBD\KbdStub.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\Russell\AppData\Local\Temp\efcBturP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
--a------ 2007-02-15 11:59 118784 C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-734639056-3708653490-2978069551-1001]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8675C652-A5E3-4A7E-ABA7-EBE956394F05}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{83752797-490C-41BA-BC0E-D2236A55FEAA}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{437E17A8-3B30-4F84-A3B3-4BCB0DFBA716}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{3E957A28-299A-4C25-A959-CDB84A556519}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{7306407D-F11B-4831-A599-7A159C9F2CA9}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{46354080-058F-4E0E-AC93-FE1B6DAE3403}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{3A849754-F16C-40F3-8470-16AD8B945CEA}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{05069BA8-21F2-4046-A265-7BBCE5478E8D}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{1CA0895C-9175-44FD-8D4C-46E007CF039A}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9687EA38-A746-4636-9BB9-A28D117F2FFB}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{50028109-4544-4AED-9507-4D8ECC368518}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{93DACD81-6F9B-4EB5-A63E-DFAE1F919863}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{547250B7-8C77-4FCA-9C6B-94922C77B6B5}"= UDP:C:\Program Files\AOL\RC\regClient.exe:AOL
"{9160F12F-9A12-4BE1-95E9-2B698055E3A4}"= TCP:C:\Program Files\AOL\RC\regClient.exe:AOL
"{656461E3-9B4C-46A9-BC10-0889DD5DBEE8}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{6D0FDD87-8881-4BF7-8C91-78D53004A37B}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{A4691B4F-09FB-4A47-93C5-5C0D353401FB}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{F8210722-02A7-4463-B959-B86FCD3A48C3}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{4D59179D-3FF6-4690-B162-5731E13215AF}"= UDP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{C07B5C81-41F7-4201-900D-E69A3BC6350C}"= TCP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{533D094C-FFBA-4821-ACE6-98749BD7DC0E}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{A2B544AC-F1F4-4756-B1F6-EDA96B935588}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{9F1EDE47-3936-484A-AEF4-EFD994F13356}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{05F213AC-D83D-4A38-A809-5D63126638DC}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{5957E576-FF2F-4449-B0B1-7C93FDBEE57F}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{ACBF34E3-9839-4E81-8B1C-015DC8D7895D}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{5CA78823-0B04-4A7E-BBFC-12AF3ECB5A5C}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{13B67D79-B786-4EA5-9FBA-E5626EDAA263}"= UDP:C:\Users\Russell\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{4C51679C-F6EF-4E67-96E0-22F62B137759}"= TCP:C:\Users\Russell\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{8FFE892F-D777-4C49-9A5B-1099A349BD2F}"= UDP:C:\Program Files\Thomson\ST330\service\st330service.exe:ST330 service
"{938F5402-CD09-45FB-94AA-FCE708A22FFA}"= TCP:C:\Program Files\Thomson\ST330\service\st330service.exe:ST330 service
"{ED019A35-4A61-4C7E-A522-99E562B215DE}"= UDP:C:\Program Files\Common Files\aol\1189273587\ee\aolsoftware.exe:AOL Services
"{F6832F2A-A48E-457A-9790-51F9D29EE1E4}"= TCP:C:\Program Files\Common Files\aol\1189273587\ee\aolsoftware.exe:AOL Services
"TCP Query User{3C6B3B41-6D98-4A59-832D-E67414FF8F52}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B54C962F-97D3-46FD-9E2E-16287316F591}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{E2B95CBD-D27B-4CE5-BD6C-563B952C26E5}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{E376A095-0626-44B9-B8B9-4704E463F026}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{9CF8005D-4504-47AE-9DBD-C53D882880E5}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{1C51B964-5F65-48EA-9C06-ED59B19A72DD}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 18:32]
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2006-09-03 18:32]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 PAC207;SoC PC-Camera;C:\Windows\system32\DRIVERS\PFC027.SYS [2006-12-05 11:34]
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [2006-05-10 17:13]
S3 iadusb;MT882;C:\Windows\system32\DRIVERS\glauiad.sys [2006-07-27 16:37]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 12:20:11 C:\Windows\Tasks\User_Feed_Synchronization-{C1AB2EA9-6F6A-433E-9323-8968CB0F7247}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 13:20:19
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Russell\AppData\Local\Temp\~DF188C.tmp 16384 bytes
C:\Users\Russell\AppData\Local\Temp\~DF18F1.tmp 512 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Russell\AppData\Local\Temp\pyhswjnl.dll
-> C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll
.
Completion time: 2008-05-11 13:21:18
ComboFix-quarantined-files.txt 2008-05-11 12:21:02

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

206 --- E O F --- 2008-05-08 20:06:39


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:20, on 11/05/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\aol\1189273587\ee\aolsoftware.exe
C:\Windows\PixArt\PAC207\Monitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\SopCast\adv\SopAdver.exe
C:\Users\Russell\Documents\Russell.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189273587\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7814 bytes

#7 pskelley

Posted 11 May 2008 - 07:47 AM

Hi James, I am totally surprised as combofix located nothing and it is very good with the Vundo infection?
The stuff is showing in the Kaspersky Online Scan here: Sunday, May 11, 2008 12:55:47 PM

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:29:20, on 11/05/2008
The only thing I see is this:
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll,c
That Temp file I highlighted is where most of the infections appear in the KOS? Is it possible you have run another tool that I do not know about prior to using combofix?

If this is not the case, then run and post a new KOS and we will delete the junk manually.

Thanks...Phil

Not being real familiar with Vista, I see this: C:\Users\Russell\Desktop\ComboFix.exe
Since no infected files are showing for the last month, is it possible you are in a user account that was not used during that time frame? Could you possibly sign in as administrator and give combofix another run? If this does not help, then post the KOS and we will work with it.

Edited by pskelley, 11 May 2008 - 07:53 AM.

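An added example, not part of this thread and not code from HijackThis, ComboFix or any other tool mentioned here: the indicator Phil picks out above, a Run value that has rundll32 load a DLL out of the user's Temp folder, can be pulled out of a log mechanically. The script below parses HijackThis O4 lines and the ComboFix "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections. The sample log is constructed in the shape of the lines posted earlier in this thread, and the three heuristics (Temp folder, rundll32 target outside the Windows directory, DLL under a user-writable path) are this example's own assumptions about what separates the "cmds" entry from the legitimate NvCpl and oobefldr rundll32 entries.

```python
"""Triage autostart entries from HijackThis and ComboFix logs.

Added example for this thread. Pulls the O4 (Run key) lines out of a
HijackThis log and the "Reg Loading Points" / "DLLs Loaded Under Running
Processes" lines out of a ComboFix log, then flags the ones shaped like the
'cmds' entry: a DLL in the user's Temp folder, loaded by rundll32.
The heuristics are assumptions of this example, not logic from either tool.
"""
import re
from dataclasses import dataclass

# A per-user or system Temp folder anywhere in the path.
TEMP_DIR = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)
# Where a legitimate rundll32 autostart (NvCpl.dll, oobefldr.dll) loads from.
SYSTEM_DIR = re.compile(r"^(?:%WINDIR%|%SystemRoot%|C:\\Windows)\\", re.IGNORECASE)
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^C:\\(?:Users|ProgramData|Documents and Settings)\\", re.IGNORECASE)

# rundll32.exe <dll>,<entrypoint>  (quotes optional, case-insensitive)
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# HijackThis:   O4 - HKCU\..\Run: [cmds] rundll32.exe C:\...\fcCUoNdb.dll,c
HJT_O4 = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix Reg Loading Points:   "cmds"="C:\...\fcCUoNdb.dll" [2008-05-08 21:06 274944]
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# ComboFix DLLs Loaded Under Running Processes:   -> C:\...\pyhswjnl.dll
CF_LOADED = re.compile(r"^-> (?P<path>.+\.dll)$", re.IGNORECASE)


@dataclass
class Finding:
    source: str      # which log section the entry came from
    name: str        # registry value name ("" for loaded-DLL lines)
    target: str      # file that actually gets executed or loaded
    reasons: tuple   # why it was flagged


def launch_target(cmd: str) -> str:
    """Return the file an autostart command really runs.

    For rundll32 commands that is the DLL argument; otherwise the quoted
    executable, the first token ending in .exe/.dll, or the raw string.
    """
    cmd = cmd.strip()
    m = RUNDLL.match(cmd)
    if m:
        return m.group("dll")
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<p>.+?\.(?:exe|dll))(?:\s|,|$)", cmd, re.IGNORECASE)
    return m.group("p") if m else cmd


def reasons(cmd: str) -> list:
    """Heuristics (assumed for this example) that separate the 'cmds' style
    entry from ordinary Run values. An empty list means nothing suspicious."""
    target = launch_target(cmd)
    out = []
    if TEMP_DIR.search(target):
        out.append("target lives in a Temp folder")
    # A bare DLL name (oobefldr.dll) is resolved via the search path and is
    # left alone here; only an explicit non-Windows path is flagged.
    if RUNDLL.match(cmd.strip()) and "\\" in target and not SYSTEM_DIR.match(target):
        out.append("rundll32 loads a DLL from outside the Windows directory")
    if target.lower().endswith(".dll") and USER_WRITABLE.match(target):
        out.append("DLL sits in a user-writable location")
    return out


def triage(log_text: str) -> list:
    """Scan mixed HijackThis/ComboFix log text and return flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HJT_O4.match(line):
            source, name, cmd = "hjt-O4 " + m["key"], m["name"], m["cmd"]
        elif m := CF_RUN.match(line):
            source, name, cmd = "combofix-run", m["name"], m["cmd"]
        elif m := CF_LOADED.match(line):
            source, name, cmd = "combofix-loaded", "", m["path"]
        else:
            continue
        why = reasons(cmd)
        if why:
            findings.append(Finding(source, name, launch_target(cmd), tuple(why)))
    return findings


# Constructed sample in the shape of the lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-25 23:12 1232896]
"cmds"="C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll" [2008-05-08 21:06 274944]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-15 05:03 86016]
PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Russell\AppData\Local\Temp\pyhswjnl.dll
-> C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:28} [{f.name}] {f.target}")
        for r in f.reasons:
            print(f"{'':28}   - {r}")
```

Run against the sample, only the "cmds" value (in both the HijackThis and ComboFix form) and the two Temp DLLs loaded into Explorer.exe come back; the avast!, TeaTimer, NvCpl and oobefldr entries stay quiet because their targets sit in Program Files or the Windows directory. The same check can be pointed at a whole saved log rather than the embedded sample.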

#8 jamieR (Topic Starter)

Posted 11 May 2008 - 07:58 AM

Hi Phil

These were the only tools I ran. The combofix.exe is just the downloaded ComboFix tool; I saved it to the desktop.

I will run again as administrator and post results.

Thanks again

#9 jamieR (Topic Starter)

Posted 11 May 2008 - 08:05 AM

Combofix run as admin:

ComboFix 08-05-09.1 - Russell 2008-05-11 14:00:12.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1250 [GMT 1:00]
Running from: C:\Users\Russell\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 13:01 81,984 ----a-w C:\Windows\System32\bdod.bin
2008-05-11 11:51 --------- d-----w C:\Users\Russell\AppData\Roaming\Skype
2008-05-11 11:18 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-11 10:38 --------- d-----w C:\Users\Russell\AppData\Roaming\skypePM
2008-05-06 20:05 634 ----a-w C:\Users\Russell\AppData\Roaming\wklnhst.dat
2008-05-03 19:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-03 18:50 --------- d-----w C:\Users\Russell\AppData\Roaming\Bitdefender
2008-05-03 18:48 --------- d-----w C:\ProgramData\BitDefender
2008-05-03 18:47 --------- d-----w C:\Program Files\Softwin
2008-05-03 18:47 --------- d-----w C:\Program Files\Common Files\Softwin
2008-04-30 20:03 --------- d-----w C:\Program Files\Java
2008-04-30 19:08 --------- d-----w C:\ProgramData\ohcdkpon
2008-04-30 19:08 --------- d-----w C:\ProgramData\havrjcly
2008-04-30 16:55 304,160 ----a-w C:\PA207.DAT
2008-04-21 17:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-13 15:39 --------- d-----w C:\Program Files\Google
2008-04-13 15:35 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-13 14:54 --------- d-----w C:\Program Files\uTorrent
2008-04-12 13:17 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-12 13:17 32 ----a-w C:\ProgramData\ezsid.dat
2008-04-09 21:30 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 20:14 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-06 20:14 --------- d-----w C:\Users\Russell\AppData\Roaming\WinBatch
2008-04-06 20:14 --------- d-----w C:\Program Files\Realtek
2008-04-06 17:51 --------- d-----w C:\ProgramData\Skype
2008-04-06 17:51 --------- d-----w C:\Program Files\Skype
2008-04-06 17:51 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\divx.dll
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-28 17:41 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:14 2,028,544 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-13 18:27 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 18:25 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 18:25 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 18:25 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 18:25 3,505,720 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 18:25 3,471,928 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 18:25 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 18:25 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 18:25 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 18:25 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 18:25 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 18:25 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 18:25 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-09-08 17:42 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-11_13.20.47.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 10:35:54 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-11 12:26:46 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-11 10:35:55 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-11 12:26:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-11 10:35:55 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-11 12:26:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-11 11:58:09 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-11 12:41:57 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-11 10:38:38 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-11 12:28:20 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-11 12:28:20 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-05-11 12:16:56 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-11 13:00:17 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-11 12:19:54 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-11 12:28:25 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-11 12:28:25 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-05-11 10:51:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-11 12:27:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-11 10:51:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-11 12:27:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-11 10:51:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-11 12:27:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-11 10:41:35 108,122 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-05-11 12:32:04 108,122 ----a-w C:\Windows\System32\perfc009.dat
- 2008-05-11 10:41:35 622,906 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-05-11 12:32:04 622,906 ----a-w C:\Windows\System32\perfh009.dat
- 2008-05-08 20:02:55 9,366 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-734639056-3708653490-2978069551-1001_UserData.bin
+ 2008-05-11 12:28:44 9,374 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-734639056-3708653490-2978069551-1001_UserData.bin
- 2008-05-11 10:39:28 56,014 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-11 12:28:43 56,100 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-02-22 23:05:18 2,538 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-05-11 12:25:45 2,538 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-05-11 10:39:25 40,550 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-11 12:28:42 40,800 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll" [2008-05-08 21:06 274944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-27 23:25 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 14:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\Windows\RtHDVCpl.exe]
"CCUTRAYICON"="FactoryMode" []
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 07:11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HostManager"="C:\Program Files\Common Files\AOL\1189273587\ee\AOLSoftware.exe" [2006-11-14 15:01 50736]
"Monitor"="C:\Windows\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 18:37 79224]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-15 05:03 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-15 05:03 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-15 05:03 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2007-03-26 15:49 69632 C:\Program Files\Softwin\BitDefender10\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2007-04-02 16:48 290816 C:\Program Files\Softwin\BitDefender10\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\havrjcly]
--a------ 2008-04-30 20:08 98304 C:\ProgramData\havrjcly\gpsfidqz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2006-12-08 17:16 65536 C:\HP\KBD\KbdStub.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\Russell\AppData\Local\Temp\efcBturP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
--a------ 2007-02-15 11:59 118784 C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-734639056-3708653490-2978069551-1001]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8675C652-A5E3-4A7E-ABA7-EBE956394F05}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{83752797-490C-41BA-BC0E-D2236A55FEAA}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{437E17A8-3B30-4F84-A3B3-4BCB0DFBA716}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{3E957A28-299A-4C25-A959-CDB84A556519}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{7306407D-F11B-4831-A599-7A159C9F2CA9}"= UDP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{46354080-058F-4E0E-AC93-FE1B6DAE3403}"= TCP:C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{3A849754-F16C-40F3-8470-16AD8B945CEA}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{05069BA8-21F2-4046-A265-7BBCE5478E8D}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{1CA0895C-9175-44FD-8D4C-46E007CF039A}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9687EA38-A746-4636-9BB9-A28D117F2FFB}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{50028109-4544-4AED-9507-4D8ECC368518}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{93DACD81-6F9B-4EB5-A63E-DFAE1F919863}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{547250B7-8C77-4FCA-9C6B-94922C77B6B5}"= UDP:C:\Program Files\AOL\RC\regClient.exe:AOL
"{9160F12F-9A12-4BE1-95E9-2B698055E3A4}"= TCP:C:\Program Files\AOL\RC\regClient.exe:AOL
"{656461E3-9B4C-46A9-BC10-0889DD5DBEE8}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{6D0FDD87-8881-4BF7-8C91-78D53004A37B}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{A4691B4F-09FB-4A47-93C5-5C0D353401FB}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{F8210722-02A7-4463-B959-B86FCD3A48C3}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{4D59179D-3FF6-4690-B162-5731E13215AF}"= UDP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{C07B5C81-41F7-4201-900D-E69A3BC6350C}"= TCP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{533D094C-FFBA-4821-ACE6-98749BD7DC0E}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{A2B544AC-F1F4-4756-B1F6-EDA96B935588}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{9F1EDE47-3936-484A-AEF4-EFD994F13356}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{05F213AC-D83D-4A38-A809-5D63126638DC}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{5957E576-FF2F-4449-B0B1-7C93FDBEE57F}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{ACBF34E3-9839-4E81-8B1C-015DC8D7895D}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{5CA78823-0B04-4A7E-BBFC-12AF3ECB5A5C}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{13B67D79-B786-4EA5-9FBA-E5626EDAA263}"= UDP:C:\Users\Russell\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{4C51679C-F6EF-4E67-96E0-22F62B137759}"= TCP:C:\Users\Russell\AppData\Local\Temp\Installer.exe:SpeedTouch Home Install Wizard
"{8FFE892F-D777-4C49-9A5B-1099A349BD2F}"= UDP:C:\Program Files\Thomson\ST330\service\st330service.exe:ST330 service
"{938F5402-CD09-45FB-94AA-FCE708A22FFA}"= TCP:C:\Program Files\Thomson\ST330\service\st330service.exe:ST330 service
"{ED019A35-4A61-4C7E-A522-99E562B215DE}"= UDP:C:\Program Files\Common Files\aol\1189273587\ee\aolsoftware.exe:AOL Services
"{F6832F2A-A48E-457A-9790-51F9D29EE1E4}"= TCP:C:\Program Files\Common Files\aol\1189273587\ee\aolsoftware.exe:AOL Services
"TCP Query User{3C6B3B41-6D98-4A59-832D-E67414FF8F52}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B54C962F-97D3-46FD-9E2E-16287316F591}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{E2B95CBD-D27B-4CE5-BD6C-563B952C26E5}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{E376A095-0626-44B9-B8B9-4704E463F026}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{9CF8005D-4504-47AE-9DBD-C53D882880E5}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{1C51B964-5F65-48EA-9C06-ED59B19A72DD}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 18:32]
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2006-09-03 18:32]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 PAC207;SoC PC-Camera;C:\Windows\system32\DRIVERS\PFC027.SYS [2006-12-05 11:34]
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [2006-05-10 17:13]
S3 iadusb;MT882;C:\Windows\system32\DRIVERS\glauiad.sys [2006-07-27 16:37]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 13:00:19 C:\Windows\Tasks\User_Feed_Synchronization-{C1AB2EA9-6F6A-433E-9323-8968CB0F7247}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 14:01:50
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Russell\AppData\Local\Temp\fcCUoNdb.dll
.
Completion time: 2008-05-11 14:02:39
ComboFix-quarantined-files.txt 2008-05-11 13:02:24
ComboFix2.txt 2008-05-11 12:21:19

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

236 --- E O F --- 2008-05-08 20:06:39

Do you want me to run another KOS?

Thanks

#10 pskelley


Posted 11 May 2008 - 08:11 AM

Files Created from 2008-04-11 to 2008-05-11
I am just surprised no new files were created during the last month? How long have you had this infection? It may be a glitch in the tool.

Please do run a new KOS and as soon as you post I will give you instructions for manually removing the junk.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#11 jamieR


Posted 11 May 2008 - 09:31 AM

The scan is running now, Phil. So far it hasn't found as much as the first scan. And yet I've not run any tools other than the above?

Weird.

I'll post the log when complete.

#12 jamieR


Posted 11 May 2008 - 09:40 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 11, 2008 3:39:58 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 676480
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 97060
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:52:25

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\EXPLOR~1.EXE.bak Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\ssqOHaWq.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-160311-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-160322-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-165450-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-165502-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-194835-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080413-194846-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-172847-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-172858-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-184500-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080414-184510-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080415-185440-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080415-185456-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080416-221257-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080416-221308-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080417-172037-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080417-172048-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080420-201611-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080420-201633-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-183305-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-183328-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-220319-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080421-220330-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080424-162540-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080424-162600-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-134402-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-134423-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-214019-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080426-214030-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080427-172103-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080427-172114-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080428-195927-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080428-195938-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080429-201234-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080429-201245-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080430-161023-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080430-161035-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-083114-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-083129-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-194855-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080501-194910-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-173329-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-173353-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-183858-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080502-184121-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\MpCmdRun.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\MpSigStub.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\mlJDWOEV.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\PC-Doctor 5 for Windows\Configuration\config.xml Object is locked skipped
C:\ProgramData\Microsoft\User Account Pictures\IUSR_NMPR.dat Object is locked skipped
C:\ProgramData\havrjcly\gpsfidqz.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\ProgramData\muvee Technologies\030625\0103\0399\values Object is locked skipped
C:\ProgramData\ohcdkpon\mjifmzov.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Users\Russell\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008051120080512\index.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat{43c7df73-5e2a-11dc-93fd-001bfcf96e36}.TM.blf Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat{43c7df73-5e2a-11dc-93fd-001bfcf96e36}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows\UsrClass.dat{43c7df73-5e2a-11dc-93fd-001bfcf96e36}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Russell\AppData\Local\Microsoft\Windows Defender\FileTracker\{02AE85D7-CEBF-4AC0-8F12-6DC3CC23EFF1} Object is locked skipped
C:\Users\Russell\AppData\Local\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Users\Russell\AppData\Local\Temp\BITB000.tmp Object is locked skipped
C:\Users\Russell\AppData\Local\Temp\~DF1F9B.tmp Object is locked skipped
C:\Users\Russell\AppData\Local\Temp\~DF1FA2.tmp Object is locked skipped
C:\Users\Russell\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Russell\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Russell\ntuser.dat Object is locked skipped
C:\Users\Russell\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Russell\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Russell\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Russell\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Russell\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\MEMORY.DMP Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\bdss.log Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\components Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\default Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\sam Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\security Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\software Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\system Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Antivirus.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\IntelDH.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.

#13 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:41 AM

Posted 11 May 2008 - 09:57 AM

Thanks for returning your scan results.

(Delete the files in red, should be in that Temp folder bolded)
C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\EXPLOR~1.EXE.bak ------> Trojan.Win32.Obfuscated.gx
C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\ssqOHaWq.dll ------> Trojan.Win32.Monder.gen

(delete the file in red, my guess is it will be in the "moved" folder bolded) C:\Program Files\Alwil Software\Avast4\DATA\moved\mlJDWOEV.dll ------> Trojan.Win32.Monder.gen

(delete both folders in red and the contents)
C:\ProgramData\havrjcly\gpsfidqz.exe ------> Trojan.Win32.Obfuscated.gx
C:\ProgramData\ohcdkpon\mjifmzov.exe ------> Trojan.Win32.Obfuscated.gx

A new scan should be clean. No need to post a clean scan; how is the computer running? This information may not all apply to Vista:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiem...prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
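
The scan output quoted above, and the sorting of hits into leftover copies versus live files that the reply performs by hand, as an added Python example that is not part of the original thread or of any tool mentioned in it. The two line shapes it parses ("Object is locked skipped" and "------> <name>") are taken from the log as posted; the list of quarantine folders is an assumption based on the Deckard backup and Avast "moved" folders named in the reply, and the sample lines are constructed from entries in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two line shapes appear in the scan output quoted in this thread:
#   <path> Object is locked skipped      (file could not be read; not a detection)
#   <path> ------> <malware name>        (a detection)
SKIPPED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped\s*$")
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+-{2,}>\s+(?P<name>\S+)\s*$")

# Folders where other tools park copies of files they already removed or backed up.
# A hit there is a leftover copy, not an active component. This list is an assumption
# taken from the tool folders named in the thread, not any scanner's own rules.
QUARANTINE_MARKERS = (
    "/deckard/system scanner/backup/",
    "/avast4/data/moved/",
)


@dataclass
class Finding:
    path: str
    status: str                     # "detected" or "locked-skipped"
    name: Optional[str] = None      # detection name, for detections only
    location: Optional[str] = None  # "quarantine" or "live", for detections only


def classify_location(path: str) -> str:
    """Label a detected path as a quarantined leftover or a live file."""
    normalized = path.lower().replace("\\", "/")
    if any(marker in normalized for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def parse_line(line: str) -> Optional[Finding]:
    """Turn one scanner output line into a Finding, or None for non-result lines."""
    line = line.strip()
    m = DETECTION_RE.match(line)
    if m:
        path = m.group("path")
        return Finding(path, "detected", m.group("name"), classify_location(path))
    m = SKIPPED_RE.match(line)
    if m:
        return Finding(m.group("path"), "locked-skipped")
    return None  # blank lines, "Scan process completed." and similar


def parse_report(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count locked-skipped entries and detections by location."""
    summary = {"locked-skipped": 0, "quarantine": 0, "live": 0}
    for f in findings:
        if f.status == "locked-skipped":
            summary["locked-skipped"] += 1
        else:
            summary[f.location] += 1
    return summary


# Constructed sample assembled from lines quoted in this thread.
SAMPLE_REPORT = r"""
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Deckard\System Scanner\backup\Users\Russell\AppData\Local\Temp\ssqOHaWq.dll ------> Trojan.Win32.Monder.gen
C:\Program Files\Alwil Software\Avast4\DATA\moved\mlJDWOEV.dll ------> Trojan.Win32.Monder.gen
C:\ProgramData\havrjcly\gpsfidqz.exe ------> Trojan.Win32.Obfuscated.gx

Scan process completed.
"""

if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for f in findings:
        if f.status == "detected":
            print(f"{f.location:10} {f.name:30} {f.path}")
    print(summarize(findings))
```

The "live" bucket is the one that matters for triage: a hit in a backup or quarantine folder is a copy some earlier tool already took out of play, while a hit under a live path such as ProgramData is still where it was found. Locked-skipped entries are registry hives, event logs and similar files the scanner could not open, not detections, and are counted separately so they are not mistaken for either.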

#14 jamieR

jamieR
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 11 May 2008 - 10:28 AM

Running another scan after doing the above. Nothing found so far, so thanks for that.
Still getting Spybot popups though, if you know anything about them? It's the same 3 popups when I click deny change. Screen prints attached.

Thanks in advance


#15 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:41 AM

Posted 11 May 2008 - 10:37 AM

This appears to be TeaTimer (I use Spybot S&D but not TT) and I do not use it; here is a load of information:
http://www.safer-networking.org/en/faq/index.html
If that does not answer your questions, ask them here:
http://forums.spybot.info/forumdisplay.php?f=4

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
